Microsoft KB Archive/900902

= After you use the Ftp.exe close command or the Ftp.exe quit command, the response 221 does not appear =

Article ID: 900902

Article Last Modified on 7/13/2005

-

APPLIES TO

 Microsoft Windows XP Service Pack 2, when used with:  Microsoft Windows XP Professional

 Microsoft Windows XP Media Center Edition 2002

 Microsoft Windows XP Home Edition

 Microsoft Windows XP Tablet PC Edition</li></ul> </li></ul>

-

<div class="notice_section">

<div class="symptoms_section">

SYMPTOMS
Consider the following scenario. The following conditions are true:
 * You are using a Microsoft Windows XP Service Pack 2 (SP2)-based computer.
 * You turn on the Windows Firewall on the Windows XP SP2-based computer.
 * You use the Windows File Transfer Protocol (FTP) utility (Ftp.exe).
 * You use the Ftp.exe close command or the Ftp.exe quit command.

After you use the Ftp.exe close command or the Ftp.exe quit command, the response 221 does not appear.

<div class="cause_section">

CAUSE
This issue occurs because of a race condition in the FTP Application Layer Gateway (ALG). When the ALG sends the RST command to the client before the response 221 is processed, the response 221 does not appear on the client computer.

<div class="moreinformation_section">

MORE INFORMATION
The FTP ALG proxies the FTP control channel. During an FTP session, the following two connections exist:
 * Connection A: A connection from the FTP client to the ALG service.
 * Connection B: A connection from the ALG to the FTP server.

All commands over the control channel pass through the ALG proxy.

When the FTP client or the FTP server tries to close the control channel, the ALG responds by resetting both connections. When the client sends the quit command or the close command, the FTP server is expected to close the control channel if a file transfer is not currently in progress. However, the server is not required to obtain any kind of acknowledgement of the response 221 before the server tries to close the control channel.

Depending on how quickly the code proxies the 221 data from connection B to connection A, compared to how quickly the code that resets the connections performs, you could end up in a state where the RST is sent from the ALG to the client for ending connection A before the response 221 is processed. Therefore, the response 221 does not appear on the client computer.

Windows Firewall does not log the 221 packet as dropped because it was actually allowed in through the firewall as part of the control channel (connection B). ALG successfully receives this packet immediately before both control channels are closed.

Keywords: kbtshoot kbprb KB900902

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.