ftp logins hang

Everything appears to be working EXCEPT for ftp.

FTP logins hang while waiting for a “connect response”. I’ve read it’s PROBABLY a problem with the firewall or routing (DNS, routing, and everything else seems to be fine for all other services). From a remote client I get

Status: Resolving address of ns2.domain.com (ns2 is a virtual web host)

Status: Connecting to xx.xxx.xxx.xx:21… (this is the right IP)

Status: Connection established, waiting for welcome message…

Error: Connection timed out

Error: Could not connect to server

BUT: when I use a LOCAL client, trying to get TO the machine FROM the machine I can’t connect to, I get a couple of KERBEROS messages that make me think that just perhaps the problem is somehow an authentication or ftp program setup issue:

220 FTP Server ready.

500 AUTH not understood

500 AUTH not understood

KERBEROS_V4 rejected as an authentication type

Name (ns2.domain.com:root):

Could this KERBEROS thing somehow be killing external connections? Any ideas?


Kerberos is an authentication mechanism.
Did you try connecting with ftp over the IP of the system?

If that works then you likely have a dns issue at hand.

Yeah, that doesn’t work either.

The config file is exactly the same as one on a different machine on a different network… but that machine works… so would that seem to indicate to you that the problem is the firewall settings?

If the FTP service is up…
Is there anything in the iptables that indicates the port is closed or that IPs are blocked?
Is this in the config, or do you actually use Kerberos?

Use pam to authenticate (default) and be authoritative

AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c

Hi Ronald, yes. There was no nat entry for ftp. It’s fixed now. Thank you.

Can you post your fix?

I have the same issue, and I know it is firewall related as I can turn off the firewall and all works great. I would appreciate it.

In my case, I only need to add the route to the firewall, which in Cisco-speak was something like

set nat entry YourLocalIP 21 YourPublicIP 21 tcp

which on your machine could randomly look something like this in real life:

set nat entry 21 21 tcp
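As an added example (not part of this thread), a small Python probe that reproduces the distinction the remote client shows above: the TCP handshake completing but no 220 greeting arriving (“Connection established, waiting for welcome message…”) versus a refused connection versus a working control channel. The local listener and its banner are constructed test doubles, not proftpd.

```python
import socket
import threading

# Constructed greeting modelled on the thread's "220 FTP Server ready." line.
SAMPLE_BANNER = b"220 FTP Server ready.\r\n"

def probe_ftp_banner(host, port=21, timeout=5.0):
    """Classify what a client sees when opening the FTP control channel.

    "refused"     connect rejected (nothing listening, or a filter sent RST)
    "unreachable" connect never completed (SYN dropped on the way in)
    "no-banner"   handshake done but no 220 greeting: the thread's symptom,
                  the SYN got in but the server's reply path does not work
    "banner"      a 220 greeting arrived, the control channel works
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout on connect is an OSError
        return "unreachable"
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return "no-banner"
    return "banner" if data.startswith(b"220") else "no-banner"

def start_fake_server(banner):
    """One-shot local listener (constructed test double, not proftpd). banner=None
    models a server whose greeting never reaches the client. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        with srv, srv.accept()[0] as conn:
            if banner is not None:
                conn.sendall(banner)
            conn.recv(1)  # hold the channel open until the client gives up

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Pick a local port nothing listens on (bind, read, release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Running `probe_ftp_banner` against the public address from the LAN and from outside gives the comparison the thread relies on: “banner” inside but “no-banner” outside points at the NAT/firewall path rather than at the FTP daemon’s authentication setup.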