Rclone mount - 425 Unable to build data connection: TLS session of data connection not resumed

Hi,

how can i solve this issue? I read that is a bug in rclone? Is that true?

rclone version
rclone v1.63.0

• os/version: ubuntu 22.04 (64 bit)
• os/kernel: 5.15.0-76-generic (x86_64)
• os/type: linux
• os/arch: amd64
• go/version: go1.20.5
• go/linking: static
• go/tags: none

Problem:
2023/07/14 23:58:24 ERROR : MYFILE******: vfs cache: failed to upload try #6, will retry in 5m0s: vfs cache: failed to transfer file from cache to remote: update stor: 1 error occurred:

• 425 Unable to build data connection: TLS session of data connection not resumed.

Reproduce?
Setup FileZilla Server with v1.7.2, mount this FTP with the given command. Try to transfer diffrent files.

Command:
rclone mount MYREMOTE/ /home/FTP/ --umask 0 --allow-other --dir-cache-time 24h --attr-timeout 6h --poll-interval 30s --vfs-cache-max-age 3h --vfs-cache-mode full --vfs-read-chunk-size 128M --vfs-read-chunk-size-limit 512M --vfs-cache-max-size 10G --transfers 4 --checkers 4 --ftp-disable-tls13

RClone config:

[MYREMOTE]
type = ftp
host = *** MY HOST ****
user = *********
pass = S****************M
explicit_tls = true
no_check_certificate = true
tls_cache_size = 32

FTP SERVER:
Filezilla FTP Server v1.7.2

Can you upload files to your FTP server using some other tool? E.g. FileZilla client?

Also if possible I would suggest to use SFTP instead - FTP protocol with TLS has tones of issues you can read about on this forum.

welcome to the forum,

might be easier to test using rclone ls, not rclone mount

i am able to connect to filezilla server, using TLS v1.3

rclone ls :ftp,explicit_tls,no_check_certificate,host=100.109.123.23,port=2222,user=user,pass=hCqzUJfyTpEMVVT_Q3htQenZ7pIKVdgu,user=user,pass=hCqzUJfyTpEMVVT_Q3htQenZ7pIKVdgu: -vv
2023/07/17 09:14:28 DEBUG : rclone: Version "v1.62.2" starting with parameters ["rclone" "ls" ":ftp,explicit_tls,no_check_certificate,host=100.109.123.23,port=2222,user=user,pass=hCqzUJfyTpEMVVT_Q3htQenZ7pIKVdgu,user=user,pass=hCqzUJfyTpEMVVT_Q3htQenZ7pIKVdgu:" "-vv"]
2023/07/17 09:14:28 DEBUG : Creating backend with remote ":ftp,explicit_tls,no_check_certificate,host=100.109.123.23,port=2222,user=user,pass=hCqzUJfyTpEMVVT_Q3htQenZ7pIKVdgu,user=user,pass=hCqzUJfyTpEMVVT_Q3htQenZ7pIKVdgu:"
2023/07/17 09:14:28 DEBUG : Using config file from "/home/user01/.config/rclone/rclone.conf"
2023/07/17 09:14:28 DEBUG : :ftp: detected overridden config - adding "{gU6Aj}" suffix to name
2023/07/17 09:14:28 DEBUG : ftp://100.109.123.23:2222: Connecting to FTP server
2023/07/17 09:14:28 DEBUG : ftp://100.109.123.23:2222: dial("tcp","100.109.123.23:2222")
2023/07/17 09:14:28 DEBUG : ftp://100.109.123.23:2222: > dial: conn=*fshttp.timeoutConn, err=<nil>
2023/07/17 09:14:28 DEBUG : fs cache: renaming cache item ":ftp,explicit_tls,no_check_certificate,host=100.109.123.23,port=2222,user=user,pass=hCqzUJfyTpEMVVT_Q3htQenZ7pIKVdgu,user=user,pass=hCqzUJfyTpEMVVT_Q3htQenZ7pIKVdgu:" to be canonical ":ftp{gU6Aj}:"
2023/07/17 09:14:28 DEBUG : ftp://100.109.123.23:2222: dial("tcp","100.109.123.23:54442")
2023/07/17 09:14:28 DEBUG : ftp://100.109.123.23:2222: > dial: conn=*tls.Conn, err=<nil>
        1 file.ext

I can connect via FileZilla or any Android FTP Client. It works without issues only with Rclone occur this error.

To reproduce this, you have to transfer several files. The LS command works partially, most of the file is visible, but then the error occurs.

Then produce ls DEBUG output and post here - the clues will be there:

rclone ls remote: -vv

ok, i was able to reproudce the error running filezilla ftp server on windows.

and the 425 issue is not specifc to rclone.
TLS session of data connection not resumed Error (v1.1.0) - FileZilla Forums

My log.

EDIT: i removed the DOMAIN in the logs

rclone ls ftps-nas: -vv
2023/07/17 15:28:44 DEBUG : rclone: Version "v1.63.0" starting with parameters ["rclone" "ls" "ftps-nas:" "-vv"]
2023/07/17 15:28:44 DEBUG : Creating backend with remote "ftps-nas:"
2023/07/17 15:28:44 DEBUG : Using config file from "/home/dev/.config/rclone/rclone.conf"
2023/07/17 15:28:44 DEBUG : ftp://-MYDOMAIN-:21: Connecting to FTP server
2023/07/17 15:28:44 DEBUG : ftp://:21: dial("tcp",":21")
2023/07/17 15:28:44 DEBUG : ftp://:21: > dial: conn=*fshttp.timeoutConn, err=
2023/07/17 15:28:44 DEBUG : ftp://:21: dial("tcp","95.90.129.161:65349")
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*tls.Conn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: Connecting to FTP server
2023/07/17 15:28:45 DEBUG : ftp://:21: Connecting to FTP server
2023/07/17 15:28:45 DEBUG : ftp://:21: Connecting to FTP server
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp",":21")
2023/07/17 15:28:45 DEBUG : ftp://:21: Connecting to FTP server
2023/07/17 15:28:45 DEBUG : ftp://:21: Connecting to FTP server
2023/07/17 15:28:45 DEBUG : ftp://:21: Connecting to FTP server
2023/07/17 15:28:45 DEBUG : ftp://:21: Connecting to FTP server
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp",":21")
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp",":21")
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*fshttp.timeoutConn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp","95.90.129.161:65385")
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp",":21")
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*fshttp.timeoutConn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp",":21")
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*fshttp.timeoutConn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp",":21")
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*tls.Conn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*fshttp.timeoutConn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*fshttp.timeoutConn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp",":21")
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*fshttp.timeoutConn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*fshttp.timeoutConn, err=
2023/07/17 15:28:45 DEBUG : ftp://:21: dial("tcp","95.90.129.161:65392")
2023/07/17 15:28:45 DEBUG : ftp://:21: > dial: conn=*tls.Conn, err=
^C

2023/07/17 15:27:41 DEBUG : ftp://:21: > dial: conn=*tls.Conn, err=
2023/07/17 15:27:41 DEBUG : ftp://:21: dial("tcp","95.90.129.161:65325")
2023/07/17 15:27:41 DEBUG : ftp://:21: > dial: conn=*tls.Conn, err=
2023/07/17 15:27:41 DEBUG : ftp://:21: > dial: conn=*tls.Conn, err=
2023/07/17 15:27:41 DEBUG : ftp://:21: > dial: conn=*tls.Conn, err=
2023/07/17 15:27:41 DEBUG : ftp://:21: > dial: conn=*tls.Conn, err=
2023/07/17 15:27:41 ERROR : folder/ABC: error listing: 1 error occurred:
* 425 Unable to build data connection: TLS session of data connection not resumed.

What do you mean with that? With other software i have no issues, only with rclone

good catch:) It pointed me towards rclone problems with resuming TLS sessions I saw in the past.

Given that it works like you say partially I think the most likely culprit here is TLS cache

Increase tls_cache_size as at the moment you just specify its default value - 32

and test with ls again

i has already tested tls_cache_size=1024, did not make a difference

the issue occurs with various ftp servers and ftp clients, so not just rclone.

rclone relies on third-party library.

FTP over TLS: Data Connection fails after a certain number of downloads

opened 01:29PM - 17 Nov 22 UTC

closed 01:29PM - 22 Nov 22 UTC

brittawi

defect

**Describe the bug** I am using Explicit FTPS to connect to a FileZilla Server …(1.5.1). When I'm downloading a file a certain amount of times the server gives me an error and the control connection gets closed. **To Reproduce** ``` c, err := ftp.Dial("127.0.0.1:21", ftp.DialWithExplicitTLS(&tls.Config{ ClientSessionCache: tls.NewLRUClientSessionCache(0), InsecureSkipVerify: true, ServerName: "test", })) if err != nil { log.Fatal(err) } err = c.Login("user", "pass") if err != nil { log.Fatal(err) } for i := 0; i < 200; i++ { fmt.Println("Round " + fmt.Sprint(i)) r, err := c.Retr("/testfile.txt") if err != nil { panic(err) } buf, _ := ioutil.ReadAll(r) println(string(buf)) r.Close() } ``` **Expected behavior** I would expect that no matter how many files I download, the control connection will not be closed. When I am connecting without TLS this is no problem. Also using WinSCP to connect to the Server or a FileZilla Client works fine. **FTP server** - Name and version: FileZilla 1.5.1 **Debug output** The go FTP Client gives me the following error: ``` panic: write tcp 127.0.0.1:61864->127.0.0.1:21: wsasend: An existing connection was forcibly closed by the remote host. ``` The FileZilla Server gives me the following error:  **Additional Content** In the example above TLS v1.3 is used. I have also tried setting the Version to TLS v1.2. When I am doing so it takes a lot more files to download until I get an error. Here I get the following error:  This issue also happens with the List command.

rclone is actually using fork of this ftp package... as in the past they were rather slow with fixes.

Trying disable_tls13 = true might be worth a go.

Also try the latest beta as it is running the next go version and maybe stuff is fixed there.

Its not working, als already use this command / option

It's a bit disappointing, such a big language like GO and it's not possible to make an FTPS connection.

I want a 100% clean working solution. Should i open an issue here? Issues · jlaffaye/ftp · GitHub

EDIT: issue created 425 Unable to build data connection: TLS session of data connection not resumed · Issue #342 · jlaffaye/ftp · GitHub

@ncw the ftp package dev said its a problem in rclone: 425 Unable to build data connection: TLS session of data connection not resumed · Issue #342 · jlaffaye/ftp · GitHub

Ok we start a ping pong ..

In the issue we see

This is not an issue with this package. You need to setup TLS resumption on your &tls.Config:

1. ServerName must be correct
2. SessionTicketsDisabled must be false (this is default)
3. ClientSessionCache must be non-nil (e.g., tls.NewLRUClientSessionCache(0))

I think 2 and 3 are satisfied, however 1 is not

This most likely is the cause of the problem if the ServerName does not match. It depends on exactly why you are using no_check_certificate though.

Ah ok. The domain is from no-ip a free domain that is setup to my local ip. So i thought i need to disable certificate check but i will try it. Thanks

I guess the implication is that these “tls.config” settings are within rclone?
Can end users of rclone do anything to set this ServerName setting?
Or is a change in rclone required to enable this?

For me, this error happens when I try rclone sync from Ubuntu pointing to a Windows server running FileZilla server with —ftp-explicit-tls set along with other config all on the command line.
It does not happen when I try the same settings except pointing at Linux servers running PureFTP.
Using passive settings in FileZilla with host name set to the same as the name in the LetsEncrypt certificate, which is the same as the reverse DNS of the sever IP
Maybe there’s another place in FileZilla where I need to set the ServerName?

rclone also works fine connecting to FileZilla but without enabling explict TLS.
Also fine with concurrency set to 1 (was just using default)
Does NOT work when concurrency set to 2

Presumably, rclone is not or cannot share the TLS settings for all connections?
(default concurrency is fine for explict TLS connections to PureFTP servers though, so it's strange it seems to be only FileZilla server to have this problem, though I've only connected to PureFTP and FileZilla so there may be others too)

tried concurrency 2 tls cache size 64 and disable tls13 still does not work; same with beta rclone