FTP Connectivity Issues
Almost all FTP connectivity issues are caused by firewalls. The FTP protocol uses more than one network connection, on more than one port, to transfer data between a client and a server. If any of these ports are blocked then data transfer cannot occur. The classic symptom is a client that can connect to the FTP server, log in and change directories, but whose directory listings hang and whose uploads and downloads fail.
The FTP protocol uses multiple network ports. One port is always used as the Command channel and one or more further ports are used as Data channels. The Command channel carries the login, the commands that control the session (such as changing directories), and the commands that request a transfer. The Data channels carry the bulk data: file contents, both for upload and download, and also directory listings (the LIST, NLST and MLSD commands return their results over a Data channel, not the Command channel).
The Command channel uses a well known port, such as 21 or 990, and firewall administrators will understand how to open these ports on a firewall. The Command channel is always established from the client to the server.
The Data channels use a different, dynamically chosen port for each transfer, and may be established either outbound (from client to server) or inbound (from server to client) depending on the FTP mode being used.
The majority of issues are caused by the firewall not being configured to allow the Data channels to pass through. Firewalls that claim to "understand" FTP do so by reading the PORT and PASV commands on the Command channel and opening the Data port on the fly (an FTP ALG); this only works while the Command channel is plaintext. With FTPS or FTPeS the Command channel is encrypted, the firewall cannot see which Data port will be used, and the Data port range must be opened explicitly.
In order to troubleshoot FTP connectivity issues we need to first understand how the Active and Passive FTP modes work.
Understanding Active Mode FTP
The original default mode of FTP is named Active mode. It was designed before firewalls and NAT were common and is now an older, legacy mode. It should only be used on a Local Area Network (LAN) and never when a firewall or NAT device sits between the client and the server.
In Active mode, the client will first connect to the server using the Command channel. The port being used will depend on the type of FTP being used:
- FTPS (implicit FTP over TLS) uses port 990 (default) or 3990 (alternative Files.com port)
- FTPeS (explicit FTP over TLS) uses port 21 (default) or 3021 (alternative Files.com port)
- Plain, insecure FTP uses port 21 (disabled by default, but can be enabled if your business needs require it) or 3021 (disabled by default, alternative Files.com port)
The Command channel is always established from the client to the Files.com FTP server using one of the above ports.
Once the connection is authenticated and authorized, the FTP server will connect back to the client for each Data channel. Before each transfer the client sends a PORT (or EPRT) command on the Command channel giving its own IP address and a port on which it is listening; the server then opens a connection to that address and port (traditionally from a source port one below the Command port, i.e. port 20 when the Command channel is on port 21). A new client port is chosen for each transfer, so the client-side firewall must accept inbound connections on a whole range of ports, and any NAT device in front of the client must forward them.
The Active Data channels are always established from the Files.com FTP server to the client using a port that was chosen by the client.
When uploading or downloading, the command to initiate the transfer is sent via the Command channel but the actual file data is sent via the Data channels.
Understanding Passive Mode FTP
Passive (PASV) mode was designed for FTP clients that reside on a network that cannot receive inbound connections, such as behind a firewall or on a NAT subnet. Due to the wide proliferation of firewalls and NATs, Passive mode has become the de facto, and recommended, connection mode for FTP. In Passive mode, the Command channel is used in the same way as Active mode but the Data channels are established in the reverse direction compared to Active mode.
In Passive mode, the client will first connect to the server using the Command channel. The port being used will depend on the type of FTP being used:
- FTPS (implicit FTP over TLS) uses port 990 (default) or 3990 (alternative Files.com port)
- FTPeS (explicit FTP over TLS) uses port 21 (default) or 3021 (alternative Files.com port)
- Plain, insecure FTP uses port 21 (disabled by default, but can be enabled if your business needs require it) or 3021 (disabled by default, alternative Files.com port)
The Command channel is always established from the client to the Files.com FTP server using one of the above ports.
Once the connection is authenticated and authorized, the client sends a PASV (or EPSV) command before each transfer, and the server replies with the IP address and port on which it is listening for that Data channel. The client then connects to that port. The server chooses the port from its configured passive range, so the client-side firewall only has to allow outbound connections to that range. For Files.com, all versions of FTP use the following range for Passive Data channels:
- Passive (PASV) mode uses port range 40000 to 50000
The Passive Data channels are always established from the client to the Files.com FTP server using a port in the range above, chosen by the server.
When uploading or downloading, the command to initiate the transfer is sent via the Command channel but the actual file data is sent via the Data channels.
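The two exchanges described above, in code, as an added example that is not part of the Files.com article or its software: the client builds the PORT command it sends in Active mode, decodes the 227 (PASV) and 229 (EPSV) replies it receives in Passive mode, and derives from each the direction of the Data channel and the firewall rule the client side needs. The addresses and ports are constructed sample values from the RFC 5737 documentation ranges; the 40000 to 50000 range is the Files.com passive range stated in the article.

```python
"""Encode and decode the FTP messages that set up a Data channel.

Added example, not code from Files.com. Hosts and ports below are constructed
sample values (RFC 5737 documentation addresses); the passive port range is
the 40000-50000 range the article gives for Files.com.
"""
from __future__ import annotations

import re

FILES_COM_PASV_RANGE = (40000, 50000)

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the PORT command (RFC 959) the client sends on the Command
    channel to tell the server where to connect back. Address and port are
    encoded as six decimal bytes; the port is split into its high and low byte."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    if not 0 < client_port < 65536:
        raise ValueError(f"port out of range: {client_port}")
    return f"PORT {','.join(octets)},{client_port >> 8},{client_port & 0xFF}"


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive mode: decode the server's 227 reply, e.g.
    '227 Entering Passive Mode (203,0,113,5,175,200).' -> ('203.0.113.5', 45000)."""
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    return ".".join(map(str, n[:4])), (n[4] << 8) | n[5]


def parse_epsv_reply(reply: str) -> int:
    """Extended passive mode (RFC 2428): '229 Entering Extended Passive Mode (|||45001|)'
    carries only the port; the client connects to the same host as the Command channel."""
    if not reply.startswith("229"):
        raise ValueError(f"expected a 229 reply, got {reply!r}")
    m = _EPSV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed EPSV reply: {reply!r}")
    return int(m.group(1))


def in_passive_range(port: int, port_range: tuple[int, int] = FILES_COM_PASV_RANGE) -> bool:
    """True when the port the server offered is inside the range the firewall should allow."""
    lo, hi = port_range
    return lo <= port <= hi


def data_channel_plan(mode: str, **kw) -> dict:
    """Work out who connects to whom for the next transfer, and therefore which
    firewall rule the client side needs.

    Active:  data_channel_plan("active", client_ip=..., client_port=...)
    Passive: data_channel_plan("passive", pasv_reply=<the 227 line>)
    """
    if mode == "active":
        ip, port = kw["client_ip"], kw["client_port"]
        return {
            "command": build_port_command(ip, port),
            "direction": "server -> client",
            "endpoint": (ip, port),
            "client_firewall_rule": f"allow INBOUND TCP to {ip}:{port} from the FTP server",
        }
    if mode == "passive":
        host, port = parse_pasv_reply(kw["pasv_reply"])
        return {
            "command": "PASV",
            "direction": "client -> server",
            "endpoint": (host, port),
            "client_firewall_rule": f"allow OUTBOUND TCP to {host}:{port}",
            "in_files_com_range": in_passive_range(port),
        }
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    # Constructed exchange: a client behind NAT at 192.0.2.10, a server at 203.0.113.5.
    print(data_channel_plan("active", client_ip="192.0.2.10", client_port=49152))
    print(data_channel_plan("passive", pasv_reply="227 Entering Passive Mode (203,0,113,5,175,200)."))
```

The Active plan shows why that mode fails behind NAT: the PORT command carries the client's private address, which the server cannot reach, and the rule it needs is an inbound one. The Passive plan produces an outbound rule to a server port, and `in_files_com_range` is the check to run when a transfer hangs: a port outside 40000 to 50000 means something in the path rewrote the reply.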
Common Troubleshooting Tips
Do not use Active mode unless there is no firewall between the FTP client and Files.com.
Always use Passive mode for FTP and FTPS connections to Files.com.
If you can connect, log in and change directories, but directory listings hang and you cannot upload or download files, then the FTP Data channel is being blocked. Make sure that outbound connections to the Files.com Passive (PASV) port range, 40000 to 50000, are allowed through your firewall.
When a file is uploaded, the client sends the STOR command via the Command channel; the server creates the destination file as soon as it receives STOR and then waits for the contents to arrive via the Data channel (downloads work the same way with RETR, with the client creating the local file). If you see zero-byte files being created whenever you try to upload or download a file, this indicates that your firewall is blocking the Data channel: the command got through but the data never did. Make sure that connections to the Files.com Passive (PASV) port range are allowed through your firewall.
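A diagnostic that separates the two channels, as an added example rather than a Files.com tool: it logs in over explicit FTPS with the standard library, proves the Command channel with PWD (which needs no Data channel), then asks for a passive port and tries a bare TCP connection to it, reporting whether that connection succeeded, timed out (the firewall-drop case), was refused, or landed outside 40000 to 50000. The connect function is injectable so `simulate()` can exercise every outcome offline against constructed stand-ins; the host, user and password in the `__main__` block are placeholders.

```python
"""Separate a Command-channel problem from a Data-channel problem.

Added example, not code from Files.com. check_files_com() uses the standard
library ftplib against a real host; simulate() runs the same diagnosis against
constructed stand-ins so the logic can be exercised without a network.
"""
import socket
from ftplib import FTP_TLS

FILES_COM_PASV_RANGE = (40000, 50000)


def diagnose_passive_data_channel(ftp, connect=socket.create_connection, timeout=5.0) -> dict:
    """Ask the server for a passive port (PASV) on the already-open Command
    channel, then try to open a plain TCP connection to it.

    `ftp` needs a makepasv() method returning (host, port), as ftplib.FTP does.
    `connect` is injectable so the logic can be tested without a network.
    """
    host, port = ftp.makepasv()
    verdict = {"host": host, "port": port}
    lo, hi = FILES_COM_PASV_RANGE
    if not lo <= port <= hi:
        verdict["status"] = "out_of_range"
        verdict["hint"] = (f"server offered port {port}, outside {lo}-{hi}; "
                           "a NAT or FTP ALG in the path may be rewriting the PASV reply")
        return verdict
    try:
        connect((host, port), timeout=timeout).close()
    except (TimeoutError, socket.timeout):
        verdict["status"] = "blocked"
        verdict["hint"] = (f"connect to {host}:{port} timed out: a firewall is dropping the "
                           f"Data channel; allow outbound TCP {lo}-{hi} to Files.com")
    except ConnectionRefusedError:
        verdict["status"] = "refused"
        verdict["hint"] = (f"{host}:{port} actively refused the connection: the packet reached "
                           "something other than the FTP server (wrong DNS answer, or a device "
                           "in the path resetting the connection)")
    else:
        verdict["status"] = "ok"
    return verdict


def check_files_com(host: str, user: str, password: str, timeout: float = 10.0) -> dict:
    """Explicit FTPS (FTPeS) on port 21: the Command channel is upgraded to TLS
    with AUTH TLS, then PROT P protects the Data channels too."""
    ftp = FTP_TLS(timeout=timeout)
    ftp.connect(host, 21)
    ftp.login(user, password)   # FTP_TLS.login() issues AUTH TLS before USER/PASS
    ftp.prot_p()
    ftp.set_pasv(True)
    try:
        # PWD needs only the Command channel: if it works but listings and
        # transfers hang, the problem is the Data channel.
        command_channel_cwd = ftp.pwd()
        verdict = diagnose_passive_data_channel(ftp, timeout=timeout)
    finally:
        ftp.close()
    verdict["command_channel_cwd"] = command_channel_cwd
    return verdict


class _FakeFTP:
    """Constructed stand-in for ftplib.FTP that answers PASV with a fixed address."""
    def __init__(self, host, port):
        self._addr = (host, port)

    def makepasv(self):
        return self._addr


class _FakeSock:
    def close(self):
        pass


def _connect_ok(addr, timeout):
    return _FakeSock()


def _connect_timeout(addr, timeout):
    raise TimeoutError(f"simulated timeout to {addr}")


def _connect_refused(addr, timeout):
    raise ConnectionRefusedError(f"simulated refusal from {addr}")


def simulate() -> dict:
    """Run the diagnosis against constructed fakes (203.0.113.5 is a documentation address)."""
    server = _FakeFTP("203.0.113.5", 45000)
    return {
        "ok": diagnose_passive_data_channel(server, connect=_connect_ok),
        "blocked": diagnose_passive_data_channel(server, connect=_connect_timeout),
        "refused": diagnose_passive_data_channel(server, connect=_connect_refused),
        "rewritten": diagnose_passive_data_channel(_FakeFTP("203.0.113.5", 1030), connect=_connect_ok),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
    # print(check_files_com("YOURSITE.files.com", "user", "password"))  # placeholders
```

Two details matter when reading the result. Recent Python versions ignore the IP address inside the 227 reply and reuse the Command channel's peer address (the `trust_server_pasv_ipv4_address` attribute of `ftplib.FTP` defaults to False), which is the behaviour you want behind NAT; and a "blocked" verdict with a working PWD is exactly the symptom the tips above describe, so the fix is the firewall rule for 40000 to 50000, not the credentials or the client.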
Files.com uses valid, publicly trusted TLS certificates with the full chain for FTPS connections. You do not need to configure your FTP client to allow insecure or self-signed certificates in order to connect to Files.com, and you should not: doing so removes the protection against a man-in-the-middle. If your client is presented with an invalid, self-signed, or expired certificate when connecting to Files.com, verify your DNS settings to make sure that you are connecting to the correct IP addresses for Files.com, and check that no proxy or firewall in the path is intercepting TLS and substituting its own certificate.
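A way to see for yourself what certificate and what addresses your client is getting, as an added example that is not a Files.com tool: implicit FTPS on port 990 starts TLS before any FTP command, so a plain TLS client with the default (verifying) context can fetch and check the certificate, and `getaddrinfo` shows which IPs your resolver handed out. `HOST` is a placeholder for your own Files.com hostname, and `SAMPLE_CERT` is a constructed dictionary in the shape `ssl.SSLSocket.getpeercert()` returns, used only to exercise the summary function offline.

```python
"""Inspect the certificate a Files.com FTPS endpoint presents and the addresses
your resolver returns for it.

Added example, not code from Files.com. HOST is a placeholder; SAMPLE_CERT is
constructed in the shape of ssl.SSLSocket.getpeercert() output.
"""
import socket
import ssl
import time

HOST = "example.files.com"   # placeholder: replace with your Files.com hostname
IMPLICIT_FTPS_PORT = 990


def summarize_cert(cert: dict, now: float) -> dict:
    """Reduce a getpeercert() dictionary to the fields worth checking.
    `now` is seconds since the epoch (time.time()), passed in so the result is reproducible."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    dns_names = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": subject.get("commonName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "dns_names": dns_names,
        "days_left": int((not_after - now) // 86400),
        "expired": now >= not_after,
        "self_signed": bool(subject) and subject == issuer,
    }


def check_ftps_certificate(host: str = HOST, port: int = IMPLICIT_FTPS_PORT,
                           timeout: float = 10.0) -> dict:
    """Open a verified TLS session to the implicit-FTPS port and summarize the
    server certificate. ssl.create_default_context() verifies the chain against
    the system trust store and checks the hostname, as a correctly configured
    FTP client should; a verification error is reported rather than raised."""
    resolved = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                summary = summarize_cert(tls.getpeercert(), time.time())
                summary["tls_version"] = tls.version()
    except ssl.SSLCertVerificationError as exc:
        # The certificate is not one that chains to a trusted CA for this name:
        # check that `resolved` really is Files.com (DNS) and look for a
        # TLS-intercepting proxy or firewall in the path.
        summary = {"verify_error": exc.verify_message}
    summary["resolved_ips"] = resolved
    return summary


SAMPLE_CERT = {  # constructed; shaped like ssl.SSLSocket.getpeercert()
    "subject": ((("commonName", "example.files.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "example.files.com"), ("DNS", "*.example.files.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, time.time()))
    print(check_ftps_certificate())   # needs network access to the real host
```

If `check_ftps_certificate()` returns a `verify_error`, or a summary whose `issuer` is your own corporate CA or whose `self_signed` flag is True, the fix is on your side of the connection (DNS, proxy, or an inspecting firewall); it is not a reason to disable certificate checking in the FTP client.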