FTP fails with timeout error when entering passive mode due to closed ports – cPanel

Symptoms

When attempting to connect to an FTP server, the client fails with a timeout error similar to the following:

227 Entering Passive Mode
Error: Connection Timeout

This error can occur when your firewall is not configured to accept traffic on the passive port range configured on your server.

You can confirm the functionality of your firewall using a utility called "Netcat" using the following test procedure:

Stop the FTP service in "WHM / Service Configuration / Service Manager."
Open "WHM / Server Configuration / Terminal."
Run "nc -l 49152" to start listening on port 49152.
On another machine with netcat installed, run "nc YOUR-SERVER-IP 49152"
Please note that YOUR-SERVER-IP should be replaced with your server's actual IP.
Type a message and press enter.
Check the original server.
Ctrl+C to stop the listening netcat instance on the server.
Start the FTP service via WHM.

Here is a demonstration:

GIF demonstrating netcat between two servers

In this output, as the communication was successful, there was not a firewall-related communication error.

You can verify or update the passive port range via the configuration files for your FTP daemon.

ProFTP
- The file is located at "/etc/proftpd.conf"
- The setting is called 'PassivePorts'
Pure-FTP
- The file is located at "/etc/pure-ftpd.conf"
- The setting is called "PassivePortRange"

You can check either daemon's currently configured port range on the command-line:

[root@server ~]cPs# grep 'PassivePorts' /etc/proftpd.conf
PassivePorts 49152 65534

[root@server ~]cPs# grep 'PassivePortRange' /etc/pure-ftpd.conf
PassivePortRange 49152 65534

You will need to ensure these ports are open in your firewall.

If you are using ConfigServer Firewall, please consult our guide for CSF.

More details on configuring FTP Passive Mode is available in our documentation.

If you continue to have issues even after adjusting these settings, please see our other passive FTP guidance.