FTP problems can't open listening socket

Hey there,
first of all, I’m using Duplicati for a half year now and I’m still impressed. This is so great work you all did here!

But now I have a problem, I couldn’t find a solution for. Neither on Google, nor here on the forums.
I wanted to establish a ftp-connection to my FRITZ!Box. Duplicati 2.0.2.13_canary_2017-11-22 is running on Debian 9 (stretch) without graphical interface, both fully updated.
First I began with just typing in the web-interface my IP, Path, username and password. Then I tested it and it responded with Failed to connect: Server returned an error: 530 Must use AUTH TLS.
So I turned on SSL Test. Failed to connect: The authentication or decryption has failed.
After I got this, I marked the option accept-specified-ssl-hash and entered my hash I got. All right? No!
Test - Failed to connect: Server returned an error: 425 Can’t open passive connection
I don’t know why, because in Filezilla on my other computer it’s running perfectly. I’ve also tried ftp in Debian, it’s also working.
Then if I try to force ftp-passive, it of course, tells me the same error. But if I try ftp-regular, it says Failed to connect: Couldn’t open listening socket on client.
And here’s, where I got stuck and don’t know how to get this fixed. Also I tried to accept-any-ssl-certificate and get the same error…

If anyone got a hint for me, I’d appreciate it so much!
Thank you for reading and have a great day!

Edit: Now I tried it on my Windows desktop and here it’s working with all the same parameters.
I also saw if I do on my Debian pc a service duplicati status request, I get:

duplicati.service - Duplicati web-server
Loaded: loaded (/lib/systemd/system/duplicati.service; disabled; vendor preset: enabled)
Active: inactive (dead)
The funny thing is, the webinterface is running and working.
If I start it, it says ● duplicati.service - Duplicati web-server
Loaded: loaded (/lib/systemd/system/duplicati.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2017-12-08 15:23:36 CET; 1s ago
Main PID: 1766 (Main)
Tasks: 11 (limit: 4915)
CGroup: /system.slice/duplicati.service
├─1766 DuplicatiServer /usr/lib/duplicati/Duplicati.Server.exe
└─1770 /usr/bin/mono-sgen /usr/lib/duplicati/Duplicati.Server.exe

A bunch a seconds after it, I did nothing, just wait, it turns into:

● duplicati.service - Duplicati web-server
Loaded: loaded (/lib/systemd/system/duplicati.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2017-12-08 15:24:07 CET; 15s ago
Process: 1975 ExecStart=/usr/bin/duplicati-server $DAEMON_OPTS (code=exited, status=200/CHDIR)
Main PID: 1975 (code=exited, status=200/CHDIR)

Dez 08 15:24:07 Server systemd[1]: duplicati.service: Unit entered failed state.
Dez 08 15:24:07 Server systemd[1]: duplicati.service: Failed with result ‘exit-code’.
Dez 08 15:24:07 Server systemd[1]: duplicati.service: Service hold-off time over, scheduling restart.
Dez 08 15:24:07 Server systemd[1]: Stopped Duplicati web-server.
Dez 08 15:24:07 Server systemd[1]: duplicati.service: Start request repeated too quickly.
Dez 08 15:24:07 Server systemd[1]: Failed to start Duplicati web-server.
Dez 08 15:24:07 Server systemd[1]: duplicati.service: Unit entered failed state.
Dez 08 15:24:07 Server systemd[1]: duplicati.service: Failed with result ‘exit-code’.

I don’t know if it has something to do with it, because before I tried FTP I didn’t have problems with Duplicati.
The only thing I changed, was installing ftp and ftp-ssl to try the connection just without Duplicati.

I’m confused did you try FTP, SFTP, or Duplicati from your Windows box.

Just to make sure I’m understanding correctly, are all these correct?

• you’re running Duplicati on a Windows box
• you’re trying to set a Destination via regular FTP on your FRITZ!Box based router
• this is all running on a single LAN (so you’re not dealing with Internet port issues yet)

Thank you for your answer.

• Yes, I installed Duplicati on my Windows desktop and tried, if it works here and it works with all the same parameters.

• FTPS is activated on my FRITZ!Box router and I can’t just connect over Duplicati on Debian, every other client is working.

• No, it’s working over the internet, because the FRITZ!Box is at another physical destination. And my Windows and Debian PC are not in the same destination as the FRITZ!Box router.

Maybe it’s clearer so:
both PCs (Windows/Debian) - Internet - FRITZ!Box

So I’ve again tested a little around and now I have new findings:
I’ve set up a virtual machine on my Windows PC with Debian stretch with graphical interface.
I installed Duplicati and tested it, and it also worked. But just if the directory already exists and don’t have to be created by Duplicati. If I try to create it through testing on Duplicati, I get the question, if I want to create it, I say yes and then it says Failed to connect: The authentication or decryption has failed. I can’t really understand this because I got full rights on the drive I connect to. But that just btw. Because if it exists, it works to test and also run it. I tried Duplicati v2.0.2.1-1 and then v2.0.2.13-2.0.2.13_canary_2017-11-22, no problems at all.
So I tried to install also ftp (it was already installed) and ftp-ssl to get the same packages as on my real Debian installation. Reboot - no problems. I’ve installed every other packages I’ve installed - reboot - no problems. I don’t get it.
I’m running a FTP-, Apache(with PHP7.0)-, MySQL- and TeamSpeak-server on my Debian machine. But I did this also on my virtual machine and it didn’t cause this problem… I don’t really know what the problem is, Duplicati just can’t open that listening socket.

Ah and the status requests are normal I think because on the virtual machine it happened also and it worked to get Duplicati run.

OK, let’s step back for a moment.

1. You have a job that has been running well for half a year - what destination where you using when it worked?

2. Are you changing the working job to point to FRITZ!Box or did you create a new new one?

3. And just to confirm, you are trying to use FTPS (FTP+SSL) not SFTP (SSH+FTP) so you selected “FTP (Alternative)” as your Backup Destination Storage Type, correct?

It may be unrelated, but some users have reported INTERMITTENT issues with FTPS certificates being accepted in Windows even with --accept-any-ssl-certificate enabled. For them a solution seemed to be to add the .cert file to their Windows certificate storage.

Again thank you for your time!

1. Originally, it was a job for Amazon, but they’re changing their saving plans and so I have to get my stuff off the cloud and save them at another location.

2. I tried both, to create a new testing job or just use the old Amazon job with the new FTP parameters.

3. I tried just the FTP-method but in all variants given, but it won’t just work at my Debian pc. Strangely, I got it working with just FTP, checked SSL and the certificate allowed there on my virtual machine with Debian, as well as on my Windows pc.

Okay, that’s what I could try the alternative FTP-mode and to save the cert to my system, even if it’s Debian.

Ah and here are the logfiles I completely forgot to post.
One time with just these parameters:

• FTP
• SSL
• accept-specified-ssl-hash (as well as with accept-any-ssl-certificate)

System.Net.WebException: Server returned an error: 425 Can't open passive connection 
  at Duplicati.Library.Utility.AsyncHttpRequest+AsyncWrapper.GetResponseOrStream () [0x0004d] in <345023f3ba064333ba38d47ee2a7964f>:0 
  at Duplicati.Library.Utility.AsyncHttpRequest.GetResponse () [0x00044] in <345023f3ba064333ba38d47ee2a7964f>:0 
  at Duplicati.Library.Backend.FTP+<>c__DisplayClass21_0.<List>b__0 () [0x0000c] in <0181b09c195f4650a74abed4a441ab3b>:0 
  at Duplicati.Library.Backend.FTP.HandleListExceptions (System.Action action, System.Net.FtpWebRequest req) [0x00000] in <0181b09c195f4650a74abed4a441ab3b>:0

And here with:

• FTP
• SSL
• accept-specified-ssl-hash (as well as with accept-any-ssl-certificate)
• ftp-regular

System.Net.WebException: Couldn't open listening socket on client ---> System.Net.Sockets.SocketException: An address incompatible with the requested protocol was used 
  at System.Net.Sockets.Socket.Bind (System.Net.EndPoint localEP) [0x0004c] in <bd46d4d4f7964dfa9beea098499ab597>:0 
  at System.Net.FtpWebRequest.InitDataConnection () [0x0005c] in <bd46d4d4f7964dfa9beea098499ab597>:0 --- End of inner exception stack trace --- 
  at Duplicati.Library.Utility.AsyncHttpRequest+AsyncWrapper.GetResponseOrStream () [0x0004d] in <345023f3ba064333ba38d47ee2a7964f>:0 
  at Duplicati.Library.Utility.AsyncHttpRequest.GetResponse () [0x00044] in <345023f3ba064333ba38d47ee2a7964f>:0 at Duplicati.Library.Backend.FTP+<>c__DisplayClass21_0.<List>b__0 () [0x0000c] in <0181b09c195f4650a74abed4a441ab3b>:0 
  at Duplicati.Library.Backend.FTP.HandleListExceptions (System.Action action, System.Net.FtpWebRequest req) [0x00000] in <0181b09c195f4650a74abed4a441ab3b>:0

I’ve tried the alternative FTP-mode and I got it working, I don’t get this. I checked accept-specified-ssl-hash, aftp-ssl-protocols Tls, aftp-encryption-mode explicit and aftp-data-connection-type AutoPassive.
Wow, it could be so simple. Thank you so much!
The only thing is, why it won’t work with just FTP-mode? Anything buggy on my system or is it maybe a Duplicati bug or both?

Glad you got it working!

I think for FTPS you have to use alternate FTP, but other than that I’m not sure what the difference is (maybe one allows active / passive but the other doesn’t).

The FTP backend is using the .Net FTP library, which mostly works, but then again FTP is really old and has tons of quirks.

When it works on Windows, it might be because the MS implementation is handling this particular case better than the Mono version used on Linux.

The aFTP backend is using the same code on both Linux and Windows, so it should be more “comparable” across platforms.

Well that explains everything.
Thank you two very much!

It’s to bad we can’t easily make an “FTP (Generic)” be the “same code” version and have “FTP (Windows)” or “FTP (.NET)” be the other one - just so the make provides a little more guidance than just “alternate”.

We can easily change the names if we want (at least the display names).
The problem is that I think some FTP servers work better with “FTP (.Net)” while others work better with “FTP (Generic)” so choosing the names is a bit difficult.

Ok, that makes sense. Do they generally fail in a way we could catch and suggest “try this other one” or even auto try the other (at least during connecting test)?

I think we could, but making and maintaining that list of FTP servers and versions is a big task.

Good point, and totally not worth the effort for the amount of issues they cause.

I’ve got a question. I said in my recent posts, that if I restart it via “services duplicati restart”, it actually doesn’t even restart or the process is even running, if “services duplicati status” tells me, it doesn’t. How can I restart just the service on my Debian system? I’ve seen, that the /usr/lib/duplicati/Duplicati.Server.exe is running but I don’t know how I should restart it, the web says also different things, which doesn’t work.
It’s also opened twice, that’s normal, isn’t it?

lsof /usr/lib/duplicati/Duplicati.Server.exe

Main 643 root mem REG 254,0 268344 137715 /usr/lib/duplicati/Duplicati.Server.exe
Main 871 root mem REG 254,0 268344 137715 /usr/lib/duplicati/Duplicati.Server.exe

And I seem to have trouble with one backup, which can’t upload ~40 GB. It starts with Verifiyng a “long” time. Then it does upload ~1MB/s and it falls to ~2KB/s over time and doesn’t even get any further with transfering data.

Edit:
After ~8hrs it got ~0,08GB transmitted. And it’s at 1,0x KB/s.

Don’t know. It looks like two different processes have opened the file, which sounds odd to me, but I don’t expect it to cause problems.

It should certainly not run twice.

I don’t know why that is. Duplicati builds the entire volume first and then sends it. In other words there is no processing being done before data can be transmitted, it should send as fast as the disk can deliver data (most likely limited also by your network link).