OES Novell FTP directory lists or file transfers time out, remote server feature over slow WAN links

  • 7017034
  • 30-Nov-2015
  • 30-Nov-2015

Environment

Novell Open Enterprise Server 11 (OES 11)
Novell Open Enterprise Server 2015 (OES 2015)

Situation

OES's "Novell FTP" has been installed, and the "remote_server" feature has been added to allow FTP users to reach other OES NCP servers in the tree during their FTP session.  An FTP client has connected to the FTP server (ServerA) and is accessing a remote server (ServerB).  Between ServerA and ServerB is a slow WAN link.
 
Attempts to transfer files from ServerB to the client might fail.  In some cases, the client or server might announce the operation has timed out.  The FTP server might also announce that it could not form a connection back to the client's port.  For example:
 
425 Could not open data connection to port 63877: Connection timed out
 
In theory, this might also happen while trying to obtain a long directory listing.

Resolution

The easiest solution is usually to configure the FTP client to use passive data transfers, rather than active.
 
Other likely solutions include:
 
- Identifying any firewall protecting the FTP client side, and (if possible) configuring it to allow ports opened by Stateful Packet Inspection to remain open longer, before timing out and closing the port.
 
- Increasing the speed of the WAN link.
 
- Attempting the transfer when the WAN link is less busy.
 
- Altering the layout of FTP servers such that the FTP client can connect to an FTP server which is on the same LAN as ServerB.  Having a slow link between FTP client and FTP server will cause fewer problems than a slow link between FTP server and remote OES NCP server.
 
 

Cause

Many FTP clients use "active" data connections by default, which means that the client will announce a dynamically chosen port on which it will listen, and then the server must connect to the client in order to transfer data.  When asked to provide a file to the client, pure-ftpd (used by Novell FTP) will typically read some of that file before it opens the connection back to the client.  If conditions are slow enough or congested enough, it is possible that by the time pure-ftpd attempts to open that connection, the client port may no longer be listening, or a firewall in between (using Stateful Packet Inspection to dynamically open ports for FTP data transfers) may no longer be allowing traffic on the port to pass.
 
Passive data connections will avoid this particular problem, because they work in the opposite (and more expected) direction.  The FTP server (ServerA) will announce a port of its own where it is listening, and the client will connect to it.  This avoids the delay period between ServerA reading some of the file from ServerB, and subsequently opening the connection.  With passive connections, the client does not wait any significant time before it opens the connection.
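
To confirm that failing transfers are the active-mode ones described above, a captured control-channel transcript can be checked for which side was listening and how long passed between the port announcement and the data connection opening or failing. The script below is an added example, not part of the original article or of Novell FTP; the transcript layout (time, C/S marker, line) and its contents are constructed for illustration, with only port 63877 taken from the error shown earlier.

```python
import re
from datetime import datetime

# Constructed transcript (time, C=client / S=server, line); not real server output.
SAMPLE = """\
10:00:00 C PORT 192,0,2,10,249,133
10:00:00 S 200 PORT command successful
10:00:00 C RETR big.iso
10:01:35 S 425 Could not open data connection to port 63877: Connection timed out
10:02:00 C PASV
10:02:00 S 227 Entering Passive Mode (198,51,100,5,195,80)
10:02:00 C RETR big.iso
10:02:01 S 150 Accepted data connection
"""

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 (PORT argument or 227 reply) to (ip, port)."""
    if not (m := HOSTPORT.search(text)):
        return None
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def audit(transcript):
    """One record per transfer: listener, outcome, seconds since port announcement."""
    records, pending, xfer = [], None, None
    for raw in filter(str.strip, transcript.splitlines()):
        stamp, side, line = raw.split(" ", 2)
        t = datetime.strptime(stamp, "%H:%M:%S")
        word = line.split()[0].upper()[:4]
        if side == "C" and word == "PORT":      # client listens: active mode
            pending = ("active", decode_hostport(line), t)
        elif side == "S" and word == "227":     # server listens: passive mode
            pending = ("passive", decode_hostport(line), t)
        elif side == "C" and word in ("RETR", "STOR", "LIST", "NLST"):
            xfer, pending = (line, pending), None
        elif side == "S" and xfer and word[:3] in ("125", "150", "425"):
            mode, listener, announced = xfer[1] or (None, None, None)
            wait = (t - announced).total_seconds() if announced else None
            records.append({"command": xfer[0], "mode": mode, "listener": listener,
                            "outcome": "failed" if word[:3] == "425" else "opened",
                            "wait_s": wait})
            xfer = None
    return records

def active_failures(records):
    """Transfers matching this article's symptom: active mode, then 425."""
    return [r for r in records if r["mode"] == "active" and r["outcome"] == "failed"]
```

A large wait_s on an active-mode failure can be compared with the idle timeout of any Stateful Packet Inspection firewall in front of the client.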