FTP Active vs Passive Mode — ACL Blocking FTP Data Channel
Presenting Symptom
FTP client can establish control connection and authenticate, but data transfer fails with timeout or '425 Can't open data connection' error.
Network Context
A small branch office with a Cisco 4321 ISR router running IOS XE 16.9. The router has an ACL applied to the WAN interface (GigabitEthernet0/0/0) that permits FTP control port (TCP/21) but blocks high ports. The FTP server is on the WAN side, and the client is on the LAN side. The client uses FTP active mode by default.
Diagnostic Steps
Check FTP client configuration and test connectivity

```
show running-config | include ftp
```

The filter returns an `ftp passive` line when FTP mode passive is configured. If 'ftp passive' is configured, the client uses passive mode. If not, it uses active mode. In this scenario, no passive command is present, so active mode is used.
Verify ACL on WAN interface

```
show access-lists OUTBOUND_ACL
Extended IP access list OUTBOUND_ACL
    10 permit tcp any any eq 21
    20 permit tcp any any eq 20
    30 deny ip any any
```

The ACL permits traffic to the FTP control (21) and FTP data (20) ports, but an active-mode data connection is opened by the server, from its port 20 to a random high port on the client. The `eq 20` entry tests the destination port, so the server's return connection (destination port = the client's high port) matches neither permit entry and falls through to `deny ip any any`, which blocks it.
Check if FTP data channel is being blocked

```
debug ip packet detail
IP: s=10.0.0.1 (GigabitEthernet0/0/0), d=192.168.1.100, len 48, access list OUTBOUND_ACL denied
```

The debug shows packets from the FTP server (10.0.0.1) to the client (192.168.1.100) being denied by the ACL. This confirms the data channel is blocked. Note that `debug ip packet` is CPU-intensive on a busy router; run it briefly, or restrict it to the hosts of interest with an access list, and turn it off with `undebug all` when done.
Check FTP mode on client

```
show ftp
FTP client configuration: mode: active
```

The client is using active mode. In active mode, the server initiates the data connection to a random port on the client, which is blocked by the ACL.
Root Cause
The ACL on the WAN interface permits only traffic to destination TCP ports 20 and 21, but in FTP active mode the server initiates the data connection from its port 20 to a random high port (above 1023) on the client. The ACL denies this return traffic, causing the data transfer to fail.
Resolution
Apply the 'ftp passive' command on the client so that the client initiates both the control and the data connection. No inbound connection from the server then has to pass the ACL, and the existing ACL can stay in place.
Verification
After applying 'ftp passive', test the FTP transfer again. Use 'show ftp' to confirm the mode:

```
show ftp
```

Expected output:

```
FTP client configuration: mode: passive
```

Then perform an FTP get/put and verify that the data transfer succeeds.
Prevention
1. Use passive FTP mode by default on clients to avoid inbound connections.
2. Design ACLs to permit established connections (using the 'established' keyword) if active mode is required.
3. Consider using application-layer gateways (ALGs) or stateful inspection to handle FTP dynamically.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests understanding of FTP active vs passive mode and how ACLs affect traffic. Expect multiple-choice questions asking which mode is affected by an ACL blocking high ports, or troubleshooting questions where you must identify that an ACL is blocking the data channel. Key fact: In active FTP, the server initiates the data connection to the client; in passive, the client initiates both.
Exam Tips
Remember: Active FTP uses two connections: control (client->server, port 21) and data (server->client, from port 20). Passive FTP uses control and data connections that are both initiated by the client.
The 'established' keyword in ACLs permits TCP packets with the ACK or RST bit set, which can allow return traffic for active FTP.
Know that the 'ftp passive' command on Cisco IOS enables passive mode for the FTP client.
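To make the ACL evaluation concrete, here is an added Python model (not from this page or from Cisco) of how an extended ACL's first-match lookup treats the packets in this scenario. It uses the scenario's addresses and ACL entries; the client high port 51234 is a constructed value, and it also models the `established` keyword as the Exam Tips define it (matches only when ACK or RST is set), so you can see that such an entry matches the server's control-channel replies but not the server's data-connection SYN.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False               # True when the ACK (or RST) bit is set

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                     # "permit" or "deny"
    eq_dport: Optional[int] = None  # "eq <port>" tests the destination port
    established: bool = False       # the "established" keyword

    def matches(self, p: Packet) -> bool:
        if self.eq_dport is not None and p.dport != self.eq_dport:
            return False
        return p.ack or not self.established   # established needs ACK/RST set

def evaluate(acl: List[Entry], p: Packet) -> Tuple[int, str]:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.seq, e.action
    return 0, "deny"

# The scenario's ACL, as listed by 'show access-lists OUTBOUND_ACL'.
OUTBOUND_ACL = [Entry(10, "permit", eq_dport=21),
                Entry(20, "permit", eq_dport=20),
                Entry(30, "deny")]

SERVER, CLIENT = "10.0.0.1", "192.168.1.100"   # addresses from the scenario
CLIENT_HIGH = 51234                            # constructed sample high port

def active_mode_data_syn() -> Packet:
    # Active mode: the server opens the data connection from its port 20 to
    # the client's announced high port; this is the packet the debug showed denied.
    return Packet(SERVER, 20, CLIENT, CLIENT_HIGH)

def control_reply() -> Packet:
    # The server's reply on the control channel the client opened (ACK set).
    return Packet(SERVER, 21, CLIENT, CLIENT_HIGH, ack=True)

def with_established(acl: List[Entry]) -> List[Entry]:
    # Same ACL with 'permit tcp any any established' inserted as entry 25.
    return sorted(acl + [Entry(25, "permit", established=True)], key=lambda e: e.seq)
```

Calling `evaluate(OUTBOUND_ACL, active_mode_data_syn())` returns entry 30 / deny, while a packet whose destination port is 20 is the only kind that entry 20 ever matches.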
Commands Used in This Scenario
- show running-config | include ftp
- show access-lists OUTBOUND_ACL
- debug ip packet detail
- show ftp
- ftp passive