SOLVED FTP Connects but Timeout with Error Failed to retrieve directory listing

[Success1]

We are in the process of setting up a new server and anytime we try to connect via FTP we get a message stating a successful login, but the connection can not get a directory listing.

We have tried using the default cPanel user and tried setting up another test FTP account but all ends in the below Error Messsage.

Status:    Disconnected from server
Status:    Resolving address of *****
Status:    Connecting to **.**.**.**:21...
Status:    Connection established, waiting for welcome message...
Status:    Logged in
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PASV
Response:    227 Entering Passive Mode (**,**,**,**,176,105)
Command:    MLSD
Error:    The data connection could not be established: ETIMEDOUT - Connection attempt timed out
Error:    Connection timed out after 40 seconds of inactivity
Error:    Failed to retrieve directory listing
Status:    Disconnected from server
Status:    Resolving address of *****
Status:    Connecting to **.**.**.**:21...
Status:    Connection established, waiting for welcome message...
Status:    Logged in
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PASV
Response:    227 Entering Passive Mode (**,**,**,**,118,88)
Command:    MLSD
Error:    The data connection could not be established: ETIMEDOUT - Connection attempt timed out
Error:    Connection timed out after 40 seconds of inactivity
Error:    Failed to retrieve directory listing

 

[mtindor]

You should follow the directions on cPanel's site for enabling Passive Mode FTP support on the server.

How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation

[removed outdated instructions]

Mike

 

[cPanelMichael]

Hello,

Yes, as mentioned in the previous post, you should be able to follow the instructions on the following document to address the problem:

How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation

Starting with version 60, the cPanel installation process will automatically enable passive mode and ensure the required ports are open as part of the standard firewall configuration.

Thank you.

 

[Ally]

Hello,

Yes, as mentioned in the previous post, you should be able to follow the instructions on the following document to address the problem:

How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation

Starting with version 60, the cPanel installation process will automatically enable passive mode and ensure the required ports are open as part of the standard firewall configuration.

Thank you.

I am having these exact same problems. I have tried various things such as work with the firewall, and attempt to change to passive mode. When I am in the Cpanel, looking at etc. file I do not see the files I am supposed to be working with and editing (I read the above suggested documentation). After doing a wizard configuration in my FTP it says I MUST set FTP to passive mode, still having troubles as to how I do that.

Thoughts?

 

[cPanelMichael]

Hello @Ally,

Do you have root access to the system? If so, you need to access the server via the command line as the "root" user in order to make the documented changes to the Pure-FTPd configuration file.

Thank you.

 

[Mario Rocha]

ports are opened in the firewall. Everything was working fine until the last update for cPanel.

 

[Dave Smith]

Run in terminal as Root:

/sbin/modprobe ip_conntrack_ftp

 

[cPanelMichael]

ports are opened in the firewall. Everything was working fine until the last update for cPanel.

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[kwdamp]

You should follow the directions on cPanel's site for enabling Passive Mode FTP support on the server.

How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation

In case you don't want to read that, below is what I do.

You'll want to make sure you have Passive Mode FTP support enabled by uncommenting the appropriate line in /etc/pureftpd.conf and then making sure those ports are open in your firewall.

1. Edit /etc/pureftpd.conf

Uncomment the below line and save /etc/pureftpd.conf

PassivePortRange 30000 50000

2. Run /scripts/restartsrv_pureftpd to restart pureftpd

3. Make sure your firewall is allowing incoming connections in the PassivePortRange

If you are using CSF, look in /etc/csf/csf.conf for a line starting with TCP_IN =

TCP_IN = "20,21,22,25,26,53,80,110,113,143,443,465,587,967,993,995,2077,2078,2082,2083,2086,2087,2095,2096,30000:35000"

Notice how the allowing of ranges of ports is set up in CSF - you use 30000:35000.

4. Run csf -r to apply the CSF config change

5. In your FTP client make sure you are using Passive mode FTP. I never do this. But I know my firewall on my PC will not block outbound connections from my FTP client. If you aren't sure, then on your PC you will want to force passive mode.

Mike

Had the same issues, and this fixed it perfectly. Thank you for taking the time to type this out.

The Passive Port range was there in pure-ftpd.conf from the start, though a slightly higher range.
But the ports were NOT open in CSF's TCP_IN.

I added them and it worked immediately. My only question is: was opening the ports some kind of security risk? If not, why were they not there (listed) in the first place?

 

[mtindor]

Had the same issues, and this fixed it perfectly. Thank you for taking the time to type this out.

The Passive Port range was there in pure-ftpd.conf from the start, though a slightly higher range.
But the ports were NOT open in CSF's TCP_IN.

I added them and it worked immediately. My only question is: was opening the ports some kind of security risk? If not, why were they not there (listed) in the first place?

Any time you have to open a port for inbound/outbound access, the cost of doing so needs to be weighed. Because some admins might not allow FTP or some environments might not allow TCP 20 through corporate firewalls, and because people may set their own preference for passive ports, Chirpy probably figured it was best that the admin actually add the passive ports manually rather than have CSF actually try and guess. Just a hunch.

If you are a server admin who allows FTP access, then you almost certainly will want to make sure that passive mode is supported.

I'm glad the post helped you out!

M

 

[Samet Chan]

Hi @cPanelMichael , @mtindor ,

I can still connect to FTP server "Pure-FTP", But I tried to look this and any tutorial won't help. I'd like to enable Pure-FTP firewall to allow IP. I checked in CSF Firewall TCP_IN: there is no for a port in FTP `49152 65534`. I'm confused so. I need to enable FTP firewall to allow IP well.

 

[cPanelMichael]

I'd like to enable Pure-FTP firewall to allow IP. I checked in CSF Firewall TCP_IN: there is no for a port in FTP `49152 65534`. I'm confused so. I need to enable FTP firewall to allow IP well.

You'd need to add the port range at the end of the existing TCP_IN line. For example:

49152:65534

Thank you.

 

[Samet Chan]

You'd need to add the port range at the end of the existing TCP_IN line. For example:

49152:65534

Thank you.

Solved problem. Thanks!

Status:    Connecting to xxx.xxx.xxx.xx:21...
Status:    Connection established, waiting for welcome message...
Status:    Initializing TLS...
Status:    Verifying certificate...
Status:    TLS connection established.
Status:    Logged in
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PASV
Response:    227 Entering Passive Mode (xxx.xxx.xxx.xx,235,111)
Command:    MLSD
Error:    The data connection could not be established: ECONNREFUSED - Connection refused by server
Error:    Connection timed out after 20 seconds of inactivity
Error:    Failed to retrieve directory listing
Status:    Disconnected from server

Using from VPN test it, they will not let connect another IP from SSH/SFTP, FTP it's working now.

 

[cPanelMichael]

Solved problem. Thanks!

You're very welcome. I'm glad to see that helped.

Using from VPN test it, they will not let connect another IP from SSH/SFTP, FTP it's working now.

Please open a new thread if you are facing a separate issue with the SSH/SFTP service.

Thanks!

 

[Samet Chan]

You're very welcome. I'm glad to see that helped.



Please open a new thread if you are facing a separate issue with the SSH/SFTP service.

Thanks!

Not really, any IP random will not allow connecting to our server. It's working on firewall added for port SFTP/FTP, SSH. You just helpfully me.

 

[Benjamin D.]

Same problem as described in OP, tried the solution provided on here (tough I only found a /etc/pure-ftpd.conf file, not a /etc/pureftpd.conf file like the solution stated) aand even tough the contents of that conf file was adjusted to PassivePortRange 30000 50000 and that CSF has the TCP_IN [...]30000:50000 rule and that both CSF and Pure-FTPd services were restarted, my FTP client still tries to handshake to a 60000-ish port and fails.

I also saw that since WHM 60.0 you have to use these instructions. I tried them as well and it's still the same: How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation

What's going on with WHM 72.0 ?

 

[cPanelMichael]

Hello @Benjamin D.,

Can you post the output from the following command?

grep PassivePortRange /var/cpanel/conf/pureftpd/local

Thank you.

 

[Benjamin D.]

PassivePortRange: 30000 50000

 

[Benjamin D.]

I mitigated the issue by opening every TCP_IN, TCP_OUT, IP6_IN and IP6_OUT... Yes, to have it working, it would seem as tough I actually need the OUT ports unlocked too. Not sure why, but now it works reliably... thanks to those tens of thousands of open ports :-/

 

[cPanelMichael]

I mitigated the issue by opening every TCP_IN, TCP_OUT, IP6_IN and IP6_OUT... Yes, to have it working, it would seem as tough I actually need the OUT ports unlocked too. Not sure why, but now it works reliably... thanks to those tens of thousands of open ports :-/

Hello @Benjamin D.,

You shouldn't have to enable those ports for outgoing connections to allow users to access FTP (via passive mode) on your server from their FTP clients. Have you tried closing the outgoing ports again and confirming that FTP stops working?

Thank you.