XP SP2 Firewall and Secure FX v.2.0.4

[elcanche]

I just installed SP2 on my computer and am having touble connecting to FTP servers via Secure FX. The problem occurs only when the Windows Firewall is enabled. I have tried adding port 21 to the exception list and also adding the SecureFX program to the exception list--to no avail.

Here is the error I get:
i Control connection could not be established (10061).

What am I missing? Is there something I need to do on the Global Configuration, Firewall settings screen?

I would appreciate any ideas you can offer.

Peter

[rlpm]

Peter,

I am sorry to hear that you are experiencing problems with SecureFX and Windows XP sp2. As far as I know, Windows Firewall only blocks inbound traffic (listening sockets), not outbound traffic. In order to help you resolve this problem, please reply with the following information:

1) Whether the "Display a Notification when Windows Firewall blocks a program" setting is enabled (checked) in the "Exceptions" tab of Windows Firewall control panel.
2) The rest of the log from SecureFX.
3) Whether you are atempting SSH port forwarding through Entunnel, SecureCRT, or some other SSH client.
4) Whether you have another software firewall installed, such as ZoneAlarm, BitDefender, etc.

Regards,
--rlpm

[elcanche]

1) Yes, "Display a Notification when Windows Firewall blocks a program" is enabled.

2) Where should I go to get additional log information?

3) I use SafeTP. However, when I disable SafeTP, I observe the same behavior.

4) I have no other client side firewall in use. My internet connection does go through a Linksys Router though. I upgraded the firmware on it yesterday to the latest version to see if that would solve it, but no luck!

By the way, when I try it today, it says:

i Control connection successfully established.

And then it hangs with "Resolving hostname..." in the bottom of the connection window.

Not sure why the behavior has changed.

[lzagreus]

Hello,

I am having the same problem reported by elcanche. As soon as I installed Windows XP SP2, Secure FX stopped working with the behavior described above.

"i Control connection successfully established.

And then it hangs with "Resolving hostname..." in the bottom of the connection window. "

I am using SecureFX v 1.9.6.

If I turn off the XP firewall, SecureFX works just as before. Turn the firewall back on, and no luck. I tried adding SecureFX as one of the exception programs, but that didn't help.

Any clues? Thanks!

Leah

[jillc]

We are about to post a new SecureFX FAQ about this issue.

Enabling the XP SP2 firewall may cause a delay when establishing a connection to certain FTP servers. This lag may occur when connecting via FTP even when an exception in the firewall configuration is created for SecureFX/AbsoluteFTP, and regardless of the PASV/PORT setting.

This delayed response from some FTP servers will at first appear to be a hang or failed connection after establishing the control connection. You will see the following line of trace information as the last line in SecureFX's log view:

i Control connection successfully established.

Waiting for approximately 20-30 seconds will result in the connection being fully established.

Here's what's going on in the background:

When SecureFX/AbsoluteFTP makes an outgoing connection to some FTP servers (wu.ftpd is known to have this problem, for example), the FTP server tries to authenticate a user based on auth/ident service (RFC 912, 931, and 1413) by attempting to connect to the client's machine on port 113.

With the Windows XP SP2 firewall enabled, such packets are dropped and the FTP server continues to attempt auth/ident connections on port 113 until a timeout occurs. Here is a segment of the Windows firewall log that shows the outgoing connection to the FTP server by SecureFX, and the resulting incoming connection attempts from the FTP server on port 113:

192.168.0.200 = Machine running wu.ftpd server
192.168.0.100 = Machine running SecureFX/AbsoluteFTP

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-02-02 11:56:32 OPEN TCP 192.168.0.100 192.168.0.200 1410 21 - - - - - - - - -
2005-02-02 11:56:32 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE
2005-02-02 11:56:35 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE
2005-02-02 11:56:41 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE

Once the ident/auth timeout occurs on the FTP server side, the FTP server will move on to normal authentication via USER and PASS.

To resolve this time lag issue, create a port exception in the Windows firewall for port 113. Since there isn't anything listening on port 113 on the XP machine, the port exception will cause the FTP server to receive a "Connection Refused" error when the auth/ident connection attempt is made to port 113. Once the FTP server receives this error, the server will switch to normal USER and PASS authentication, significantly reducing the lag time before connection.

Please let us know if this solution does not resolve your problem.

--Jill

[vali]

I try to solve this problem ( 30 sec ftp browse delay ) from about 1 week since I installed my XP SP2 but until now nothing seems to work!
I found your post about creating a port exception in the Windows firewall for port 113 and I was very impressed when I saw it's really work !
For first time my IE browse ftp without any delay

Thx again for your great solution