Failed to retrieve directory listing filezilla connecting to IIS FTP behind NAT

Just recently I was setting up IIS with FTPS and had a bear of a time getting it to work, both because I needed to learn a bit about FTP and because Microsoft’s scheme for getting things configured wasn’t exactly what I’d call intuitive. If you’re in the same place I was, you received an error that looked like this:

Line 1: Command: PASV
Line 2: Response: 227 Entering Passive Mode (192,168,1,2,211,235)
Line 3: Status: Server sent passive reply with unroutable address. Using server address instead.

and/or

Problem #2:

Command: PASV
Response: 227 Entering Passive Mode (<your public ip here>,211,117).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out
Error: Failed to retrieve directory listing

So you’re actually running up against two problems here that if you haven’t decided to delve into the annals of FTP, you probably don’t know how to deal with (or at least I didn’t). If you already understand FTP or don’t give a crap about the problem then skip this and go to Fixing Problem #1.

Understanding The Problem – FTP Passive Mode

In FTP passive mode your client node will contact the FTP server on port 21, which is what’s called the command channel. If your client is using passive mode (the usual default) it will at some point send the command PASV alerting the server that it wants to enter passive mode. The server will send a response message like this:

Response: 227 Entering Passive Mode (x,x,x,x,y1,y2)

Where the x’s are the server’s IP address and the y’s are two numbers from 0-255. This line is sent to the client, telling the client what IP address to connect to and what port to use for the data channel. The port to use may not be so obvious. The port is actually calculated via the following formula y1*256+y2. You may also not know what the data port is. FTP uses two channels – a command port and a data port. The command port is used to send commands such as LIST, PASV, PWD, etc and the data channel is the channel actually used to transfer your data.

Understanding Problem #1:

If you have the above problems then you have probably seen a line similar to this in your FTP output, and if you haven’t, it’s there, just look again :-D:

Line 1: Command: PASV
Line 2: Response: 227 Entering Passive Mode (192,168,1,2,211,235)
Line 3: Status: Server sent passive reply with unroutable address. Using server address instead.

Now that you know that the 192,168,1,2 is an IP address (explanation above) it’s probably not hard to figure out why you’re being told it’s unroutable. 192.168.1.2 (or whatever one you’re using) is not a publicly routable address. Your server is sending its response based on the local interface address rather than the external address of your NAT router.

Fixing Problem #1:

1) Open IIS Manager
2) Expand your sites and click your FTP site
3) Double click FTP Firewall Support
4) Under “External IP address of firewall” enter your publicly routable IP address

5) Click Apply

Understanding Problem #2:

Let’s take a look back at our problem output.

Line 1: Command: PASV
Line 2: Response: 227 Entering Passive Mode (192,168,1,2,211,235)
Line 3: Status: Server sent passive reply with unroutable address. Using server address instead.

Now after you’ve implemented the fix above that should have bailed you out of one problem. Chances are you’re still getting something like this:

Command: PASV
Response: 227 Entering Passive Mode (<your public ip here>,211,117).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out
Error: Failed to retrieve directory listing

If you read the original explanation for passive FTP you may already know where I’m going with this. In this example the 211 and 117 are plugged into the equation y1*256+y2 to determine the data port the server will open on its side. In our case, you have 211*256+117=54133. Chances are you forwarded port 21 on your router to the server and maybe even port 20, but you probably didn’t forward port 54133. So when your client goes to connect to port 54133 the router silently drops the connection.
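
The two checks described above can be run against a captured PASV reply. The following Python is an added example, not code from the original post: it parses a 227 reply, applies the y1*256+y2 formula, and reports which of the two problems the reply would trigger. The `diagnose` helper, the 50000-50100 forwarded range and the 203.0.113.10 stand-in for a public address are assumptions made for illustration.

```python
import ipaddress
import re

# Six comma-separated fields of a 227 reply: (x,x,x,x,y1,y2)
PASV_RE = re.compile(r"227 [^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

# Address ranges a client on the internet cannot reach (RFC 1918, loopback, link-local)
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field outside 0-255: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]   # data port = y1*256+y2

def diagnose(reply, forwarded_ports):
    """List which of the post's two problems a 227 reply would trigger."""
    ip, port = parse_pasv(reply)
    findings = []
    if any(ip in net for net in UNROUTABLE):
        findings.append("problem 1: %s is not publicly routable" % ip)
    if port not in forwarded_ports:
        findings.append("problem 2: data port %d is not forwarded" % port)
    return ip, port, findings

if __name__ == "__main__":
    forwarded = range(50000, 50101)   # assumed range forwarded on the router
    samples = [                       # constructed replies
        "227 Entering Passive Mode (192,168,1,2,211,235)",
        "227 Entering Passive Mode (203,0,113,10,211,117).",
        "227 Entering Passive Mode (203,0,113,10,195,100).",
    ]
    for line in samples:
        ip, port, findings = diagnose(line, forwarded)
        print(ip, port, findings or "ok")
```
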

Fixing Problem #2:

You have to tell IIS to limit the ports that it will tell the client to use for the data channel and then forward those ports.

1) Click on the SERVER node in IIS Manager, not the site node. Under the server node, click FTP Firewall Support.
2) Enter the port range you want IIS to use for the data port.

3) Click apply
4) Now here’s the fun part where Microsoft really did a great job of making things intuitive. You have to restart the Microsoft FTP service under the services manager.

The changes to the port range will not take effect until you restart this service!

Hope this helps.

38 thoughts on “Failed to retrieve directory listing filezilla connecting to IIS FTP behind NAT”

  4. DeRidder LA Real Estate, LLC

    You saved us some serious time configuring FTP. Thank you so much.

    1. grantcurell@gmail.com Post author

      No problem, I’m glad it helped!

  5. Anonymous

    Thanks! I was looking like crazy before I finally found this post!

    1. grantcurell@gmail.com Post author

      I’m glad you were able to find it! I put it up after extensive Googling didn’t turn up results for me as well.

  7. KS

    The service restart tip was a godsend

  9. Anonymous

    Thank you so much…

  10. Anonymous

    Thank you so much, very good…..

  11. Paul

    So, how does this work if the server is in Azure?

  12. policypressblog

    Didn’t resolve my problem. Same error persists.

  13. Ted

    This is essential when setting up FTP on Windows virtual machine on Google Cloud Platform. Thanks so much!

  14. gonzalezx600

    The problem still happens for me!

  15. carl

    Service restart fixed it, 3 hours trying. Then found your answer. Thanks

  16. johnnydawkins

    This worked great! Haven’t found many other FTP for Google Cloud Platform resources out there, so thank you.

    I also got a “425 Can’t open data connection for transfer of “/” error, which was resolved by going to windows server firewall settings and adding an inbound exception for FileZilla.

  17. Sergio Moura

    Solved perfectly on servers behind NAT. But I’m still having problem #2 on a server that doesn’t seem to be behind a NAT. How is that possible?

    1. grantcurell@gmail.com Post author

      Unfortunately, it’s possible for any number of reasons. All that the error message from problem #2 is telling you is that the connection failed. So your problem could be anything, which results in a failed connection. The first thing I would check is the server’s host based firewall, but if you have a network based firewall in front of it that could also cause you problems.

      Outside of blocking, I’d start from the ground up. Open up wireshark and watch to see where things fail. In order you should see something like this:

      1) TCP session setup between client and server
      2) Client sends passive command to server port 21
      3) Server responds telling client what ports to connect to
      4) Client attempts to set up a data connection on the ports the server responded with

      For you to get the error message, chances are it fails during one of those steps.

  18. Matthew Fritz

    Can’t thank you enough for this. It is exactly what I needed for my Amazon AWS Instance.

  19. Emanuel Alexandre Tavares

    Hi,

    I did everything, but it has not solved the problem yet.
    It shows me “logged in”, as you can see:

    Status: Connecting to x.x.x.x:21…
    Status: Connection established, waiting for welcome message…
    Status: Insecure server, it does not support FTP over TLS.
    Status: Logged in
    Status: Retrieving directory listing…
    Command: PWD
    Response: 257 “/” is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PASV
    Response: 227 Entering Passive Mode (x,x,x,x,4,4).
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Error: Connection timed out after 30 seconds of inactivity
    Error: Failed to retrieve directory listing

    On IIS the connection appears.

    Thanks for any suggestion.

    Emanuel

  20. Anonymous

    Wow thank you so much!! Seriously saved me a couple of days!! Thanks!

  21. Anonymous

    Yeah! Thanks! Need-to-restart FTP service was really tricky, I tried to fix FTP for a few days without it!

  22. Torchqq

    Still having the same problem with my FTPS connection with port 990, and the port is open on my firewall and my windows firewall is off, how can I resolve this and make it work?

  24. Torchqq

    Having the same problem, been kicking my head for weeks now, inside my network it works with port 990, but when an employee from the outside tries to connect it gives me that error, we did a mapping of the server IP for the outside to enter it, can’t work, same error here

  25. Anonymous

    Thanks so much, this guide fixed my problem too.
