Unable to list S3 bucket via FTP client

0

I have set up AWS Transfer Family using an NLB, VPC, subnet, etc. I can connect, authenticate, and attempt to list the "directory", but it times out when trying to list.

FileZilla debug

10:29:36	Status:	Connection established, waiting for welcome message...
10:29:36	Trace:	CFtpControlSocket::OnReceive()
10:29:36	Response:	220 Service ready for new user.
10:29:36	Trace:	CFtpLogonOpData::ParseResponse() in state 1
10:29:36	Trace:	CControlSocket::SendNextCommand()
10:29:36	Trace:	CFtpLogonOpData::Send() in state 2
10:29:36	Command:	AUTH TLS
10:29:36	Trace:	CFtpControlSocket::OnReceive()
10:29:36	Response:	431-Welcome to the Epic CleanTec FTP server
10:29:36	Response:	431 Service is unavailable.
10:29:36	Trace:	CFtpLogonOpData::ParseResponse() in state 2
10:29:36	Trace:	CControlSocket::SendNextCommand()
10:29:36	Trace:	CFtpLogonOpData::Send() in state 3
10:29:36	Command:	AUTH SSL
10:29:36	Trace:	CFtpControlSocket::OnReceive()
10:29:36	Response:	431 Service is unavailable.
10:29:36	Trace:	CFtpLogonOpData::ParseResponse() in state 3
10:29:36	Status:	Insecure server, it does not support FTP over TLS.
10:29:36	Trace:	CControlSocket::SendNextCommand()
10:29:36	Trace:	CFtpLogonOpData::Send() in state 5
10:29:36	Trace:	CFtpControlSocket::SetAsyncRequestReply
10:29:36	Trace:	CControlSocket::SendNextCommand()
10:29:36	Trace:	CFtpLogonOpData::Send() in state 6
10:29:36	Command:	USER ECT_FTP_User
10:29:36	Trace:	CFtpControlSocket::OnReceive()
10:29:36	Response:	331 User name okay, need password for ECT_FTP_User.
10:29:36	Trace:	CFtpLogonOpData::ParseResponse() in state 6
10:29:36	Trace:	CControlSocket::SendNextCommand()
10:29:36	Trace:	CFtpLogonOpData::Send() in state 6
10:29:36	Command:	PASS ****************
10:29:38	Trace:	CFtpControlSocket::OnReceive()
10:29:38	Response:	230 User logged in, proceed.
10:29:38	Trace:	CFtpLogonOpData::ParseResponse() in state 6
10:29:38	Trace:	CControlSocket::SendNextCommand()
10:29:38	Trace:	CFtpLogonOpData::Send() in state 10
10:29:38	Command:	OPTS UTF8 ON
10:29:38	Trace:	CFtpControlSocket::OnReceive()
10:29:38	Response:	200 Command OPTS okay.
10:29:38	Trace:	CFtpLogonOpData::ParseResponse() in state 10
10:29:38	Trace:	CControlSocket::SendNextCommand()
10:29:38	Trace:	CFtpLogonOpData::Send() in state 13
10:29:38	Command:	OPTS MLST size;modify;type;
10:29:38	Trace:	CFtpControlSocket::OnReceive()
10:29:38	Response:	200 Command OPTS okay.
10:29:38	Trace:	CFtpLogonOpData::ParseResponse() in state 13
10:29:38	Status:	Logged in
10:29:38	Trace:	Measured latency of 513 ms
10:29:38	Trace:	CFtpControlSocket::ResetOperation(0)
10:29:38	Trace:	CControlSocket::ResetOperation(0)
10:29:38	Trace:	CFtpLogonOpData::Reset(0) in state 15
10:29:38	Trace:	CFileZillaEnginePrivate::ResetOperation(0)
10:29:38	Trace:	CControlSocket::SendNextCommand()
10:29:38	Trace:	CFtpListOpData::Send() in state 0
10:29:38	Status:	Retrieving directory listing of "/epiccleantec-data"...
10:29:38	Trace:	CFtpChangeDirOpData::Send() in state 0
10:29:38	Trace:	CFtpChangeDirOpData::Send() in state 2
10:29:38	Command:	CWD /epiccleantec-data
10:29:39	Trace:	CFtpControlSocket::OnReceive()
10:29:39	Response:	250 Directory changed to /epiccleantec-data
10:29:39	Trace:	CFtpChangeDirOpData::ParseResponse() in state 2
10:29:39	Trace:	CFtpControlSocket::ResetOperation(0)
10:29:39	Trace:	CControlSocket::ResetOperation(0)
10:29:39	Trace:	CFtpChangeDirOpData::Reset(0) in state 2
10:29:39	Trace:	CFtpListOpData::SubcommandResult(0) in state 1
10:29:39	Trace:	CControlSocket::SendNextCommand()
10:29:39	Trace:	CFtpListOpData::Send() in state 2
10:29:39	Trace:	CFtpRawTransferOpData::Send() in state 0
10:29:39	Trace:	CFtpRawTransferOpData::Send() in state 1
10:29:39	Command:	TYPE I
10:29:39	Trace:	CFtpControlSocket::OnReceive()
10:29:39	Response:	200 Command TYPE okay.
10:29:39	Trace:	CFtpRawTransferOpData::ParseResponse() in state 1
10:29:39	Trace:	CControlSocket::SendNextCommand()
10:29:39	Trace:	CFtpRawTransferOpData::Send() in state 2
10:29:39	Command:	PORT 192,168,0,41,226,182
10:29:39	Trace:	CFtpControlSocket::OnReceive()
10:29:39	Response:	502 Command PORT not implemented.
10:29:39	Trace:	CFtpRawTransferOpData::ParseResponse() in state 2
10:29:39	Trace:	CControlSocket::SendNextCommand()
10:29:39	Trace:	CFtpRawTransferOpData::Send() in state 2
10:29:39	Command:	PASV
10:29:39	Trace:	CFtpControlSocket::OnReceive()
10:29:39	Response:	227 Entering Passive Mode (54,176,120,190,32,2)
10:29:39	Trace:	CFtpRawTransferOpData::ParseResponse() in state 2
10:29:39	Trace:	CControlSocket::SendNextCommand()
10:29:39	Trace:	CFtpRawTransferOpData::Send() in state 4
10:29:39	Trace:	Binding data connection source IP to control connection source IP 192.168.0.41
10:29:39	Command:	MLSD
10:29:39	Trace:	CFtpControlSocket::OnReceive()
10:29:39	Response:	150 
10:29:39	Trace:	CFtpRawTransferOpData::ParseResponse() in state 4
10:29:39	Trace:	CControlSocket::SendNextCommand()
10:29:39	Trace:	CFtpRawTransferOpData::Send() in state 5
10:30:00	Error:	The data connection could not be established: ETIMEDOUT - Connection attempt timed out
10:30:00	Trace:	CTransferSocket::TransferEnd(3)

WinSCP log

 2023-11-20 10:42:29.917 Using FTP protocol.
. 2023-11-20 10:42:29.917 Doing startup conversation with host.
> 2023-11-20 10:42:29.933 PWD
< 2023-11-20 10:42:29.964 257 "/" is current directory.
. 2023-11-20 10:42:29.964 Got reply 1 to the command 16
. 2023-11-20 10:42:29.964 Getting current directory name.
. 2023-11-20 10:42:29.993 Session upkeep
. 2023-11-20 10:42:29.993 Retrieving directory listing...
> 2023-11-20 10:42:29.993 TYPE A
< 2023-11-20 10:42:30.026 200 Command TYPE okay.
> 2023-11-20 10:42:30.027 PASV
< 2023-11-20 10:42:30.079 227 Entering Passive Mode (54,176,120,190,32,6)
> 2023-11-20 10:42:30.079 MLSD
. 2023-11-20 10:42:30.079 Connecting to 54.176.120.190:8198 ...
< 2023-11-20 10:42:30.114 150 
. 2023-11-20 10:42:45.656 Timeout detected. (data connection)
. 2023-11-20 10:42:45.656 Could not retrieve directory listing
. 2023-11-20 10:42:45.656 Got reply 1004 to the command 2
* 2023-11-20 10:42:45.756 (EFatal) **Lost connection.**
* 2023-11-20 10:42:45.756 Timeout detected. (data connection)
* 2023-11-20 10:42:45.756 Could not retrieve directory listing
* 2023-11-20 10:42:45.756 Error listing directory '/'.

I am not sure why it cannot list the contents of the S3. This worked when I had it as an SFTP using the same settings, but didn't have an NLB.

Mav
asked 5 months ago 488 views
3 Answers
0

Even port 20 open in the SG to 0.0.0.0/0 is not changing the behavior. I also created a listener in the LB just in case, but it also changed nothing. There is nothing else in the VPC except for the AWS Transfer Family server. There are no EC2 instances. There is no firewall. There is no Direct Connect.

Mav
answered 5 months ago
  • From where are you running FileZilla and WinSCP?

    According to https://repost.aws/knowledge-center/aws-sftp-endpoint-type a plain FTP endpoint (as opposed to SFTP or FTPS) can only be provisioned in a VPC with internal access over Direct Connect or VPN.

    So it would be helpful to know how you are accessing it.

    There was another user with a similar (but not identical) question a couple of months ago. Can you check if you are running FileZilla and WinSCP in passive mode? https://repost.aws/questions/QUfyHRwryoTRaQqhtyInAekg/pubblish-ftp-on-the-web

  • If it's FTP then it has to be non-internet-facing, there wasn't really a choice.

    There's discussion of another similar (but again, not identical) question here, and it's worth noting that while port 21 is inbound from the FileZilla machine to AWS Transfer, port 20 is outbound from AWS Transfer. So the routing table & security groups need to be set up to allow that: https://repost.aws/questions/QUZ7vZkxClSZyzC4WwdR5bRQ/host-https-ftp-on-public-internet

  • I am using an NLB to get around the issue of the dumb choice they made to make this non-internet-facing. I am accessing it from the internet via the NLB DNS. I have a listener on 21 which sends the traffic on to the FTP server. I have essentially followed https://artem.services/?p=2086&lang=en (sorry, pasted the wrong blog before)

  • I have 20-21 open in the SG and ACL to all IPv4.

  • As well as ports 8192–8200?

0

FileZilla: Error: The data connection could not be established: ETIMEDOUT - Connection attempt timed out

WinSCP: Timeout detected. (data connection)

FTP uses two ports, port 21 is the control port and port 20 is used for data transfer.

Make sure that both these ports are open in the security group (and/or NACL) associated with the AWS Transfer server.

And depending on where you're accessing the AWS Transfer server from, ensure that both ports are open all along the way. This could be security group rules relating to an EC2 instance in the same VPC, or firewall rules allowing access along a Direct Connect link to on-prem, or anything else.

EXPERT
Steve_M
answered 5 months ago
0

Ok, finally fixed it. Apparently I forgot to click register on all the ports >.<

Mav
answered 5 months ago
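
The data-port arithmetic behind the timeouts in this thread, as an added example that is not part of any post: it decodes the 227 replies from the two logs (port = p1 * 256 + p2) and checks each advertised port against what is forwarded through the NLB. The 8192–8200 range is the one raised in the comments; the `forwarded` set is an assumed load balancer state, and the function names are illustrative.

```python
import re

# Passive data-port range raised in the comments (8192-8200), plus control port 21.
PASSIVE_PORTS = set(range(8192, 8201))
CONTROL_PORT = 21

PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (host, port) advertised by a 227 reply, or None if absent/invalid."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def audit(log_lines, forwarded_ports):
    """Classify every data endpoint the server advertised in a client log."""
    findings = []
    for line in log_lines:
        endpoint = parse_pasv(line)
        if endpoint is None:
            continue
        host, port = endpoint
        if port not in PASSIVE_PORTS:
            status = "outside expected range"
        elif port not in forwarded_ports:
            status = "not forwarded"
        else:
            status = "ok"
        findings.append((host, port, status))
    return findings


def missing_ports(forwarded_ports):
    """Ports that need a listener and a registered target but lack one."""
    return sorted((PASSIVE_PORTS | {CONTROL_PORT}) - set(forwarded_ports))


# The two 227 replies from the FileZilla and WinSCP logs on this page.
SAMPLE_LOG = [
    "10:29:39\tResponse:\t227 Entering Passive Mode (54,176,120,190,32,2)",
    "< 2023-11-20 10:42:30.079 227 Entering Passive Mode (54,176,120,190,32,6)",
]

if __name__ == "__main__":
    forwarded = {21}  # assumed state: only the control port reaches the server
    for host, port, status in audit(SAMPLE_LOG, forwarded):
        print(f"{host}:{port} -> {status}")
    print("still to forward:", missing_ports(forwarded))
```

The second decoded port matches the `Connecting to 54.176.120.190:8198` line in the WinSCP log, which is the connection that timed out.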
