Cerberus FTP Server FAQ
TOC Up to Table of Contents
Back Backward to General Questions Forward to Table Of Contents Forward

6. Troubleshooting

Q1: Why does issuing the LIST command result in an error message?

There are several possible explanations to this problem. Your network may be running a firewall or your computer may be behind a router. See the section on I am connected to the internet through a router. How should I configure my router to allow FTP traffic? for more information.

If you are using a router with Cable or DSL to connect your home computer to the internet, you may need to enable Port Forwarding. Consult your router documentation on how to enable Port forwarding for FTP.

Finally, if you can, instruct your clients to connect using passive FTP mode (initiated by the client using the PASV command). Active FTP (intiated by the client with the PORT command), tends to cause problems with older hardware routers and software firewalls.

Q2: I'm running Cerberus FTP Server as a service and it can't access mapped network drives. Why?

Mapped drives are stored on a per-user basis. The default configuration for a service logs it in as the LocalSystem account, so it cannot access the mapped drives you make when you log in using your own account. You can manually change your service's account by viewing its properties in the Services Control Panel applet (NT 4) or the Services branch in Computer Management (Windows 2000/XP, Start->Programs->Administrative Tools->Computer Management).

A service can map its own drives, or if you are going to use mapped network drives, you can specify the UNC name for the directory.

Q3: I've correctly configured passive FTP but passive data connections still fail. What else could be wrong?

Many of the newer, "smarter" routers attempt to detect passive FTP traffic and automatically modify the FTP commands to work correctly with the router. One way to diagnose this issue is to monitor the log file from Cerberus and the FTP client as a passive connection is attempted. The log file excerpts below are from a connection attempt from a Filezilla FTP client to Cerberus FTP Server. The client is located outside the local network Cerberus FTP Server is installed on.

 

Cerberus:

May 01 13:12:04 42 257 "/" is the current directory
May 01 13:12:04 42 TYPE A
May 01 13:12:04 42 200 Type ASCII
May 01 13:12:04 42 PASV
May 01 13:12:04 42 227 Entering Passive Mode (X,X,X,X, 7,255)
May 01 13:12:04 42 LIST

Filezilla:

Command: TYPE A
Response: 200 Type ASCII
Command: PASV
Response: 227 Entering Passive Mode (X,X,X,X,130,128)
Command: LIST

The indication that the router is changing the FTP command is the difference in the ports listed between the client log and the server log.

To resolve the issue, you have to change Cerberus' PASV IP to be your internal LAN IP and not the external IP you get from your Internet Service Provider (ISP).

 

Steps to resolve:

  1. Go to Configuration -> Server Manager -> Interfaces
  2. Click on the interface that matches your internal IP
  3. In the PASV Options section click the "Use different IP for PASV command" radio button and in the textbox that appears put in the same IP as the interface (your local IP address).
  4. Click the "Ok" button

Q4: Why can I not access the GUI when Cerberus FTP Server is running as a service?

NOTE: This problem is no longer an issue with Cerberus FTP Server 3.1 or higher. The latest version of Cerberus FTP Server can now be accessed when running as a service. Only versions prior to 3.1 have the following limitations:

There are two possible problems, both relating to running Cerberus as a service. On Windows Vista and higher operating systems, you cannot access the Cerberus FTP Server GUI while running as a service when running versions of Cerberus prior to 3.1. You must first stop the service and start Cerberus as a normal application.

On Windows 2003 and earlier operating systems, this limitation is only present when running Cerberus as a terminal server session. When Cerberus is running as a Windows service, access to the FTP server window through a terminal server session is not possible. The reason for that conflict is because the Cerberus service always has to be running on the desktop of the console session. When connecting through terminal services, Windows creates a new self-contained desktop for the terminal server session, so the FTP server window cannot be accessed from that desktop.

 

You can solve this with one of the following solutions:

  • Upgrade to Cerberus FTP Server 3.1 or higher
  • Access the FTP server directly on the console screen rather than using a terminal server session to access the FTP server.
  • Use a different remote access software (i.e. PCAnywhere or PCDuo) instead of a terminal server session to access the FTP server.
  • Stop the FTP server service and start the FTP server in application mode by double-clicking the Cerberus FTP server icon on the desktop. That way you can also access the FTP server through a terminal server session. It is recommended to start the FTP server as a service again before you leave your terminal server session.
  • Connect to the console session:

    To connect to the console session, administrators can choose one of the following methods:

    • NOTE: This is no longer valid on Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Server 2008.
    • Use the Remote Desktop Microsoft Management Console (MMC) snap-in.
    • Run the Remote Desktop Connection (mstsc.exe) program with the /console switch (or the /admin switch on some later versions of Windows).
    • Create Remote Desktop Web Connection pages that set the ConnectToServerConsole property.

Q5: TLS/SSL FTP sessions are not working through my firewall.

The short answer is that FTPS and firewalls (and devices performing NAT) do not always interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know which on which ports/addresses the data connection will be established.

 

In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using passive mode), FTPS should function without issue.

 

To configure for passive FTP (the preferred method), see Q2: My IP address begins with 192.168.xxx.xxx. Is there anything special I have to do for people to see my FTP Server on the Internet?

Q6: I cannot use a remote share as an NT home directory when authenticating a user against a domain.

NOTE: This no longer applies to Cerberus FTP Server 3.1.0.3. The latest version of Cerberus FTP Server can now access virtual directories mapped to remote shares for domain users.

The following comments apply only for users using domain authentication to login to the FTP server.

The login method used to authenticate a user against the domain does not allow access to network shares. The technical reason is that the token granted through the logon method Cerberus is using is a network logon for the user with no network credentials. You can use the resulting token on the local machine, but can't impersonate a user using this token in order to authenticate with remote servers. When Cerberus tries, it ends up establishing a null session (how Windows represents an anonymous user) with the remote server instead.

There are two options to resolve the problem:

  • Upgrade to Cerberus FTP Server 3.1.0.3, - or -
  • Make the share anonymous.

Q7: Error message when you use an FTP client to download a large file from an FTP server.

See the Microsoft kb article 931130 about running with the "Routing and Remote Access" or the "Application Layer Gateway" service enabled. http://support.microsoft.com/kb/931130.

Q8: How do I convert over the old 2.X user to the new 4.0 version?

Normally, users are upgraded automatically from 2.X to version 3.0 or 4.0 when installing the latest version. However, in some instances the users file is not upgraded and a manual upgrade is necessary. To manually convert over the old users file:

  1. Locate the Cerberus FTP Server 2.X "users.pro" file, usually in C:\Program Files\Cerberus
  2. Shutdown Cerberus FTP Server 4.0
  3. Place the old "user.pro" file in the new Cerberus FTP Server 4.0 installation folder. Usually C:\Program Files\Cerberus LLC\Cerberus FTP Server
  4. Delete the existing "users.xml" file so that it knows to convert over the old 2.X file. On Windows XP, the Cerberus FTP Server 4.0 "users.xml" file is in C:\Documents and Settings\All Users\Application Data\Cerberus LLC\Cerberus FTP Server\users.xml
    or
    C:\ProgramData\Cerberus LLC\Cerberus FTP Server\user.xml on Windows Vista and higher
  5. Restart Cerberus FTP Server 4.0

Q9: Why are directory and file names incorrect when I view them through my FTP client?

You are probably using an FTP client that is neither RFC959 (the FTP standard) nor RFC2640 (International FTP) compliant. Some FTP clients incorrectly assume that text information will be transferred in their native character set. The FTP specification specifically states that all text will be transferred in ASCII or, for servers supporting the newer international FTP standard, UTF-8. Clients that make the assumption that text is being transferred in their native character set will see incorrect letters for non-Latin based characters.

The recommended fix is to upgrade to an FTP client that correctly supports UTF-8 encoding. FTP clients that support UTF-8 (and most major FTP clients do) will have no trouble with any file or directory name in any language or character set.

Another option is to turn off UTF-8 encoding for the client session. A client can do this by issuing an OPTS UTF OFF command after logging in. This will cause the FTP client to send text in whatever character set is native to the computer the server is running on. This is non-standard an not recommended. Upgrading to a client that supports UTF-8 is the better option.

Q10: Why am I being prompted for a Remote Access password after installing Cerbeurs FTP Server 4.0?

The remote access settings control HTTP and HTTPS web and SOAP access to Cerberus FTP Server. When Cerberus is running as a Windows Service, the GUI connects to and communicates with the Cerberus Windows Service through a remote access API called SOAP. The Cerberus Windows Service listens for SOAP connections on the Port specified under the Remote Settings page. That port must be available for Cerberus to listen on or the GUI will be unable to connect to the local Windows Service.

Most users will never see the Remote Access connection dialog because it is only shown when the Cerberus GUI can't connect to the underlying Windows Service. This usually happens because the GUI and Windows Service passwords are out of sync (or one had never been set). Normally, when you install Cerberus FTP Server as a Windows Service from within the Cerberus FTP Server application you are prompted to set a password. With the new 4.0 installer there is now an option to install Cerberus FTP Server as a Windows Service right from the Installer and there can be problems if you are upgrading from an older installation and have never set a SOAP access password. This potential problem can only happen when upgrading from 3.x, never for a new installation.

If a remote access password had never been set (IE, this is an upgrade and you've selected "Install as Windows Service" but have never had Cerberus installed as a Windows Service before) then the GUI may not be able to connect to the service. The solution is to temporarily shutdown the Windows Service, start Cerberus in application mode and then set a remote access password so that the GUI and Windows Service can communicate. Here are the steps:

  1. Open up the Service Control Manager and stop the Cerberus FTP Server Service. You will see "Cerberus FTP Server" listed in the services list. You can access the Service Control Manager by going into the Control Panel, selecting Administrative Tools, and then Services. Once the Service Control Manager is open, right-click on the "Cerberus FTP Server" service and select "Stop".
  2. You can now start Cerberus in application mode by clicking on the Cerberus FTP Server icon on the desktop or through the Program Manager. It should startup in application mode without any prompts for passwords.
  3. Open the Server Manager and select the "Remote" page. There is a button to set an Admin password. Set it to anything you like and click Ok to close the Server Manager.
  4. You can now Shutdown and Exit from the server from the File menu. This will shutdown Cerberus FTP Server and close the program.
  5. Restart the Cerberus FTP Server service from the Service Control Panel. Right-click on the service and select "Start".

You should now be able to start and connect to Cerberus FTP Server normally by clicking on the Desktop application icon.

TOC Up to Table of Contents
Back Backward to General Questions Forward to Table Of Contents Forward
| Privacy Policy | Public Forums Disclaimer | Contact Us | ©2010 Cerberus, LLC