When working with FTP in passive mode, issues can disrupt data transfer. In this case, we analyzed why the FTP client (192.168.100.21) successfully connects to the DEVFTP server but fails with the PRODFTP server. Here’s a breakdown of the troubleshooting process, insights into how passive mode works, and steps to resolve the issue.
How FTP Passive Mode Works
- Control Connection:
  - The client initiates a connection to the server's control port (typically TCP port 21).
  - Commands like STOR, RETR, or LIST are sent over this control connection.
- Passive Command (PASV):
  - When the client sends the PASV command, the server responds with 227 Entering Passive Mode, providing an IP address and port for the client to use for the data connection. You can see this in a packet capture with the display filter ftp.response.code == 227.
  - Example response: 227 Entering Passive Mode (172,16,40,222,90,160)
  - From the response you get back from the server, you can see which IP address and port will be used. The first four numbers are the IP address (172.16.40.222); the port is calculated from the last two as (90 * 256) + 160 = 23200.
- Data Connection:
  - The client establishes a second connection to the server at the IP and port specified in the 227 response.
  - This connection is used to transfer data.
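As an added example (not code from the original post), here is a small Python parser for the 227 reply that performs the same (p1 * 256) + p2 calculation shown above and then applies two sanity checks an analyst would make while looking at the capture: does the advertised IP match the server the control connection actually went to, and does the port fall inside the passive range the firewall is expected to allow. The control_peer argument and the allowed_range default are assumptions; the DEVFTP reply bytes are constructed so that they yield the page's port 23256.

```python
import re

# A 227 reply carries six decimal byte values: four for the IP, two for the port.
# Page example (PRODFTP): "227 Entering Passive Mode (172,16,40,222,90,160)"
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) advertised in a 227 reply.

    The port is (p1 * 256) + p2, exactly the hand calculation from the post.
    Raises ValueError for anything that is not a well-formed 227 reply.
    """
    m = PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte value out of range in {reply!r}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_pasv(reply: str, control_peer: str, allowed_range=(1024, 65535)) -> dict:
    """Sanity-check one 227 reply seen on the control channel.

    control_peer is the server IP the control connection was made to (an
    assumption supplied by the caller). An advertised IP that differs from it
    is the classic NAT symptom; a port outside allowed_range will be dropped by
    a firewall that only opens the configured passive range.
    """
    ip, port = parse_pasv(reply)
    lo, hi = allowed_range
    findings = []
    if ip != control_peer:
        findings.append(f"advertised IP {ip} differs from control peer {control_peer}")
    if not lo <= port <= hi:
        findings.append(f"port {port} outside allowed passive range {lo}-{hi}")
    return {
        "ip": ip,
        "port": port,
        # Same display-filter syntax used in the post, ready to paste.
        "display_filter": f"ip.addr == {ip} && tcp.port == {port}",
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample replies: PRODFTP from the page, DEVFTP bytes chosen to give port 23256.
    samples = [
        ("PRODFTP", "227 Entering Passive Mode (172,16,40,222,90,160)", "172.16.40.222"),
        ("DEVFTP", "227 Entering Passive Mode (10,100,20,222,90,216).", "10.100.20.222"),
    ]
    for name, reply, peer in samples:
        print(name, check_pasv(reply, peer, allowed_range=(20000, 30000)))
```

Run it against the two constructed replies and each prints its parsed endpoint, the filter to use in the capture, and any findings; with the narrower allowed range both ports fall inside, so the only finding you would see is an IP mismatch if the control peer differs from what the server advertises.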
Symptoms of the Issue
- PRODFTP Does Not Work:
  - The server responds with 227 Entering Passive Mode, providing an IP and port.
  - Filtering for traffic on the specified port (e.g., 23200) reveals no data flow.
  - The client sends a FIN, ACK, closing the connection prematurely.
- DEVFTP Works:
  - The server responds with 227 Entering Passive Mode, providing an IP and port.
  - Filtering for traffic on the specified port (e.g., 23256) shows successful data flow.
  - The client and server complete the data transfer without issues.
Key Observations
- The PRODFTP server provides the IP 172.16.40.222 and port 23200 in its 227 response.
  - Filtering on tcp.port == 23200 shows no data, indicating the client could not establish the data connection.
- The DEVFTP server provides the IP 10.100.20.222 and port 23256 in its 227 response.
  - Filtering on tcp.port == 23256 shows successful data flow, confirming that the client established the data connection.
- The client sends a FIN, ACK to PRODFTP, prematurely terminating the session.
Possible Causes
- Firewall or Network Blocking:
  - Traffic to the 172.16.x.x subnet or the ephemeral port range used by PRODFTP may be blocked by a firewall.
- Incorrect NAT or Routing Configuration:
  - The IP address provided in the 227 response (172.16.40.222) may not be routable from the client's network.
  - If the FTP server is behind a NAT, it might be providing an internal IP address instead of an external one.
- Ephemeral Port Range Issue:
  - The ephemeral port range used by PRODFTP might be blocked by the client's firewall or intermediate network devices.
Steps to Troubleshoot and Resolve
- Verify IP Address Reachability:
  - From the client machine, test connectivity to the IP address and port provided in the 227 response:
    - ping 172.16.40.222
    - telnet 172.16.40.222 23200
  - If the IP is unreachable or the port is blocked, investigate routing or firewall rules.
- Check Firewall Rules:
  - Ensure that traffic to the 172.16.x.x subnet and the ephemeral port range used by PRODFTP is allowed.
- Inspect Server Configuration:
  - Confirm that PRODFTP provides a routable IP address in its 227 response.
  - If the server is behind NAT, configure it to provide the external IP address.
- Capture Logs:
  - Check the FTP server logs for errors related to passive mode or data connections.
  - Enable verbose FTP logging on the client to identify additional errors.
- Test with Another Client:
  - Use another client machine on the same network to rule out client-specific issues.
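The reachability test above (the telnet step) can be scripted so it is run from the same client that is failing, using the same control session the server will actually hand a PASV endpoint to. The following is an added example, not a tool from the original post: it logs in with Python's standard ftplib, sends PASV, parses the 227 reply with the library's own parse227 helper, compares the advertised IP to the control connection's peer, and then attempts a plain TCP connect to the data endpoint with a timeout. The host argument, the anonymous credentials and the timeouts are assumptions; a "timeout" result is what you would expect for the PRODFTP case, where a firewall silently drops the data connection or the advertised IP is not routable.

```python
import ftplib
import socket


def probe_tcp(ip: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a plain TCP connect to an advertised data endpoint.

    Returns 'open', 'refused', 'timeout' (typical of a firewall drop or a
    non-routable address) or 'unreachable' (route or ICMP error).
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except TimeoutError:
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose_pasv(host: str, port: int = 21, user: str = "anonymous",
                  passwd: str = "probe@example.invalid", timeout: float = 5.0) -> dict:
    """Log in, request PASV and test whether the advertised endpoint is reachable
    from this client. Credentials here are placeholders (assumption)."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login(user, passwd)
        control_peer = ftp.sock.getpeername()[0]
        reply = ftp.sendcmd("PASV")  # "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
        data_ip, data_port = ftplib.parse227(reply)  # stdlib parser, raises on non-227
        return {
            "control_peer": control_peer,
            "pasv_reply": reply,
            "data_ip": data_ip,
            "data_port": data_port,
            # False here is the NAT symptom: server advertises an internal address.
            "ip_matches_control_peer": data_ip == control_peer,
            "data_port_state": probe_tcp(data_ip, data_port, timeout),
        }
    finally:
        ftp.close()


def loopback_listener() -> tuple[socket.socket, int]:
    """Bind a listening socket on 127.0.0.1 so probe_tcp can be exercised offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def free_loopback_port() -> int:
    """Return a 127.0.0.1 port nothing is currently listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import json
    import sys

    # Usage: python pasv_probe.py <ftp-host>   (host is supplied by the operator)
    print(json.dumps(diagnose_pasv(sys.argv[1]), indent=2))
```

Run it once against DEVFTP and once against PRODFTP from the affected client; a result with ip_matches_control_peer false or data_port_state other than "open" points directly at the NAT or firewall checks in the steps above, without having to wait for a full transfer to fail.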
Root Cause and Fix
- Root Cause: The PRODFTP server provides an IP (172.16.40.222) or port (23200) that is unreachable from the client due to firewall or NAT issues.
- Fix:
  - Update the PRODFTP server to provide a reachable IP address in its 227 response.
  - Ensure that the ephemeral port range used by the server is open on all firewalls.
  - Confirm proper NAT configuration if the server is behind a NAT.
Conclusion
When troubleshooting FTP passive mode issues, it’s critical to verify both the IP address and port provided in the 227 Entering Passive Mode response. Ensure the IP is reachable and the port range is open for data connections.
If you’re encountering similar issues, start by analyzing packet captures, checking firewalls, and validating server settings. These steps will help identify and resolve most FTP passive mode problems efficiently.
Quick note on ephemeral ports:
For passive FTP (PASV), the server typically uses ephemeral ports in the range 1024-65535 for the data connection. However, many FTP servers restrict this range for security, commonly using:
- Default range: 49152-65534
- Commonly restricted ranges:
  - 1024-65535 (full ephemeral range)
  - 10000-50000 (restricted subset)
  - 20000-30000 (more restricted)
The exact range depends on:
- Server configuration
- Security policies
- Operating system defaults
For optimal security and firewall configuration, it's recommended to restrict the passive port range and explicitly allow those ports through firewalls.