In a recent case, I was asked to help with an FTP error 550 when the FTP client tried to list the files in the FTP site. The user logged on without error but could not see ant files or folders. There was a firewall but the FTP ports being used were open.
So I asked for the FTP logs to find the reason logged. In the FTP logs, we saw 550 1236 38 (status, win32Status, sub status). We know 550 is no such file or directory, I looked up the win32staus 1236 and it is “The network connection was aborted by the local system.” I was not familiar with the FTP sub status, so I opened article 969061, The FTP status codes in IIS 7.0 and later versions to find sub status 38. this is listed: 38 - Client IP on the control channel didn't match the client IP on the data channel.
Went back to the FTP log and noticed client IP changing once PASV command is run... .7 to .8 and therefore the error.
2020-07-10 21:37:30 n.n.n.7 <User> <server IP> PASV - 227 0 0 7b461e17-7dc0-45f3-b0a5-ccaf36c708ac -
2020-07-10 21:37:30 n.n.n.8 <User> <server IP> 6003 DataChannelOpened - - 0 0 7b461e17-7dc0-45f3-b0a5-ccaf36c708ac -
2020-07-10 21:37:30 n.n.n.8 <User> <server IP> 6003 DataChannelClosed - - 1236 38 7b461e17-7dc0-45f3-b0a5-ccaf36c708ac -
2020-07-10 21:37:30 n.n.n.7 <User> <server IP> 21 LIST - 550 1236 38 7b461e17-7dc0-45f3-b0a5-ccaf36c708ac /
At this point, the firewall engineer mentioned that this was due to the firewall configuration and this behavior could not be changed so the customer ended up using a different firewall product.
This article lists all of the FTP status codes and what they mean…IIS web sites also log sub status…many times the sub status tells us exactly what is wrong without collecting any other data. There are 56 sub statuses listed near the bottom of the page.
The FTP substatus codes
This section describes the FTP substatus codes that IIS 7.0 uses:
- 0 - Successful operation.
- 1 - Authorization rules denied the access.
- 2 - File system denied the access.
- 3 - File system returned an error.
- 4 - IP restriction rules denied the access.
- 5 - Write access for the root of the virtual directory is forbidden.
- 6 - Short file name check has failed.
- 7 - Short file names are forbidden.
- 8 - Hidden segment was detected in the path based on request filtering rules.
- 9 - Denied Url sequence detected in the path based on request filtering rules.
- 10 - High bit characters detected in the path based on request filtering rules.
- 11 - File extension was denied based on request filtering rules.
- 12 - Path is too long based on request filtering rules.
- 13 - Attempt was made to open object that is not a file or directory.
- 14 - Control channel timed out.
- 15 - Data channel timed out.
- 16 - Control channel timed out based on new connection timeout.
- 17 - Invalid site configuration.
- 18 - Invalid configuration.
- 19 - Maximum connection limit was reached.
- 20 - Data channel was closed by ABOR command from client.
- 21 - Site is being stopped.
- 22 - Data channel was aborted by server due to an error.
- 23 - Data channel was aborted by client.
- 24 - SSL policy requires SSL for data channel.
- 25 - SSL policy requires SSL for control channel.
- 26 - SSL policy requires SSL for credentials.
- 27 - SSL policy denies SSL for data channel.
- 28 - SSL policy denies SSL for data channel.
- 29 - SSL policy denies SSL for credentials.
- 30 - SSL policy denies SSL for commands.
- 31 - SSL certificate was not configured.
- 32 - SSL initialization failed.
- 33 - Home directory lookup failed.
- 34 - Custom authentication call failed.
- 35 - User failed to authenticate.
- 36 - All authentication methods are disabled.
- 37 - Hostname didn't match any configured ftp site.
- 38 - Client IP on the control channel didn't match the client IP on the data channel.
- 39 - Maximum file size was exceeded. 40ActiveDirectory Isolation must be combined with basic authentication.
- 41 - An error occurred during the authentication process.
- 42 - Anonymous authentication is not allowed.
- 43 - Protection negotiation failed. PROT command with recognized parameter must precede this command.
- 44 - SSL certificate was not found.
- 45 - Private key was not found for the specified SSL certificate.
- 46 - SSL certificate hash has invalid length.
- 47 - SSL policy requires client certificate.
- 48 - User provided invalid client certificate.
- 49 - SSL policy requires matching client certificate for control and data channel.
- 50 - Data channel timed out due to not meeting the minimum bandwidth requirement.
- 51 - Command filtering rules denied the access.
- 52 - Session disconnected by administrator.
- 53 - Connection error.
- 54 - Session closed because of configuration change.
- 55 - 128-bit encryption is required for SSL connections.