Server sent passive reply with unroutable address when connecting to FTP site with FileZilla

certificate routing ftp tls

This is old question but thought it may help other. I have a similar issue and mentioned by @HBrujin I have correct pasv_address specified as well but still having similar message appearing on Filezilla.

First of all find out what IP address you are getting as PASV command by enabling debug mode in FileZilla and you may see line like below

Response:   227 Entering Passive Mode (0,0,0,0,4,7).

I was hoping my public address instead of 0.0.0.0 as I have already specified pasv_address. Later on realized that it was due to listen_ipv6=YES setting and pasv_address has IP4. Just add change configuration to 

#listen_ipv6=YES
listen=YES

resolved my issue.


When the client is initiating a data transfer, it asks the FTP server, where to connect to. The IP address that you server provides is likely its internal address on its network, rather than an external IP address that can be used by the client. It's an incorrect configuration on the server-side.

But as this is a quite common misconfiguration, many FTP clients, including FileZilla, can workaround it. They simply ignore any IP address the server provides, if it's unroutable from the client's network location, and use an FTP server address instead. That's what happened.

See my recent answer for explanation of the passive mode architecture.

Regarding the certificate accepting: As you did not share with us, what was the reason given by FileZilla to ask you to accept the certificate, we cannot really help you.


Looks at first glance as a NAT issue with the FTP protocol helper failing because of the TLS encryption and I would expect that to become a firewall problem as well.

Some background here in an older answer of mine.

The solution is probably to fix the passive TCP port range that FTP over SSL can use, have the FTP server advertise the external IP-address rather than the actual ip-address (the pasv_address directive in VSFTPD) and to create static NAT rules for those ports.

Related

home dir and shell for Active Directory authenticated users
What does dis=NONE mean in an email's Authentication-Results header?
How to remotely detect windows has completed patch configuration after reboot
RunAs netonly with credentials saved
Is there any way to provision bare-metal with Packer?
bind9 does not resolve dnssec correctly
Baffling Memory leak. What is using ~10GB of memory on this system?
How to find out when an EC2 instance was shutdown?
Keepalived send gratuitous ARP periodically
apt-key add on Debian Stretch: no valid OpenPGP data found
Move a file and leave a soft link behind
How do you compute the AC capacity needed for a server room?