Copying files to an FTP server on AWC EC2 Windows server fails with "Unable to build data connection: The connection waiting time has expired"

Question

We switched to to the AWS cloud with our local build machine. Now there is a batch file, which should upload a file via ftp. This worked fine locally, but not over the EC2 AWS machine.

C:\Programme\WinRAR\winrar a -afzip -IBCK -ep "Tool_%date:~-2%%date:~-7,2%%date:~-10,2%.zip" master
@echo Upload...
@echo open URL>ftp.txt
@echo USERNAME>>ftp.txt
@echo PASSWORD>>ftp.txt
@echo binary>>ftp.txt
@echo put TOOL_%date:~-2%%date:~-7,2%%date:~-10,2%.zip "/downloads/Tool%.zip">>ftp.txt
@echo quit>>ftp.txt
ftp -s:ftp.txt >out.txt

That does not work... I opened in the security groups settings: Inbound and Outbound ports 20-21, 1024-1048. It uploads the zip archive with 0 bytes.

The log file says:

ftp> open URL
Connection to URL was established.
220 FTP on server ready
200 UTF8 set to on
User (URL: (noone)):
331 Password required for USERNAME

230 user USERNAMElogged in
ftp> binary
200 type set to I
ftp> put Tool_180418.zip "/downloads/Tool_180418.zip"
200 PORT command successful
425 Unable to build data connection: The connection waiting time has expired
ftp> quit
221 goodbye.

Martin Prikryl · Accepted Answer · 2018-04-19T05:51:00.510

2

Windows command-line ftp client supports FTP active mode only. To be able to use it, you have to open ports on your local Windows firewall. (And maybe outbound ports on the AWS instance.)

See my article on network configuration for FTP active and passive connection modes.

You better use another FTP client that supports an FTP passive mode, for which you seem to have everything set up correctly already.

For example, with WinSCP scripting, you can use a batch file like:

winscp.com /log=upload.log /command ^
    "open ftp://username:password@ftp.example.com/" ^
    "put TOOL_%%TIMESTAMP#ddmmyy%%.zip /downloads/*" ^
    "exit"

There's even a guide for converting Windows ftp.exe script to WinSCP script.

WinSCP has also a built-in %TIMESTAMP% syntax, what the example above takes advantage of. It is more reliable than %date% and easier to use.

(I'm the author of WinSCP)

edited Apr 19 '18 at 05:51

answered Apr 18 '18 at 18:43

Martin Prikryl

188,800
56
490
992

Thanks! Works fine :) which inbound /outbound ports can i close now? – Hendouz Apr 23 '18 at 08:46
1

i installed WinSCP and i am using the passiv transfer mode – Hendouz Apr 23 '18 at 09:39
1

With passive mode, you do not need any outgoing ports. – Martin Prikryl Apr 23 '18 at 09:41

score 0 · Answer 2 · answered Apr 18 '18 at 14:51

0

Unless you have specifically configured your FTP server to use the range 1024-1048 for file transfer, it will most likely be attempting to use ports in the range 1024-65535.

You need to either configure your FTP server so that it permits connections only in the permitted 24 port range, or else open your security group to the entire range.

Edit: have you seen this very useful answer ?

answered Apr 18 '18 at 14:51

mcfinnigan

11,442
35
28

yea i i've seen this. because of that i opened ports 20-21 and 1024-1048... – Hendouz Apr 18 '18 at 14:59
Did you restart the FTP server after reconfiguring it? Have you verified that you can telnet to ports between 1024 and 1048 when logged onto the ec2 instance? – mcfinnigan Apr 18 '18 at 15:01
opening inbound ports 1024-65535 didnt help. Still 0byte upload...`netstat -na | find "1024` did not work. Do i have to restart the ec2 machine after i opened the ports? – Hendouz Apr 18 '18 at 15:07

Copying files to an FTP server on AWC EC2 Windows server fails with "Unable to build data connection: The connection waiting time has expired"

2 Answers2