425 Security: Bad IP connecting when trying to connect to ftp server behind load balancer

I have an EC2 instance with vsftp installed. The daemon is listening on port 21:

$ sudo netstat -tulpn
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1730/vsftpd  

I am able to FTP and upload files through FileZilla when connecting to the instance IP address itself. However, when I add the instance to a classic load balancer and try to connect to the load balancer, I get the following error:

Command:    PASV
Response:   227 Entering Passive Mode (3,23,102,171,4,6).
Command:    LIST
Response:   425 Security: Bad IP connecting.
Error:          Failed to retrieve directory listing

The only options I changed in the vsftpd.config are the following:

listen=YES
# listen_ipv6=YES
write_enable=YES

pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=3.23.102.171

All the other options are the defaults. There is nothing else installed on the server and clearly the Security Groups allow access.

What's this error about and how can I resolve it?


I think you have tackled almost everything. But some small things might be missing.

To run vsftpd behind a load balancer you need to:

Enable passive mode and set ports:

pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048

Obviously these ports need to be exposed on your load balancer.

Set up a pasv_address and connect to it:

You should set up a pasv_address, just like you did. But make sure:

  1. You are connecting with this address on your ftp client: ftp same-address-as-config
  2. If your address is a name, add pasv_addr_resolve=YES

Hope it helps.
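
The checks in the answer above can be run against a captured 227 reply. This is an added example, not part of the original answer: it decodes the reply from the question into an address and port, then compares them with the pasv_* settings and with the host the client connected to. The function names and sample constants are hypothetical, and it assumes pasv_address is a literal IPv4 address (the pasv_addr_resolve case is not handled).

```python
import ipaddress
import re

# Constructed inputs, built from the values shown in the question above.
SAMPLE_REPLY = "227 Entering Passive Mode (3,23,102,171,4,6)."
SAMPLE_CONF = """listen=YES
# listen_ipv6=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=3.23.102.171
"""

def parse_pasv_reply(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (IPv4Address, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field above 255 in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def parse_conf(text):
    """Read key=value settings from vsftpd.conf text, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_pasv(reply, conf_text, connected_to):
    """List mismatches between the 227 reply, the config and the client target."""
    conf, problems = parse_conf(conf_text), []
    ip, port = parse_pasv_reply(reply)
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if not (lo and hi):
        problems.append("pasv_min_port/pasv_max_port not both set")
    elif not lo <= port <= hi:
        problems.append("port %d outside %d-%d" % (port, lo, hi))
    addr = conf.get("pasv_address", "")
    if addr != str(ip):
        problems.append("reply advertises %s, pasv_address is %r" % (ip, addr))
    if connected_to != addr:
        problems.append("client connected to %r, not pasv_address" % connected_to)
    return problems
```

For the reply in the question the decoded data port is 1030 (4 * 256 + 6), which is inside the configured 1024-1048 range, so that port must be forwarded by the load balancer along with the rest of the range.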