After you use the Ftp.exe close command or the Ftp.exe quit command, the response 221 does not appear (900902)


The information in this article applies to:

  • Microsoft Windows XP Service Pack 2, when used with:
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Media Center Edition
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Tablet PC Edition

SYMPTOMS

Consider the following scenario. The following conditions are true:
  • You are using a Microsoft Windows XP Service Pack 2 (SP2)-based computer.
  • You turn on the Windows Firewall on the Windows XP SP2-based computer.
  • You use the Windows File Transfer Protocol (FTP) utility (Ftp.exe).
  • You use the Ftp.exe close command or the Ftp.exe quit command.
After you use the Ftp.exe close command or the Ftp.exe quit command, the response 221 does not appear.

CAUSE

This issue occurs because of a race condition in the FTP Application Layer Gateway (ALG). When the ALG sends the RST command to the client before the response 221 is processed, the response 221 does not appear on the client computer.

MORE INFORMATION

The FTP ALG proxies the FTP control channel. During an FTP session, the following two connections exist:
  • Connection A: A connection from the FTP client to the ALG service.
  • Connection B: A connection from the ALG to the FTP server.
All commands over the control channel pass through the ALG proxy.

When the FTP client or the FTP server tries to close the control channel, the ALG responds by resetting both connections. When the client sends the quit command or the close command, the FTP server is expected to close the control channel if a file transfer is not currently in progress. However, the server is not required to obtain any kind of acknowledgement of the response 221 before the server tries to close the control channel.

Depending on how quickly the code proxies the 221 data from connection B to connection A, compared to how quickly the code that resets the connections performs, you could end up in a state where the RST is sent from the ALG to the client for ending connection A before the response 221 is processed. Therefore, the response 221 does not appear on the client computer.

Windows Firewall does not log the 221 packet as dropped because it was actually allowed in through the firewall as part of the control channel (connection B). ALG successfully receives this packet immediately before both control channels are closed.
Modification Type:MajorLast Reviewed:7/13/2005
Keywords:kbtshoot kbprb KB900902 kbAudEndUser
©2004 Microsoft Corporation. All rights reserved.