I’ve been using the FileZilla FTP client for many years and in that time have had only a few occasions where the application didn’t perform with the default settings.
One of those instances was yesterday, when I was trying to connect to my firm’s FTP site from an external network connection. From inside the office, using the internal IP address, FileZilla connected normally and displayed the contents of the root directory after I authenticated.
From outside the office, connecting via the hostname ftp.domain.com, FileZilla would connect normally and authenticate successfully, but it would not display the contents of the root directory. Instead, the server would send a “425 Can’t open data connection” message. FileZilla would then report “Error: Failed to retrieve directory listing”.
Here’s the complete conversation between the client and the server (names and IP addresses changed to protect the firm’s identity):
Status: Resolving address of ftp.domain.com
Status: Connecting to 38.98.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220-Microsoft FTP Service
Response: 220 Company Name
Command: USER ftp_username
Response: 331 Password required for ftp_username.
Command: PASS **********
Response: 230-Welcome to the Company Name FTP service. Unauthorized use is strictly prohibited.
Response: 230 User ftp_username logged in.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,114,13,156).
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: LIST
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Response: 421 Timeout (120 seconds): closing control connection.
Error: Could not read from socket: ECONNRESET - Connection reset by peer
Error: Disconnected from server
The interesting thing, I thought, was that when the server agreed to use passive mode, it did so with a port on the internal IP address, which is unroutable from outside the network.
The fix is to use active mode
OK, if you’re reading this, you probably just want to know how to make it work. FileZilla uses passive mode by default, but due to the network configuration of certain servers, active mode is required to establish a data connection. A bit of background reading with some explanation is farther down.
In FileZilla, click on Edit | Settings.
Under Connection, click on FTP and choose Active as the Transfer Mode.
Under Connection, under FTP, click on Active mode and choose “Ask your operating system for the external IP address” (the default setting).
Under Connection, under FTP, click on Passive mode and choose “Fall back to active mode” (this is an optional setting).
What is the difference between active and passive mode?
According to the FileZilla wiki page on network configuration:
In passive mode, which is recommended (see below), the client sends the PASV command to the server, and the server responds with an address. The client then issues a command to transfer a file or to get a directory listing, and establishes a secondary connection to the address returned by the server.
In active mode, the client opens a socket on the local machine and tells its address to the server using the PORT command. Once the client issues a command to transfer a file or listing, the server will connect to the address provided by the client.
The difference, then, is which side gets to determine the address used during the connection. In passive mode, the server provides the address, while in active mode, the client provides the address.
Why do I need to use active mode?
You probably shouldn’t need to use active mode; in fact, using active mode requires more configuration by the user of the FTP client.
In passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will already be the case most of the time).
Analogously, in active mode, the router and firewall on the client side need to be configured to accept and forward incoming connections. Only outgoing connections have to be allowed on the server side.
So, it boils down to who’s going to be responsible for the NAT and firewall configuration. Using passive mode places the responsibility on the server side of the connection, while using active mode places it on the client side. Typically, the FTP server administrator should be better equipped to handle this responsibility than the average FTP client user.
In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you’ll have to allow outgoing connections to all ports in your firewall.
In active mode, the client opens a socket and waits for the server to establish the transfer connection.
I’m behind a NAT router and I’ve never had any problems with passive mode. On the other hand, I seem to be able to connect to all my sites without any problem with the client in active mode, too, and I haven’t had to open any ports in Windows Firewall or forward any ports on my router. So maybe active mode doesn’t require as much configuration as the wiki page leads me to believe. Or maybe I’m just getting lucky and I’ll eventually run into problems if I continue to run in active mode.
Why does the server respond with the local IP address?
The FileZilla people offer a partial explanation for why I’m seeing the internal IP address when I connect using the hostname. Back in Settings, under Connection | FTP | Passive mode, is some support text that reads: Some misconfigured remote servers which are behind a router, may reply with their local IP address.
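To make the mechanics concrete, here is an added worked example (my own Python script, not code from FileZilla or the FileZilla wiki) that ties together the log above, the PASV/PORT description, and the support text just quoted. It parses the 227 reply exactly as the server sent it, classifies 192.168.0.114 as unroutable the way FileZilla did, substitutes the control-connection address, and, for active mode, opens the listening socket a client would advertise with a PORT command. The control-connection address 1.2.3.4 is a constructed placeholder standing in for the firm’s redacted 38.98.xxx.xxx; the listener is bound to loopback only so the script runs offline.

```python
import ipaddress
import re
import socket

# Matches the (h1,h2,h3,h4,p1,p2) tuple in an RFC 959 "227 Entering Passive Mode" reply.
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (ip, port) from a 227 reply such as the one in the log above.

    The port is encoded as two bytes: port = p1 * 256 + p2.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError("no address tuple in reply: %r" % reply)
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet or port byte out of range: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_routable(ip):
    """True if ip is a public address an outside client could plausibly reach.

    RFC 1918 space such as 192.168.0.114, loopback, link-local and similar
    ranges are what FileZilla calls an "unroutable address".
    """
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


def choose_data_address(control_host, reply):
    """Mimic the FileZilla fallback seen in the log.

    Returns (ip, port, substituted): the address the client should dial for
    the data connection, and whether the server's unroutable address was
    replaced by the address of the control connection.
    """
    ip, port = parse_pasv_reply(reply)
    if is_routable(ip):
        return ip, port, False
    return control_host, port, True


def build_port_command(ip, port):
    """Encode the client's listening address as an active-mode PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    octets = str(ipaddress.IPv4Address(ip)).replace(".", ",")
    return "PORT %s,%d,%d" % (octets, port // 256, port % 256)


def open_active_listener(bind_ip="127.0.0.1"):
    """Open the socket the client waits on in active mode; returns (socket, port).

    Port 0 lets the OS pick an ephemeral port, which is what the PORT command
    then advertises. Bound to loopback here so the example runs offline; a
    real client would advertise its external address instead.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((bind_ip, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Constructed input: the 227 line is the one from the log above; 1.2.3.4
    # is a placeholder for the firm's redacted public address 38.98.xxx.xxx.
    reply = "227 Entering Passive Mode (192,168,0,114,13,156)."
    ip, port, substituted = choose_data_address("1.2.3.4", reply)
    print("data connection ->", ip, port, "(substituted)" if substituted else "")
    sock, local_port = open_active_listener()
    print(build_port_command("1.2.3.4", local_port))
    sock.close()
```

Note what the substitution can and cannot fix: the client ends up dialling port 3484 (13 × 256 + 156) on the server’s public address, which is precisely what FileZilla did before the LIST in the log, and it still got “425 Can’t open data connection” because nothing on the server side forwards that passive port range from the public address to 192.168.0.114. That is why switching the client to active mode, where the server dials out to the client instead, works around a server whose NAT is misconfigured. Recent versions of Python’s own ftplib apply the same rule: FTP.trust_server_pasv_ipv4_address defaults to False, so the control-connection address is used unless you opt in to trusting the server’s reply.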
The wiki page is pretty good reading, and has some interesting stuff on NAT, but I think that I’ll offer this plain-language, local IP address explanation when troubleshooting FTP connections.