Skip to main content

FTP fails with timeout error when entering passive mode due to closed ports

Alex Jankowiak
  • Updated

When attempting to connect to an FTP server, the client fails with an error similar to the following:

 

227 Entering Passive Mode
Error: Connection Timeout

 

Description 

This error can occur when your firewall is not configured to accept traffic on the passive port range configured on your server.

 

By default, this range is 49152-65534.

 

You can confirm this issue via a utility called nmap. Here is the output of the response of the start, end, and a port in the middle of the range.

 

➜ ~ sudo nmap -Pn --reason -p 49152,55000,65534 xxx.xxx.xxx.xxx
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-18 22:16 CST
Nmap scan report for hostname.domain.tld (xxx.xxx.xxx.xxx)
Host is up, received user-set.

PORT STATE SERVICE REASON
49152/tcp filtered unknown no-response
55000/tcp filtered unknown no-response
65534/tcp filtered unknown no-response

Nmap done: 1 IP address (1 host up) scanned in 3.23 seconds

 

In this output, the firewall is "filtering" packets, rather than a "closed" response showing nothing is actively running on these ports.

 

You can verify or update the passive port range via the configuration files for your FTP daemon.

 

ProFTP

The configuration file is located at /etc/proftpd.conf

 

# grep 'PassivePorts' /etc/proftpd.conf
PassivePorts 49152 65534

 

Pure-FTP

The configuration file is located at /etc/pure-ftpd.conf

 

# grep 'PassivePortRange' /etc/pure-ftpd.conf
PassivePortRange 49152 65534

 

Workaround

You will need to ensure these ports are open in your firewall.

 

The resulting nmap will show "closed" rather than "filtered" as "closed" means the request is not being dropped by the firewall, and the server can later initiate a service on those ports.

 

# nmap --reason -p 49152,50000,65534 server-ip
...
PORT      STATE  SERVICE REASON
49152/tcp closed unknown reset
50000/tcp closed ibm-db2 reset
65534/tcp closed unknown reset

 

If you are using ConfigServer Firewall, please consult this third-party documentation.

 

You may also wish to reference this document discussing how to configure your firewall for cPanel services.

 

Resources

More details on configuring FTP Passive Mode can be found here.

 

If you continue to have issues even after adjusting these settings, please see our other troubleshooting steps.

Related articles