Re: [squid-users] FTP: Error NLST Unable to build data connection: Invalid argument

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 14 Sep 2010 01:23:03 +0000

On Mon, 13 Sep 2010 21:48:43 +0200, David Touzeau <david_at_touzeau.eu>
wrote:
> Dear
>
> Here is the complete debug sequence, but I don't know why NLST is
> blocked.
> The first protocol discussion is OK, but when Squid wants to send NLST, the
> error is performed.
>

NLST itself is not blocked. All it does is request that the remote server
open a connection to the previously indicated (EPRT)

<snipping all but the FTP flow bits (debug_options 84,2) >

> 2010/09/13 21:39:36.925| ftp>> 331 Anonymous login ok, send your
> complete email address as your password
> 2010/09/13 21:39:36.925| ftp<< PASS david_at_touzeau.eu
> 2010/09/13 21:39:37.156| ftp>> 230 Anonymous login ok, restrictions
> apply.
> 2010/09/13 21:39:37.156| ftp<< TYPE A
> 2010/09/13 21:39:37.216| ftp>> 200 Type set to A
> 2010/09/13 21:39:37.216| ftp<< EPRT |1|192.168.1.19|36793|
> 2010/09/13 21:39:37.276| ftp>> 200 EPRT command successful
> 2010/09/13 21:39:37.276| ftp<< LIST
> 2010/09/13 21:39:37.334| ftp>> 425 Unable to build data connection:
> Invalid argument
> 2010/09/13 21:39:37.334| ftp<< NLST
> 2010/09/13 21:39:37.393| ftp>> 425 Unable to build data connection:
> Invalid argument
<snip>

As you can see Squid is informing the remote server that it has opened a
port and is awaiting connections to 192.168.1.19:36793.

Since you have NAT in place your firewall is supposed to be doing some NAT
magic and altering that to your public IP and a port-forwarded port. When
the remote server tries to connect to whatever it's given by the firewall it
fails. First with LIST then NLST. Attempting to download files to this FTP
server via their full URI will hit the same problem.

 * Squid should be starting with EPSV not EPRT anyway. Check that your
ftp_pasv directive is set to "on" (default), or remove it from the config
altogether.

 * Check your firewall FTP-NAT is capable of handling the E* commands.

Amos
 
> On 13/09/2010 01:27, Amos Jeffries wrote:
>> On Sun, 12 Sep 2010 20:59:08 +0200, David Touzeau<david_at_touzeau.eu>
>> wrote:
>>> Dear all
>>>
>>> I'm using squid 3.1.7, when I'm browsing on ftp server like
>>>
>>> ftp://ftp.univ-tlse1.fr/
>>> ftp://ftp.redhat.com
>>>
>>> Browser gives error :
>>> ******************************************************************
>>> An FTP protocol error occurred while trying to retrieve the URL:
>>> ftp://ftp.univ-tlse1.fr/
>>>
>>> Squid sent the following FTP command:
>>> NLST
>>>
>>> The server responded with:
>>> Unable to build data connection: Invalid argument
>>>
>>> ******************************************************************
>>>
>>
>> A few minutes on Google indicates that you have a firewall blocking
>> incoming FTP data connections. The server is unable to send you the
>> directory listing when requested.
>>
>> Amos
>>
Received on Tue Sep 14 2010 - 01:23:08 MDT
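
The pattern discussed in this message (Squid announcing 192.168.1.19:36793 with EPRT, then the server answering 425 to LIST and NLST) can be checked mechanically over a debug_options 84,2 trace. This is an added example, not part of the original email and not Squid code; the names parse_endpoint and diagnose are hypothetical, it also handles the older PORT form that the trace does not show, and it assumes a private announced address means a NAT device has to rewrite it.

```python
import ipaddress
import re

# Trace lines from the debug_options 84,2 output quoted in this thread (wrapped
# lines joined). "ftp<<" is what Squid sends, "ftp>>" is the server's reply.
SAMPLE_LOG = """\
2010/09/13 21:39:37.216| ftp<< EPRT |1|192.168.1.19|36793|
2010/09/13 21:39:37.276| ftp>> 200 EPRT command successful
2010/09/13 21:39:37.276| ftp<< LIST
2010/09/13 21:39:37.334| ftp>> 425 Unable to build data connection: Invalid argument
2010/09/13 21:39:37.334| ftp<< NLST
2010/09/13 21:39:37.393| ftp>> 425 Unable to build data connection: Invalid argument
"""
FTP_LINE = re.compile(r"\| ftp(<<|>>) (\S+) ?(.*)$")

def parse_endpoint(verb, arg):
    """Return (ip, port) announced by an active-mode command, else None."""
    try:
        if verb == "EPRT" and arg:  # RFC 2428: <d>proto<d>addr<d>port<d>
            _, _proto, addr, port, _ = arg.split(arg[0])
            return ipaddress.ip_address(addr), int(port)
        if verb == "PORT":  # RFC 959: h1,h2,h3,h4,p1,p2
            h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2
    except ValueError:  # malformed argument: wrong field count or bad number
        return None
    return None

def diagnose(log):
    """List (failed_cmd, ip, port, needs_nat_rewrite) for each 425 reply."""
    findings, announced, last_cmd = [], None, None
    for line in log.splitlines():
        m = FTP_LINE.search(line)
        if not m:
            continue
        direction, verb, arg = m.groups()
        if direction == "<<":  # command sent by Squid
            last_cmd = verb.upper()
            announced = parse_endpoint(last_cmd, arg.strip()) or announced
        elif verb == "425" and announced:  # server could not open data connection
            ip, port = announced
            findings.append((last_cmd, str(ip), port, ip.is_private))
    return findings

if __name__ == "__main__":
    for cmd, ip, port, private in diagnose(SAMPLE_LOG):
        note = "private address, NAT helper must rewrite it" if private else "public"
        print(f"{cmd} failed: server told to connect to {ip}:{port} ({note})")
```

A trace that uses EPSV produces no findings, since Squid then opens the data connection outward and announces no address of its own.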
