Why am I suddenly seeing a delay in connecting to certain FTP servers after enabling the XP SP2 firewall?

If you upgraded to Windows XP SP2 and have enabled the XP SP2 firewall, you may be seeing a delay when establishing an FTP connection with AbsoluteFTP® or SecureFX®. This lag may occur when connecting via FTP even when an exception in the firewall configuration is created for SecureFX/AbsoluteFTP, and regardless of the PASV/PORT setting.

This delayed response from some FTP servers will at first appear to be a hang or failed connection after establishing the control connection. You will see the following line of trace information as the last line in AbsoluteFTP's log view:

i Control connection successfully established.

Waiting for approximately 20-30 seconds will result in the connection being fully established.

Here's what's going on in the background:

When SecureFX/AbsoluteFTP makes an outgoing connection to some FTP servers (wu.ftpd is known to have this problem, for example), the FTP server tries to look up the user name that owns the client end of the control connection using the auth/ident service (RFC 912, 931, and 1413). To do that, it opens a new TCP connection back to the client's machine on port 113. Note that ident does not authenticate anything: the server simply asks the client host who owns the connection, typically to record the answer in its logs.

With the Windows XP SP2 firewall enabled, the inbound SYN packets to port 113 are silently dropped, so the FTP server never learns that the port is closed. It keeps retransmitting the same SYN (note the identical sequence number and the 3-second, then 6-second gaps between attempts, which is TCP's retransmission backoff) until its own ident lookup timeout expires. Here is a segment of the Windows firewall log that shows the outgoing connection to the FTP server by AbsoluteFTP, and the resulting incoming connection attempts from the FTP server on port 113:

192.168.0.200 = Machine running wu.ftpd server
192.168.0.100 = Machine running SecureFX/AbsoluteFTP

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-02-02 11:56:32 OPEN TCP 192.168.0.100 192.168.0.200 1410 21 - - - - - - - - -
2005-02-02 11:56:32 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE
2005-02-02 11:56:35 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE
2005-02-02 11:56:41 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE
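The pattern in the log above is easy to pick out by hand for one session, but on a busy machine it helps to correlate automatically: an outbound OPEN to port 21 followed by inbound DROPs to port 113 from the same remote address. The PowerShell function below is an added example and is not part of the original page or of the AbsoluteFTP/SecureFX products; the log lines in $LogLines are constructed sample data in the same format as the excerpt above (the last line, from 10.0.0.7, is an ident probe with no matching FTP session, which an exception should not be opened for). It is written for PowerShell 2.0 so that it also runs on Windows XP.

```powershell
# Added example (not from the original page): correlate outbound FTP control
# connections with inbound ident (TCP/113) probes in a Windows Firewall log
# (pfirewall.log format, as in the excerpt above). $LogLines is constructed data.

$LogLines = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2005-02-02 11:56:32 OPEN TCP 192.168.0.100 192.168.0.200 1410 21 - - - - - - - - -',
    '2005-02-02 11:56:32 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE',
    '2005-02-02 11:56:35 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE',
    '2005-02-02 11:56:41 DROP TCP 192.168.0.200 192.168.0.100 33898 113 60 S 2999014174 0 5840 - - - RECEIVE',
    '2005-02-02 11:57:10 DROP TCP 10.0.0.7 192.168.0.100 4455 113 60 S 1122334455 0 5840 - - - RECEIVE'
)

function Find-IdentProbes {
    param([string[]]$Lines)

    $ftpSessions = @{}   # remote FTP server IP -> time of our outbound OPEN to port 21
    $probes      = @{}   # remote IP -> timestamps of dropped inbound SYNs to port 113
    $culture     = [Globalization.CultureInfo]::InvariantCulture

    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }        # skip header/comment lines
        $f = $line -split ' '
        if ($f.Count -lt 10) { continue }               # malformed/truncated line
        $time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
        $action, $proto, $src, $dst, $dport, $flags = $f[2], $f[3], $f[4], $f[5], $f[7], $f[9]
        if ($proto -ne 'TCP') { continue }

        if ($action -eq 'OPEN' -and $dport -eq '21') {
            # Our outbound FTP control connection; key on the server's address.
            $ftpSessions[$dst] = $time
        }
        elseif ($action -eq 'DROP' -and $dport -eq '113' -and $flags -eq 'S' -and $f[-1] -eq 'RECEIVE') {
            # Inbound SYN to the ident port that the firewall silently dropped.
            if (-not $probes.ContainsKey($src)) { $probes[$src] = @() }
            $probes[$src] += $time
        }
    }

    foreach ($ip in $probes.Keys) {
        $times = @($probes[$ip] | Sort-Object)
        New-Object PSObject -Property @{
            RemoteHost       = $ip
            FtpSessionOpen   = $ftpSessions.ContainsKey($ip)   # $true = ident lookup caused by our FTP login
            ProbeCount       = $times.Count
            RetrySpanSeconds = ($times[-1] - $times[0]).TotalSeconds
        }
    }
}

Find-IdentProbes -Lines $LogLines |
    Select-Object RemoteHost, FtpSessionOpen, ProbeCount, RetrySpanSeconds |
    Format-Table -AutoSize
```

A row with FtpSessionOpen set to True is the ident-induced delay described above (for the sample data: three retries from 192.168.0.200 spanning 9 seconds). A row with FtpSessionOpen set to False is an unsolicited probe of port 113 from a host you never connected to, which is exactly the kind of traffic the firewall should keep dropping. To read the real log instead of the sample, replace $LogLines with `Get-Content $env:windir\pfirewall.log`.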

Once the ident/auth timeout occurs on the FTP server side, the FTP server will move on to normal authentication via USER and PASS.

To resolve this time lag issue, create a port exception in the Windows firewall for TCP port 113. Since there isn't anything listening on port 113 on the XP machine, the exception lets the TCP stack see the incoming SYN and answer it with a RST, which the FTP server sees as a "Connection Refused" error on its first attempt instead of silently losing packet after packet. Once the FTP server receives this error, it gives up on the ident lookup and switches to normal USER and PASS authentication, significantly reducing the lag time before connection. Two caveats: the fix works only while nothing listens on port 113, so if an ident service is ever installed later it will become reachable through this exception; and, where the firewall allows it, restrict the exception to the address of the FTP server rather than opening the port to every host.
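The commands below carry out that fix from a command prompt on Windows XP SP2, using the built-in netsh firewall context; they are an added example, not text from the original page, and 192.168.0.200 is the example FTP server address from the log excerpt above (substitute your own server's address). Run them from an administrator account.

```powershell
# Added example (not from the original page): open TCP/113 so ident probes are
# refused instead of dropped. 192.168.0.200 is the sample FTP server address.

# 1. Check that nothing on this machine is listening on TCP 113. The fix relies
#    on the probe being refused; if something answers here, ident replies would
#    actually be sent to the server.
netstat -an -p TCP | findstr ":113 "

# 2. Add the exception, scoped to the FTP server only (scope=ALL would open
#    the port to every host).
netsh firewall add portopening protocol=TCP port=113 name=ident mode=ENABLE scope=CUSTOM addresses=192.168.0.200

# 3. Verify the exception is present.
netsh firewall show portopening

# 4. Make sure dropped-packet logging is on, then start a new FTP session:
#    the firewall log should show no further DROP lines for port 113 from the server.
netsh firewall set logging droppedpackets=ENABLE

# To remove the exception later:
#   netsh firewall delete portopening protocol=TCP port=113
```

If step 1 prints a LISTENING line for port 113, stop and find out what is bound there before opening the port; in that case the FTP server would get an ident answer rather than a refusal, and the delay would be replaced by whatever that service reports.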
