Troubleshooting FTP
FTP connection issues are almost always caused by firewalls or by incorrect settings in the FTP client. Work through the checks below before opening a support ticket. In our experience, the change that caused the problem is on the customer's side, and the steps here resolve the great majority of FTP issues.
Check for Firewall Issues
Most FTP support cases trace back to the customer's or counterparty's corporate or network firewall. FTP is a frequently restricted protocol, and firewall changes can introduce problems where none existed before. FTP also has two modes, Active and Passive, which interact with firewalls differently.
IP Whitelisting
If your firewall whitelists IP addresses, confirm that every IP used by your appliance is on the list.
If your firewall administrator requires an explicit whitelist for FTP traffic, request that they allow FTP ports 21 and 990, plus data ports 40000-49999, to all IP addresses used by your appliance.
Active vs. Passive Mode
Many FTP clients let you choose between Active mode and Passive mode. ExaVault supports both, but a corporate or network firewall may block one or the other. Test both modes alongside the alternate ports above.
Connection Settings in Your FTP Client
The settings below cover the most common client-side causes of FTP failure.
Hostname
Connect with FTP or FTPS to the fully qualified domain name of your appliance. Do not include https:// at the start of the address. When your client requires an IP address, use the external IP address configured in the appliance manager.
Port
The default FTP port of 21 is blocked or interfered with by many corporate firewalls. Some FTP clients use "implicit security mode," which runs on port 990.
Timeout
When your client supports it, set the connection timeout to 60 seconds.
Retry Logic
When your client supports it, configure three connection retries at 10-second intervals. Retries allow a failed connection to one server to succeed on a different server.
Keepalives
ExaVault times out FTP sessions that have been idle for 120 seconds, to prevent unused sessions from holding server resources. Most FTP clients handle these idle timeouts without issue, completing transfers in progress and reconnecting on the next command. Some clients abort the transfer or error out on the idle timeout. When that happens, enable the client's keepalive setting (null packets or dummy commands) at an interval of 100 seconds.
How Active and Passive FTP Work
FTP uses multiple network ports to move data between client and server. One port is the Command channel; one or more ports are Data channels. The Command channel carries the FTP session controls and directory listings; the Data channels carry file contents during upload and download.
The Command channel uses a well-known port — 21 or 990 — that firewall administrators know how to open. The Data channels use random ports and are established outbound or inbound depending on the FTP mode.
Most FTP connectivity issues are caused by firewalls that allow the Command channel but block the Data channels. The symptom is that the client connects and lists directories successfully, but file transfers fail.
Active Mode
Active mode is the original FTP mode. It predates firewalls and is considered deprecated. Use it only on a Local Area Network (LAN), never when a firewall sits between the client and the server.
In Active mode, the client opens the Command channel to the server. The port depends on the FTP variant:
FTPS (implicit FTP over TLS): port
990FTPeS (explicit FTP over TLS): port
21Plain, insecure FTP: port
21
The Command channel is always established from the client to the ExaVault FTP server.
Once authenticated, the FTP server connects back to the client to open the Data channels. The client sends the server an IP address and a range of random port numbers, and the server connects to those. Active Data channels are always established from the ExaVault server to the client on a port the client chose.
Transfer commands flow over the Command channel; file contents flow over the Data channels.
Passive Mode
Passive (PASV) mode was designed for clients that cannot accept inbound connections, including clients behind firewalls or on a NAT subnet. Because firewalls and NATs are now standard, Passive mode is the recommended FTP mode.
In Passive mode, the client opens the Command channel to the server in the same way as Active mode. The port depends on the FTP variant:
FTPS (implicit FTP over TLS): port
990FTPeS (explicit FTP over TLS): port
21Plain, insecure FTP: port
21
The Command channel is always established from the client to the ExaVault FTP server.
Once authenticated, the FTP server tells the client the port range of its passive data ports. The client then opens Data channel connections to the server on random ports in that range. For ExaVault, every FTP variant uses the same Passive Data channel range:
Passive (PASV) mode: port range
21000to21050
Passive Data channels are always established from the client to the ExaVault FTP server.
Transfer commands flow over the Command channel; file contents flow over the Data channels.
Recommendations
Do not use Active mode unless there is no firewall between the FTP client and ExaVault. Always use Passive mode for FTP and FTPS connections to ExaVault.
When the client can connect and traverse directories but cannot upload or download, the Data channel is being blocked. Allow connections to the ExaVault Passive (PASV) port range through your firewall.
FTP uses the OPEN command on the Command channel to create a file before filling it with data over the Data channel. Zero-byte files appearing on upload or download mean your firewall is blocking the Data channel. Allow connections to the ExaVault Passive (PASV) port range through your firewall.
ExaVault uses fully valid and chained SSL certificates for FTPS connections. You do not need to configure your FTP client to allow insecure or self-signed certificates. When your client sees an invalid, self-signed, or expired certificate connecting to ExaVault, verify your DNS settings to confirm you are connecting to the correct IP addresses for ExaVault.
ExaVault Configuration to Check
When the checks above have not resolved the issue, confirm that the user is enabled and that the username and password are correct. In the appliance interface, enabled users show a green check and disabled users show a red X. Select a disabled user and toggle Enable/Disable to enable it.
Last updated