This document (000020678) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 SP5
Situation
After upgrading vsftpd to version 3.0.5-48.3.1, many FTP clients increasingly report the following error, typically at the end of a file upload from a client.
426 Failure reading network stream.
Some attempts work, some do not. It happens with a variety of clients.
Resolution
Set this parameter in /etc/vsftpd.conf:
strict_ssl_read_eof=NO
Cause
According to the vsftpd.log during these events, this condition also existed at the time of the error:
"DATA connection terminated without SSL shutdown"
This means that the client tried to terminate a TCP connection which was using SSL, but did not send an SSL_SHUTDOWN first. This is improper SSL behavior from the client side and is very common..
When this happens, if vsftpd is being strict about ssl behavior (controlled by configuration parameter «strict_ssl_read_eof‘»), it will return the 426 error to the client.
Additional Information
According to the man page for vsftpd.conf, this should be disabled per default:
strict_ssl_read_eof
If enabled, SSL data uploads are required to terminate via SSL,
not an EOF on the socket. This option is required to be sure
that an attacker did not terminate an upload prematurely with a
faked TCP FIN. Unfortunately, it is not enabled by default
because so few clients get it right. (New in v2.0.7).
Default: NO
However, in the code it’s enabled by default:
tunables.c:225: tunable_strict_ssl_read_eof = 1;
The man page needs to be updated to show the correct default. This has already been updated upstream by the Linux community, but that update has not yet reached the vsftpd package in SLES 12 SP5.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented «AS IS» WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020678
- Creation Date:
23-Jun-2022 - Modified Date:23-Jun-2022
-
- SUSE Linux Enterprise Server
< Back to Support Search
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
FTP server return codes always have three digits, and each digit has a special meaning.[1] The first digit denotes whether the response is good, bad or incomplete:
1xx
The requested action is being initiated; expect another reply before proceeding with a new command. (The user-process sending another command before the completion reply would be in violation of protocol; but server-FTP processes should queue any commands that arrive while a preceding command is in progress.) This type of reply can be used to indicate that the command was accepted and the user-process may now pay attention to the data connections, for implementations where simultaneous monitoring is difficult. The server-FTP process may send at most, one 1xx reply per command.
2xx
The requested action has been successfully completed. A new request may be initiated.
3xx
The command has been accepted, but the requested action is being held in abeyance, pending receipt of further information. The user should send another command specifying this information. This reply is used in command sequence groups.
4xx
The command was not accepted and the requested action did not take place, but the error condition is temporary and the action may be requested again. The user should return to the beginning of the command sequence, if any. It is difficult to assign a meaning to «transient», particularly when two distinct sites (Server- and User-processes) have to agree on the interpretation. Each reply in the 4xx category might have a slightly different time value, but the intent is that the user-process is encouraged to try again. A rule of thumb in determining if a reply fits into the 4xx or the 5xx (Permanent Negative) category is that replies are 4xx if the commands can be repeated without any change in command form or in properties of the User or Server (e.g., the command is spelled the same with the same arguments used; the user does not change his file access or user name; the server does not put up a new implementation.)
5xx
The command was not accepted and the requested action did not take place. The User-process is discouraged from repeating the exact request (in the same sequence). Even some «permanent» error conditions can be corrected, so the human user may want to direct his User-process to reinitiate the command sequence by direct action at some point in the future (e.g., after the spelling has been changed, or the user has altered his directory status.)
6xx
RFC 2228 introduced the concept of protected replies to increase security over FTP communications. The 6xx replies are Base64 encoded protected messages that serves as responses to secure commands. When properly decoded, these replies fall into the above categories.
Below is a list of all known return codes that may be issued by an FTP server.
100 Series
110
MARK yyyy = mmmm where yyyy is User-process data stream marker, and mmmm server’s equivalent marker (note the spaces between markers and «=»).
120
125
150
200 Series
202
211
212
213
214
215
220
221
225
226
227
228
229
230
232
234
235
250
257
300 Series
331
332
334
335
336
350
400 Series
421
425
426
430
431
434
450
451
452
500 Series
501
502
503
504
530
532
533
534
535
536
537
550
551
552
553
600 Series
631
632
633
10000 Series
10054
10060
10061
10065
10066
10068
T
На сайте с 19.10.2008
Offline
32
tigga
3182
Добрый день!
ФТП клиенты(разные) на различных хостингах после некоторого времени работы начинают выдавать 426 ошибку. Из-за этого не получается сохранить (и пересохранить) файлы. Понял, что проблема на стороне клиента, т.е. на моей — но как побороть, кроме как ребутнуться, так и не могу разобраться:(
Если кто-то знает, как решить — помогите пожалуйста!
Сбылись мечты народные: МИР-ТРУД-МАЙ
- Помощь в фильтрации ботов через CloudFlare
- Резкий спад трафика на сайте
- Помогите разобраться как фиксить количество процессов web-сервера
[Удален]
#1
Режим Passive Mode в FTP клиенте включен?
На сайте с 11.06.2008
Offline
69
naleks
#2
426 — Канал закрыт, обмен прерван
А порыться нельзя?
Скорее всего, проблема у тебя в файрволлинге. или же, если ты пользуешь nat для выхода инет, то тебе просто необходимо указать клиенту использовать passive mode (pasv);)
Having an issue with ftp_put, ‘ftp_put’ returns false and files are only transferred incompletely. The error returned is 426 Failure reading network stream. Restart of the server is fixing the issue for 2 or 3 days. Also When changing the destination folder to another server all files are uploaded without any problem.
With another server, I am able to transfer the same file to same destination. Had the issue with this server too, a restart of this server fixed the error(temporarily). So now the issue is with the other server.
Any possible chances for resource locks which automatically fixed while restarting the server. What are the main logs to check for this issue? Also where should I check to know if some resource locking happens? Or something else…
Destination server is using vsftpd and the source is having proftpd sever. Is there any changes needed in the configuration source or detination servers? What could be the reason for failure of these file uploads until restart of the source server and 426 network streaming error?
Thanks in advance for the help.
Problem
This document describes a potential cause of an FTP reply code of 426 being sent by the FTP server
possibly referencing message CPE3101.
Resolving The Problem
An FTP 426 reply code will be issued by the FTP server on the IBM® System i® products if the file
receiving the data from the PUT or MPUT command is too small to receive all of the data. You will see a
message on your client within your FTP sessions similar to one of the two following messages:
426 — Unable to close file CPE3101.
or
426 — Cannot write to member xxxxxx in file yyyyyy in library zzzzzzz.
For all file types, do the following:
1) Increase the size of the file on the server system.
2) Verify the user profile that creates or sends the file has the Maximum Storage parameter set to a large
enough value.
3) Reduce the size of the file that is being sent to the server system.
4) If the file is a flat file, ensure the file is not already created on the target system.
If the file is a save file, do the following:
1) Re-create the target save file.
2) This message also indicates that records are out of order in the save file. This often happens if the
save file was transferred to a system that is not a System i. In this case, the save file must be
re-created or retransferred from the source.
3) Examine the Maximum Storage Allowed parameter of the user profile that owns the save file on the
target system. This storage determines how big the file can be, and it will cause this error.
[{«Product»:{«code»:»SWG60″,»label»:»IBM i»},»Business Unit»:{«code»:»BU058″,»label»:»IBM Infrastructure w\/TPS»},»Component»:»Communications-TCP»,»Platform»:[{«code»:»PF012″,»label»:»IBM i»}],»Version»:»Version Independent»,»Edition»:»»,»Line of Business»:{«code»:»LOB57″,»label»:»Power»}}]
Historical Number
439756764