1

We have a scheduled task that transfers a large file (~130 MB) between two Windows servers using the Windows command-line FTP program. It's painfully slow (taking about 30 minutes) and occasionally terminates before the transfer has completed. The servers are 2003 (sending) and 2008 (receiving).

If I transfer the file manually, using FileZilla's GUI, it runs considerably faster and is done in a couple of minutes. I can't use this approach though, because we want this to run automatically and FileZilla can't be scripted.

I've also noticed, when I disable the Windows 2003 Firewall, command line FTP is suddenly much faster, and reaches the same speed as FileZilla.

So, it seems I have a workaround in disabling/enabling the firewall before and after the transfer. But after Googling extensively, this doesn't seem to be a common problem, and I get the feeling something is configured wrongly somewhere.

Can anyone shed any light on why disabling the firewall improves the speed so dramatically? And why FileZilla is faster than command-line FTP (when the Firewall is enabled)?

Troy

3 Answers

1

ICMP is an Internet host requirement. Sometimes admins block all ICMP because they "heard somewhere it was a security risk". But ICMP is not optional and TCP relies on it. (At a minimum, 'fragmentation required' must be permitted.)

David Schwartz
  • Can you explain the link between ICMP and FTP speed? And why FileZilla is not affected? – Troy Jan 25 '12 at 04:23
  • Without ICMP, the FTP packets may get fragmented, which results in greater packet loss and reduced network utilization efficiency. (See my [link](http://www.znep.com/~marcs/mtu/).) – David Schwartz Jan 25 '12 at 04:24
  • Tried allowing all ICMP but it didn't change anything. Must be something else. – Troy Jan 26 '12 at 21:18
  • It's not unusual for more than one thing to be wrong. Trust me, it's much better to fix things *before* they cause breakage than after. What else is the firewall blocking? – David Schwartz Jan 26 '12 at 21:28
  • icmp is not relevant for an ftp issue... – Jonesome Reinstate Monica May 20 '12 at 18:40
  • Further, it is completely OK and normal to disable icmp at the firewall level. This does break ping, but other normal protocols (ftp, http, etc) will all work fine. Breaking ping is often desirable (because ping is an attack vector). – Jonesome Reinstate Monica May 20 '12 at 18:51
  • samsmith, this is a common misconception. Blocking ping is acceptable, but not ICMP as a whole. See [Why not block ICMP?](http://serverfault.com/questions/84963/why-not-block-icmp) –  May 20 '12 at 19:54
  • @ChrisKuehl It is really common and accepted to block icmp in hardware firewalls. I must have seen this on dozens of devices, configured by all kinds of networking pros. I accept that there may be some possible issues as a result, but they appear to be really marginal. – Jonesome Reinstate Monica May 21 '12 at 02:42
  • @samsmith: For the majority of typical firewalled networks, blocking ICMP fragmentation needed datagrams is evidence of incompetence. I have never heard anyone who has a clue recommend blocking them routinely. If you have any citations to the contrary, please share them so we know which "experts" to avoid. – David Schwartz May 21 '12 at 03:21
  • @DavidSchwartz I need to check our firewall at rackspace. I believe it is blocked there (but I really need to look at the config to be sure, because we have a really big config). – Jonesome Reinstate Monica May 21 '12 at 13:40
1
  1. You need to know what is blocking first. Download Process Monitor from Sysinternals (Microsoft).

  2. In that program, select only "show network activities" (a button on the bar on the upper left).

  3. Check the packets and find the FTP ones.

    server1.domain.com:12345 -> server2.domain.com:21

  4. Right-click on the name of the process and select include to add the process that is running the FTP.

  5. Test the FTP transfer with the firewall and without it.

  6. Compare both data. It should be a port blocked by the firewall. You should open that port between both PCs.

Edward
0

The problem is that the command line FTP uses active mode FTP.

FileZilla automatically switches to passive mode FTP, which is much more firewall friendly.

Command line FTP only supports active, so you are stuck there.

Use an alternate utility for FTP that supports passive mode from a command line (there are cmd line options for FileZilla that may meet your needs).
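
The active/passive distinction in the last answer, and the "compare both" step in the Process Monitor answer, can be checked from the FTP control channel itself: a `PORT` command or a `227` reply names the host and port that will listen for the data connection, which is the side whose firewall must accept an inbound connection. The following is an added example, not code from any of the posts; the function names are hypothetical and the transcript is constructed, in the style of a command-line client's debug output.

```python
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959 host-port).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def data_channel(line):
    """Return the data-connection endpoint announced by one control-channel
    line, or None if the line is not a PORT command or a 227 reply."""
    text = line.strip()
    if text.startswith("--->"):           # debug-style marker for client commands
        text = text[4:].strip()
    verb = text.split(" ", 1)[0].upper()
    if verb == "PORT":                     # active: client listens, server connects in
        mode, listener = "active", "client"
    elif verb == "227":                    # passive: server listens, client connects out
        mode, listener = "passive", "server"
    else:
        return None
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):         # each field must fit in one byte
        return None
    return {"mode": mode, "listener": listener,
            "ip": ".".join(map(str, nums[:4])),
            "port": nums[4] * 256 + nums[5]}


def inbound_rules_needed(transcript):
    """List (listening side, ip, port) for every data connection announced."""
    found = (data_channel(l) for l in transcript.splitlines())
    return [(c["listener"], c["ip"], c["port"]) for c in found if c]


# Constructed sample transcript (addresses are documentation ranges).
SAMPLE = """\
---> PORT 192,0,2,10,19,137
200 PORT command successful.
---> STOR big.dat
---> PASV
227 Entering Passive Mode (198,51,100,20,195,80).
"""

if __name__ == "__main__":
    for side, ip, port in inbound_rules_needed(SAMPLE):
        print(f"{side} firewall must accept inbound TCP to {ip}:{port}")
```

A `client` entry means the transfer ran in active mode and the firewall on the machine running the FTP client has to allow the server's inbound data connection; a `server` entry means passive mode, where the client only makes outbound connections.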