ftp problem - very slow response

#1 Tue, 11/21/2006 - 13:20
RichardBrignall

I have a new VM installation with at the moment just one virtual server. If I try to use ftp (running proftpd on server) it takes between 30 and 40 seconds to respond to any command.

The log on sequence runs correctly as:

ftp> open ftp.iimco.co.uk
Connected to ftp.iimco.co.uk.
220 FTP Server ready.
500 AUTH not understood
500 AUTH not understood
KERBEROS_V4 rejected as an authentication type
Name (ftp.iimco.co.uk:root): iimco.co
331 Password required for iimco.co.
Password:
230 User iimco.co logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (88,208,217,128,215,196).

Then either the client times out or eventually, after 30 to 45 seconds, produces the list.

The delay causes most GUI ftp clients to time out but using Konqueror on KDE/FC4 does work.

Similarly if I do a file upload of multiple files there is a long delay between each file. It is not caused on the client PC because I can use exactly the same process with a different proftpd server which does not delay.

Does anyone have a suggestion as to the reason? pleeease

Richard

Tue, 11/21/2006 - 13:43
Joe

Hey Richard,

This is almost certainly a DNS issue on the server. To test, first find out your client IP address.

There are many websites out there that can tell you your public IP. I usually use http://checkip.dyndns.org

Next, login to the server, and perform a lookup on that address:

host 192.168.1.1

(Replace the 192.168.1.1 with the address of your client system.)

If this query times out or fails, then we've found your problem and it can be fixed by configuring the DNS client on the server to use working DNS servers.

If it responds quickly and accurately, then the problem is something else, and we'll need to look in the /var/log/messages, /var/log/secure, and /var/log/proftpd/* logs to see if there are any additional clues.

But, this kind of "slow" issue is at least 90% of the time caused by DNS resolution problems.


Mon, 08/27/2007 - 07:04 (Reply to #2)
sales@mytechdir...

Are there any plans to make a pureFTP install script? Before using VM, I have had pure running without issue in the past and when I was running Server 2K3 I ran a couple of different Windows based ftp servers all without issue.

Wed, 08/22/2007 - 21:24 (Reply to #3)
sales@mytechdir...

Sorry to knock the dust off this topic, but I am having the same problem. Since we cannot PM others on this board, (hoping OP is still around,) did you ever get this resolved?

Anyone else have any suggestions?

Thu, 08/23/2007 - 01:41 (Reply to #4)
Joe

DNS (forward and reverse both to and from the server to the client) and firewalls are the only things I can think of that would cause sluggishness in ProFTPd. Have you confirmed that both of those are right? (FTP wants lots of ports--not just 21...you'll probably want to test without the firewall on at all, just to be sure you've got it right.)


Mon, 08/27/2007 - 07:24 (Reply to #5)
sales@mytechdir...

I have enabled FTP under "Extended Internet Services" and now the FTP is blazing fast, but it is disconnecting during transfers after about 5 - 10 seconds. If I idle on FTP, it stays connected.

I am now also getting "500 POPORT not understood" on a phpbb forum folder.

Thank you.

Wed, 11/22/2006 - 04:11
RichardBrignall

Hi Joe,
Thank you for the quick response - unfortunately we are in different time zones so this could be a protracted conversation.

I tried as you suggested using host xxx.xxx.xxx.xxx for both my office connection and my home connection. Both have static IPs and in both cases host xxx.xxx.xxx.xxx "instantly" produced the correct host names e.g.
=====
[root@ns1 log]# host 217.37.92.50
50.92.37.217.in-addr.arpa domain name pointer host217-37-92-50.in-addr.btopenworld.com.
[root@ns1 log]#
=====

So - moving on I have taken a copy of the console on my client PC (using ftp) and a copy of logs "secure" and "messages" on the server. They are shown below

=====
Console input/output
--------------------
[richard@athena ~]$ ftp ftp.iimco.co.uk
Connected to ftp.iimco.co.uk.
220 FTP Server ready.
500 AUTH not understood
500 AUTH not understood
KERBEROS_V4 rejected as an authentication type
Name (ftp.iimco.co.uk:richard): iimco.co
331 Password required for iimco.co.
Password:
230 User iimco.co logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (88,208,217,128,198,57).
ftp: connect: Connection timed out
ftp> close
221 Goodbye.
ftp>

Log /var/log/secure
-------------------
Nov 22 09:36:58 ns1 proftpd: Deprecated pam_stack module called from service "proftpd"
Nov 22 09:36:58 ns1 last message repeated 2 times
Nov 22 09:36:58 ns1 proftpd: pam_unix(proftpd:session): session opened for user iimco.co by (uid=0)
Nov 22 09:36:58 ns1 proftpd: Deprecated pam_stack module called from service "proftpd"
Nov 22 09:36:58 ns1 proftpd[15306]: ns1.iimco.net (217.37.92.50[217.37.92.50]) - USER iimco.co: Login successful.
Nov 22 09:36:58 ns1 proftpd[15306]: ns1.iimco.net (217.37.92.50[217.37.92.50]) - Preparing to chroot to directory '/home/iimco.co'
Nov 22 09:36:58 ns1 proftpd[15306]: ns1.iimco.net (217.37.92.50[217.37.92.50]) - mod_delay/0.5: delaying for 470 usecs
Nov 22 09:40:02 ns1 su: pam_unix(su:session): session opened for user postgres by (uid=0)
Nov 22 09:40:02 ns1 su: pam_unix(su:session): session closed for user postgres
Nov 22 09:41:17 ns1 proftpd: Deprecated pam_stack module called from service "proftpd"
Nov 22 09:41:17 ns1 proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Nov 22 09:41:17 ns1 proftpd[15306]: ns1.iimco.net (217.37.92.50[217.37.92.50]) - PAM(setcred): System error
Nov 22 09:41:17 ns1 proftpd: Deprecated pam_stack module called from service "proftpd"
Nov 22 09:41:17 ns1 proftpd: pam_unix(proftpd:session): session closed for user iimco.co
Nov 22 09:41:17 ns1 proftpd[15306]: ns1.iimco.net (217.37.92.50[217.37.92.50]) - PAM(close_session): System error
Nov 22 09:41:17 ns1 proftpd[15306]: ns1.iimco.net (217.37.92.50[217.37.92.50]) - FTP session closed.

Log /var/log/messages
---------------------

Nov 22 09:36:45 ns1 proftpd[15306]: ns1.iimco.net (217.37.92.50[217.37.92.50]) - FTP session opened.

There is no log in dir "/var/log/proftpd"
=====
The server log entry after which I get no further response on the client is:
Nov 22 09:36:58 ns1 proftpd[15306]: ns1.iimco.net (217.37.92.50[217.37.92.50]) - mod_delay/0.5: delaying for 470 usecs
The remaining entries are associated with closing the ftp connection.

I don't know if this helps - I see similar log entries on a different ftp server which works.

Richard

Thu, 11/23/2006 - 05:32
RichardBrignall

Done a bit more work on this.

It works OK if the client is set for Passive mode OFF even though we are behind a firewall.
Scouring the proftpd forums and google suggests that the firewall rule on the server must include lines:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

which from my limited understanding of passive mode ftp permits the server to negotiate ports to use for data transfer with the client. I have both of those lines in iptables on the server.

I know that the firewall behind which the client exists does allow passive transfer from both windows and linux clients - have used it for years.

It also seems that for proftpd to operate in passive mode it needs the following lines in its config file

DefaultAddress w.x.y.z
PassivePorts p1 p2
where w.x.y.z is the ip of the server and p1 p2 are a range of port numbers that proftpd should use for passive connections.

But - having made those changes I still do not get it to work in passive mode even after trying to restart proftpd from the Virtualmin | System information tab | Restart Proftpd button.

There is also a suggestion that I need to include a firewall rule (on the server) like
-A INPUT -d w.x.y.z -p tcp --dport p1:p2 -j ACCEPT
but I do not understand why. I'd have thought that the other rules would have allowed a connection.

I also note that the Stop proftpd button does not stop proftpd, so maybe the restart button is not actually working.

Any ideas for getting a stage further?
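
An added example, not written by anyone in this thread: the 227 replies quoted above carry the data port in their last two numbers (high byte, low byte), and the client then opens a new TCP connection to that port, which a RELATED,ESTABLISHED rule accepts only when the kernel's FTP connection-tracking helper is loaded. The POSIX shell functions below decode a reply and check it against the DefaultAddress and PassivePorts settings; the names `parse_pasv` and `check_pasv` and the 49152-65534 range are assumptions, since the thread gives only the placeholders p1 and p2.

```shell
#!/bin/sh
# Added example. Function names and the port range are assumptions.

# parse_pasv "<227 reply>": print "ip port"; return 1 if the reply is malformed.
parse_pasv() {
    pasv_fields=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$pasv_fields" ] || return 1
    pasv_ifs=$IFS; IFS=,
    set -- $pasv_fields          # split h1,h2,h3,h4,p_hi,p_lo on commas
    IFS=$pasv_ifs
    [ $# -eq 6 ] || return 1
    for pasv_n in "$@"; do       # every field must be one byte, no leading zeros
        case $pasv_n in 0?*) return 1 ;; esac
        [ "$pasv_n" -le 255 ] 2>/dev/null || return 1
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# check_pasv "<227 reply>" <server ip> <p1> <p2>
# Compare what the server advertises with DefaultAddress / PassivePorts.
check_pasv() {
    pasv_parsed=$(parse_pasv "$1") || { echo "malformed 227 reply"; return 1; }
    pasv_ip=${pasv_parsed% *}
    pasv_port=${pasv_parsed#* }
    pasv_status=0
    if [ "$pasv_ip" != "$2" ]; then
        echo "advertised address $pasv_ip is not $2"
        pasv_status=1
    fi
    if [ "$pasv_port" -lt "$3" ] || [ "$pasv_port" -gt "$4" ]; then
        echo "port $pasv_port is outside PassivePorts $3 $4"
        pasv_status=1
    fi
    if [ "$pasv_status" -eq 0 ]; then
        # Without the FTP conntrack helper this connection is NEW, not RELATED,
        # so the server needs an explicit rule for the passive range.
        echo "ok $pasv_ip:$pasv_port, covered by: -A INPUT -d $2 -p tcp --dport $3:$4 -j ACCEPT"
    fi
    return "$pasv_status"
}

# Replies copied from the thread; 49152-65534 is a constructed range.
check_pasv "227 Entering Passive Mode (88,208,217,128,215,196)." 88.208.217.128 49152 65534
check_pasv "227 Entering Passive Mode (88,208,217,128,198,57)." 88.208.217.128 49152 65534
```

The two replies quoted in the thread decode to ports 55236 and 50745 on 88.208.217.128.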