When attempting to connect to an FTP server, the client fails with an error similar to the following:
227 Entering Passive Mode
Error: Connection Timeout
This error occurs when your firewall is not configured to accept traffic on the passive port range configured on your server.
You can confirm this via a utility called nmap.
# nmap -Pn -sT -sU -p 49152,55000,65534 server-ip
PORT STATE SERVICE
49152/tcp filtered unknown
55000/tcp filtered unknown
65534/tcp filtered unknown
49152/udp open|filtered unknown
55000/udp open|filtered unknown
65534/udp open|filtered unknown
By default, this range is 49152-65534.
More details on configuring passive ports can be found here.
You will need to ensure these ports are open in your firewall.
If you are using ConfigServer Firewall, please consult this third-party documentation.