Failed to retrieve directory listing from encrypted FTP server

ClintonK used Ask the Experts™
I've changed the configuration of FTP on my Synology NAS from unencrypted to encrypted.
When I now attempt to connect using Filezilla the directory listing never appears:
Status:	Connecting to XXX.XXX.XXX.XXX:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Logged in
Status:	Retrieving directory listing of "/My_Remote_Directory"...
Command:	CWD /My_Remote_Directory
Response:	250 CWD command successful.
Command:	TYPE I
Response:	200 Type set to I.
Command:	PASV
Response:	227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,242)
Command:	MLSD
Error:	Connection timed out after 20 seconds of inactivity
Error:	Failed to retrieve directory listing

Open in new window

I've set Filezilla to use Passive transfer mode

My NAS settings are NAS Settings
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Software Engineer
Distinguished Expert 2018
FTP requires 2 connections: 1 command stream and 1 data stream.
To allow the datastream along a firewall the command stream needs to be unencrypted... ergo FTP across firewalls is a pain.
Either insecure because passwords are not encrypted or secure and impossible to get data accross.
So your best bet would be to use SCP/SFTP based on SSH tunnels.  or have Site-Site connection using IPSEC and have a flat network that is secure as well.

SSH tooling for windows can use WinSCP (and Putty for shell access). For Unix/Linux just ssh has all the components to be used.


The VPN option sounds like a runner.
Both locations have a fixed IP address  so I guess that helps. I have two Draytek routers; one in the Office and one at Home.
Do I just configure the Home router as a VPN Server and the Office as a VPN Client and then use unencrypted FTP at the Office  with the LAN address of the NAS server at Home?
All other traffic from the Office that doesn't use a Home LAN IP address will just go off out to the Internet as it does now?
nociSoftware Engineer
Distinguished Expert 2018

You choose one to be VPN server, the other VPN client.
Use AES & SHA 256 if possible. 3DES/MD5 is more or less obsolete now.
With draytec it is a fairly straight forward  fill out  forms exercise.
Yes only a route to the remote address range for the tunnel will be created.


Managed to configure Draytek VPN server on 2860.
Rather messed up configuring VPN Client on 2960 -  managed to knock out the local LAN. Currently arranging another out of hours session to have another attempt.
Will report back.


I've configured a site to site tunnel and reverted back to ordinary FTP.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial