Configuring FileZilla FTP to use active mode to resolve “425 Can’t open data connection” errors

I’ve been using the FileZilla FTP client for many years and in that time have had only a few occasions where the application didn’t perform with the default settings.

One of those instances was yesterday, when I was trying to connect to my firm’s FTP site from an external network connection. From inside the office, using the internal IP address, FileZilla connected normally and displayed the contents of the root directory after I authenticated.

From outside the office, connecting via the hostname ftp.domain.com, FileZilla would connect normally and authenticate successfully, but it would not display the contents of the root directory. Instead, the server would send a “425 Can’t open data connection” message. FileZilla would then report “Error: Failed to retrieve directory listing”.

Here’s the complete conversation between the client and the server (names and IP addresses changed to protect the firm’s identity):

Status: Resolving address of ftp.domain.com
Status: Connecting to 38.98.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220-Microsoft FTP Service
Response: 220 Company Name
Command: USER ftp_username
Response: 331 Password required for ftp_username.
Command: PASS **********
Response: 230-Welcome to the Company Name FTP service.  Unauthorized use is strictly prohibited.
Response: 230 User ftp_username logged in.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,114,13,156).
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: LIST
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Response: 421 Timeout (120 seconds): closing control connection.
Error: Could not read from socket: ECONNRESET - Connection reset by peer
Error: Disconnected from server

The interesting thing, I thought, was that when the server agreed to use passive mode, it did so with a port on the internal IP address, which is unroutable from outside the network.
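To make that reply concrete, here is an added example (not part of the original post or of FileZilla's code) that decodes the six numbers in the 227 reply and applies the substitution the Status line describes. The address 203.0.113.10 is a constructed stand-in for the redacted public address, and the function names are illustrative.

```python
import ipaddress
import re

# Ranges a client on the Internet cannot reach: RFC 1918 private space,
# loopback and link-local.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# h1,h2,h3,h4,p1,p2 as carried by the 227 reply (and by the PORT command).
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# The reply from the log above, and a constructed stand-in for the
# redacted public address the control connection went to.
REPLY = "227 Entering Passive Mode (192,168,0,114,13,156)."
PUBLIC_PEER = "203.0.113.10"


def decode_hostport(text):
    """Return (ip_string, port) from an h1,h2,h3,h4,p1,p2 tuple."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("value above 255 in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def is_unroutable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)


def passive_endpoint(reply, control_peer):
    """Choose where to open the data connection.

    If the server advertises an unroutable address but the control
    connection reached it at a routable one, use the control-connection
    address, as the Status line in the log describes. The port is kept.
    """
    host, port = decode_hostport(reply)
    substituted = is_unroutable(host) and not is_unroutable(control_peer)
    return (control_peer if substituted else host), port, substituted


if __name__ == "__main__":
    print(decode_hostport(REPLY))
    print(passive_endpoint(REPLY, PUBLIC_PEER))
    print(passive_endpoint(REPLY, "192.168.0.114"))
```

Substituting the address leaves port 3484 unchanged, so the router on the server side still has to forward that port for the data connection to open.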

The fix is to use active mode

OK, if you’re reading this, you probably just want to know how to make it work. FileZilla uses passive mode by default, but due to the network configuration of certain servers, active mode is required to establish a data connection. A bit of background reading with some explanation is farther down.

In FileZilla, click on Edit | Settings.

Under Connection, click on FTP and choose Active as the Transfer Mode.

Under Connection, under FTP, click on Active mode and choose “Ask your operating system for the external IP address” (the default setting).

Under Connection, under FTP, click on Passive mode and choose “Fall back to active mode” (this is an optional setting).

What is the difference between active and passive mode?

According to the FileZilla wiki page on network configuration:

In passive mode, which is recommended (see below), the client sends the PASV command to the server, and the server responds with an address. The client then issues a command to transfer a file or to get a directory listing, and establishes a secondary connection to the address returned by the server.

In active mode, the client opens a socket on the local machine and tells its address to the server using the PORT command. Once the client issues a command to transfer a file or listing, the server will connect to the address provided by the client.

The difference, then, is which side gets to determine the address used during the connection. In passive mode, the server provides the address, while in active mode, the client provides the address.

Why do I need to use active mode?

You probably shouldn’t need to use active mode; in fact, active mode requires more configuration by the user of the FTP client.

In passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will already be the case most of the time).

Analogously, in active mode, the router and firewall on the client side need to be configured to accept and forward incoming connections. Only outgoing connections have to be allowed on the server side.

http://wiki.filezilla-project.org/Network_Configuration#Technical_background

So, it boils down to who’s going to be responsible for the NAT and firewall configuration. Using passive mode places the responsibility on the server side of the connection, while using active mode places it on the client side. Typically, the FTP server administrator should be better equipped to handle this responsibility than the average FTP client user.

Passive mode

In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you’ll have to allow outgoing connections to all ports in your firewall.

Active mode

In active mode, the client opens a socket and waits for the server to establish the transfer connection.

http://wiki.filezilla-project.org/Network_Configuration#Setting_up_FileZilla_Client

I’m behind a NAT router and I’ve never had any problems with passive mode. On the other hand, I seem to be able to connect to all my sites without any problem with the client in active mode, too, and I haven’t had to open any ports in Windows Firewall or forward any ports on my router. So maybe active mode doesn’t require as much configuration as the wiki page leads me to believe. Or maybe I’m just getting lucky and I’ll eventually run into problems if I continue to run in active mode.

Why does the server respond with the local IP address?

The FileZilla people offer a partial explanation for why I’m seeing the internal IP address when I connect using the hostname. Back in Settings, under Connection | FTP | Passive mode, is some support text that reads: Some misconfigured remote servers which are behind a router, may reply with their local IP address.

The wiki page is pretty good reading, and has some interesting stuff on NAT, but I think that I’ll offer this plain-language, local IP address explanation when troubleshooting FTP connections.

13 thoughts on “Configuring FileZilla FTP to use active mode to resolve “425 Can’t open data connection” errors”

  1. Rene Pilon

    Thank You! Wasn’t using FileZilla but my own ftp client on a new hosted server (Arvixe) – and after tracing in C code for a bit – searching the error 421 landed me here. And …. going from Passive to Active worked at this end!

    Thanks!

  2. Noël Goyet

    I am French, and I am not sure I have understood all your explanations, but I have selected the active mode and it works.
    Thank you very much!

  3. sakib

    Thanks for your nice article. With your help, I could make it work. I was trying to establish active mode. Passive mode works fine with me, but there was some problem with the remote server. So, I needed to use active mode. Thanks again.
    Cheers 🙂

  4. jaap

    Hello, I have read your article and tried your fix. Unfortunately it didn’t work for me. I have the same errors with my client as in the article:

    (I have a Dutch client)
    Antwoord: 227 Entering Passive Mode (192,168,178,17,192,110)
    Status: Server genereerde een passief antwoord met een ontraceerbaar adres. Gebruikt het serveradres in de plaats.
    Commando: MLSD
    Antwoord: 425 Can’t open data connection.
    Fout: Ontvangen van mappenlijst is mislukt
    Antwoord: 421 Connection timed out.

    If someone knows any solution, please inform me.

    Already tried solutions;
    -reinstall filezilla server
    -the fixes from this article

    Router port used is: 21 and it is already forwarded in my router.
    My server worked for like 1 1/2 years and then the passive problem came (without any changes on my server)

    Sorry for my bad English; it’s my second language

  5. Chayan Biswas

    Status: Server sent passive reply with unroutable address. Passive mode failed.
    Status: Disconnected from server
    Command: PORT 10,128,91,121,228,131
    Response: 500 I won’t open a connection to 10.128.91.121 (only to 103.230.104.6)
    Error: Failed to retrieve directory listing
    Status: Disconnected from server

    This is shown after the passive mode to “fall back to the active mode”. Now what should I do to connect to the server?

  6. heniman

    After spending a day trying to make it work, this post perfectly worked. Awesome! Thank you very much! 🙂
