FTP over explicit TLS/SSL, failed directory listing

Posted on 2010-01-02
Last Modified: 2013-12-02

I'm trying to use FTP with explicit mode to my NAS (qnap ts509). From within my LAN I'm able to connect and everything is working. When I connect from outside the LAN the connection times out because it can't receive the directory listing (see log from filezilla). On my router I've forwarded port 21 and 20, and the default port range (55536 - 56559). Am I forgetting a port or something?
Normal unencrypted FTP works fine from outside the LAN...

Status:	Connection established, waiting for welcome message...
Response:	220 NASFTPD Turbo station 2.x 1.3.1rc2 Server (ProFTPD) []
Command:	AUTH TLS
Response:	234 AUTH TLS successful
Status:	Initializing TLS...
Status:	Verifying certificate...
Command:	USER bla
Status:	TLS/SSL connection established.
Response:	331 Password required for bla
Command:	PASS ********
Response:	230 User bla logged in
Command:	OPTS UTF8 ON
Response:	200 UTF8 set to on
Command:	PBSZ 0
Response:	200 PBSZ 0 successful
Command:	PROT P
Response:	200 Protection set to Private
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is the current directory
Command:	TYPE I
Response:	200 Type set to I
Command:	PASV
Response:	227 Entering Passive Mode (192,168,1,100,219,128).
Status:	Server sent passive reply with unroutable address. Using server address instead.
Command:	LIST
Error:	Connection timed out
Error:	Failed to retrieve directory listing


Question by: Dennie
    LVL 57

    Expert Comment

    You're using passive ftp (this is what the PASV command means), and when using passive ftp port 20 is not used.

    When using passive ftp the server tells the client what port it (the server) will be listening on in the response to the PASV command.  By default most ftp servers will use ALL high ports, that is 1024-65535.

    If you control the ftp server, I would suggest that you limit what port range it uses; a lot of sites start at port 10000 and then go to "X" where "X" is the number of concurrent sessions you expect.

    If you don't control the server, then you may want to contact whomever does and ask them a) if they support passive ftp and b) if they restrict it to a specific range of ports.

    Then on your firewall you need to make sure that you allow outbound connections with that port range as the destination.

    If they don't support passive ftp, then you need to issue whatever command your ftp client has that turns passive ftp off.

    Author Comment

    I've configured my ftp server to use these passive ports: 55536 - 56559. In my router I've forwarded these ports to my server (just as I've done with port 21). So this doesn't seem to be the problem...
    LVL 33

    Assisted Solution

    by:Dave Howe

    You missed a minor detail of FTPS as opposed to FTP. Normally when you use passive mode, your router rewrites your control channel to give the external (NATted) IP instead of your internal (LAN) IP.

    Because FTPS is encrypted, the router cannot do that, so your FTP server needs to do it itself. In the Filezilla server (for example) the passive mode settings page allows you to specify an external IP and/or use an external lookup service.

    If you tell me which ftp server you are using, I may be able to help more.

    Author Comment

    My NAS uses ProFTPD server. I've tried to use the option clear command channel and clear data channel and EPSV in my FTP client, but this isn't helping

    Author Comment

    My NAS has an FTP option "Respond with external IP address for passive FTP connection request". When I set my external IP here it still isn't working.
    LVL 57

    Expert Comment

    Oops, I missed the FTPS part too.

    O.K., using CCC and EPSV should help, but that is only if the FTP server supports both CCC (and is configured to allow CCC) and EPSV.

    You need to figure out which side is blocking the request and hard code rules in that firewall to allow tcp traffic with source port >1023 and destination ports in the range of 55536 - 56559.

    If possible you may want to test using non-TLS/SSL; once you get that working, then move on to TLS/SSL.

    Author Comment

    As mentioned everything works correctly without TLS/SSL...
    LVL 57

    Accepted Solution

    Sorry, I missed the part about non-TLS/SSL working.

    O.K., that means that one of the firewalls is not properly configured to allow tcp traffic with source port >1023 and destination ports in the range of 55536 - 56559.

    I also now remember that your ftp server is a NAS device, which most likely means you can't run Wireshark on it.  Can you check and see if it (the NAS device) has shell access?  If so, assuming it is Linux based, you may want to see if you can run tcpdump.  You can do a packet capture with tcpdump and then transfer the file to another computer and use wireshark to look at the trace.

    However, thinking about it a little more, if you have shell access to the NAS you might be able to just issue netstat commands to see if you can see an inbound connection attempt to any of the ports in the 55536 - 56559 range.
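    Added example (not code from this thread or from the NAS vendor) for the check this accepted solution describes: a tcpdump capture taken on the NAS, inspected for inbound connection attempts to the 55536 - 56559 range. The script parses the text form of `tcpdump -n tcp` output, counts SYNs arriving at passive ports and checks whether each one was answered with a SYN-ACK, which separates the two cases the thread is trying to tell apart: no SYN at all means the router (or something upstream) is not forwarding the range; a SYN with no SYN-ACK means the packet reached the NAS and the drop is on the NAS side. The capture lines are constructed, not taken from the asker's NAS, and 203.0.113.10 is a documentation address standing in for the remote client.

```python
import re
from collections import Counter

# Passive port range forwarded on the asker's router.
PASV_PORT_RANGE = (55536, 56559)

# Constructed sample of `tcpdump -n tcp` text output as seen on the NAS:
# a control-channel handshake on port 21, two SYNs to a passive port that
# never get a SYN-ACK, and one SYN to a port outside the range.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 192.168.1.100.21: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.1.100.21 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 203.0.113.10.51235 > 192.168.1.100.56192: Flags [S], seq 3, win 64240, length 0
12:00:03.000001 IP 203.0.113.10.51235 > 192.168.1.100.56192: Flags [S], seq 3, win 64240, length 0
12:00:04.000001 IP 203.0.113.10.51236 > 192.168.1.100.1025: Flags [S], seq 4, win 64240, length 0
"""

# One tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
_LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for every line that parses as TCP."""
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            yield (m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport")), m.group("flags"))


def data_channel_handshakes(text, port_range=PASV_PORT_RANGE):
    """Count SYNs into the passive range and record which flows got a SYN-ACK."""
    lo, hi = port_range
    syns = Counter()   # (client_ip, client_port, data_port) -> SYNs seen
    answered = set()   # same key, for flows the server answered with SYN-ACK
    for src, sport, dst, dport, flags in parse_capture(text):
        if flags == "S" and lo <= dport <= hi:
            syns[(src, sport, dport)] += 1
        elif flags == "S." and lo <= sport <= hi:
            # SYN-ACK travels server -> client, so swap the roles to build the key.
            answered.add((dst, dport, sport))
    return syns, answered


def diagnose(text, port_range=PASV_PORT_RANGE):
    """Classify the capture into the three outcomes that matter for this problem."""
    syns, answered = data_channel_handshakes(text, port_range)
    if not syns:
        return "no-syn-arrived"    # nothing reached the NAS: router / upstream side
    if any(key not in answered for key in syns):
        return "syn-unanswered"    # reached the NAS, never answered: host firewall or no listener
    return "handshake-ok"          # data channel opens; look elsewhere (e.g. TLS errors)


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
```

On a Linux-based NAS the input would come from something like `tcpdump -n -i eth0 tcp` (assumed interface name) piped to a file; the same three outcomes are what one reads off a netstat listing, where a SYN_RECV entry on a passive port without an ESTABLISHED one is the "syn-unanswered" case.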
    LVL 2

    Assisted Solution

    Do you see any TLS connection attempts in the ProFTP server logs? If so it might help to provide those as well. It may be a firewall issue, but it would be helpful to see this as well.

    I would also suggest restarting the ProFTPd service from the command line, and check the console or the logs for any errors in the config files that the service reports. I'm primarily thinking that it would be good to verify that ProFTPd isn't having any problems with the TLS/SSL configuration settings.

    Author Comment

    I think my router is too limited to support FTP with TLS/SSL.
