Troubleshooting FTP

---

Most of the time, FTP connection issues are caused by firewalls or incorrect settings in FTP software. The below steps will help you resolve these issues.

We are often met with resistance by customers who don't want to perform these steps because a given connection may have worked in the past but isn't working now. In our experience, the change that caused the problem is usually on the customer side, and that's why we'd really like you to go through and verify all of the following things before asking us for further help.

If we end up doing a Zoom call together to troubleshoot, these steps are exactly what we will do together.

On probably 9 out of 10 support calls for FTP, the root cause is a customer or customer counterparty's corporate or network firewall. FTP is very commonly blocked by firewalls, and often firewall changes can introduce new blocks that didn't previously exist. Furthermore, FTP has two separate modes, Passive and Active mode, which can interact with firewalls in unpredictable ways.

The approach should be to find a set of settings that will work for a particular network/firewall. This may vary across your user base depending on what corporate or network firewalls they find themselves behind.

Have you manually whitelisted any IP addresses anywhere? If so, verify that all of the appropriate IPs are whitelisted, not just some of them.

If your site uses a custom domain, you have two dedicated IPs that need to be whitelisted in your firewall. You can find your dedicated IPs by going to Settings > Integrations and scroll to Firewall configuration. If you have a custom domain, you also need to ensure that you are connecting to it, and not to [your_subdomain].files.com.

If you do not have a custom domain, ensure that our main IPs on this list are whitelisted, not just some of them. There are quite a lot of IPs on that list (over 80 at last count) and you need to whitelist all IPs or else you will experience failures. If whitelisting that many IP addresses is a problem for you, the solution is to move to a custom domain. This will get you a pair of IP addresses you can whitelist.

See if you need to ask for an IP whitelist. If you have not whitelisted IP addresses, maybe your firewall administrator requires this for FTP traffic. Please submit a request to your network or firewall administrator to allow FTP port 21 and 40000-50000 traffic to all of the IPs on this list. If your firewall team does not allow whitelisting port 21 traffic, ask for port 3021 instead and see the next bullet point.

Try other ports. By default, FTP is used on port 21. Files.com also supports 990, 3021, and 3990 as alternate ports. Many firewalls will allow traffic on port 3021 despite blocking it on port 21. We recommend testing this next if you have exhausted other firewall issues. In many cases, simply using the alternate port will get your corporate firewall to let the connection through.

Try toggling Active/Passive mode. Many FTP clients offer a choice of Active Mode vs Passive Mode. Files.com supports both, but your corporate or network firewall might block one or the other. We recommend testing both options in conjunction with testing the alternate ports in the above step.

The following connection settings are the next most common issues related to FTP. Please double check all of the following things:

Hostname - The hostname should be set to [your_subdomain].files.com or the custom domain for your site, if applicable. Connecting by specifying an IP address may sometimes work, and we do have customers doing this for specific reasons, but it is not officially supported.

Encryption - If supported in your client, encryption should be enabled. Some clients show this as a protocol setting, offering FTPS or FTPeS (with the "S" meaning "secure"). This means data will be encrypted in transit. If you are unable to use encryption, in your FTP client, insecure FTP without encryption must be enabled in your Files.com account.

Port - The port setting is a great way to work around corporate firewalls. The default FTP port of 21 is blocked or interfered with by many corporate firewalls. You can test port 3021 as an alternate port if you suspect possible firewall issues. Some FTP clients use "implicit security mode", which runs on port 990. In this case, we also support port 3990 as an alternative. In many cases, simply using the alternate port will get your corporate firewall to let the connection through.

Active/Passive - Many FTP clients offer a choice of Active Mode versus Passive Mode. Files.com supports both, but your corporate firewall might block one or the other. We recommend testing both options in conjunction with testing the alternate ports in the above step.

Timeout - If supported in your client, increase the connection timeout value to 60 seconds.

Retry Logic - If supported in your client, have your client attempt three connection retries at 10 second intervals. This allows failed connections contacting one server to retry the connection via a different server. Our hostnames always resolve to multiple physical server hosts in different datacenter locations. Ensure that your FTP client tries multiple IPs when available.

Keepalives - Files.com will time out FTP sessions that have been idle for 60 seconds. This is to prevent unused sessions from being left open and using server resources. Such idle timeouts are normal, and most FTP clients handle them without issue, but there are some clients that may not handle these timeouts gracefully. To prevent these idle timeouts, many clients offer a "keepalive" setting. Many FTP clients will complete transfers in progress and then will connect again upon the user issuing another command. If your client aborts a transfer or errors out due to the idle timeout message, you can implement keepalives (either null packets or dummy commands) every 30 seconds to maintain the FTP connection and avoid the timeout messages.

If you have confirmed all of the above, here are some remaining things that have caused FTP issues for some of our customers.

Verify that the username is enabled, and that the username and password are correct. Type **"**Users" in the search box at the top of every page and then click the matching result. Edit the user and verify that the Account enabled setting is turned on. Click on the Authentication tab in that user's settings, verify that the Authentication method is not set to none.

The user might have FTP disabled in their settings. Type "Users" in the search box at the top of every page and then click the matching result. Edit the user, select the Privileges tab, scroll to Protocol access section and check that FTP is enabled for the user.

If the user has Two Factor Authentication (2FA) enabled, be aware that only certain 2FA methods work with FTP. The Two Factor Authentication documentation page has more information about this. When using 2FA with FTP, you need to disable any parallelism in your FTP client, because 2FA is only valid for one connection at a time. (In a later step we will suggest maxing out the available parallelism in your client for performance. 2FA is a case where this would not apply.)

If your site or user is subject to an IP whitelist then the user must access the site from one of the whitelisted IPs from either list. To manage IP whitelists for all users, type "IP Whitelist/Blacklist" in the search box at the top of every page and then click on the matching result. To add IPs for an individual user, Type "Users" in the search box at the top of every page and then click the matching result. Edit the user, select the Authentication tab and scroll to the IP whitelists section.