Troubleshooting FTP PASV Mode Connection Timeouts in wget Transfers Between Linux and Windows Servers


12 views

When executing wget -m ftp://username:password@sourceserver.com between Linux and Windows FTP servers, the connection fails after PASV command with random high-numbered port timeouts. This typically indicates a passive mode FTP configuration issue where the server's IP/port combination isn't properly accessible.

The symptom suggests one of these scenarios:

  • The Windows FTP server announces its internal IP in PASV response
  • Intermediate firewall blocks the passive port range
  • NAT translation isn't properly configured
# First verify basic connectivity:
telnet sourceserver.com 21
# Then check passive mode manually:
USER username
PASS password
PASV
# The server responds with (xx,xx,xx,xx,yy,yy) - first 4 are IP, last 2 calculate port

Option 1: Force active mode (not recommended for security):

wget --no-passive-ftp -m ftp://user:pass@sourceserver.com

Option 2: Specify IP in passive mode (server-side fix):

On Windows IIS FTP server:

# Set external IP in FTP Firewall Support:
appcmd set config /section:system.ftpServer/firewallSupport 
  /externalIp4Address:"your.public.ip"

Option 3: Client-side workaround:

wget --ftp-passive --header="Host: sourceserver.com" 
  --ftp-user=user --ftp-password=pass 
  ftp://sourceserver.com

For complex network setups, packet capture helps identify where connections drop:

tcpdump -i any -w ftp_debug.pcap host sourceserver.com
# Analyze with Wireshark later
  • Verify passive port range in Windows FTP settings matches firewall rules
  • Check if FTP client is behind same NAT as server
  • Test with different clients (lftp, curl) for comparison

When transferring files between servers using wget -m with FTP protocol, the connection fails after issuing the PASV command. The error typically shows:

==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> ... couldn't connect to xxx.xxx.xxx.xxx port 1128: Connection timed out

The issue stems from FTP's passive mode operation:

  • Client connects to server's command port (21)
  • Server responds with IP:port combo for data connection
  • Firewalls/NAT often block these ephemeral ports

For Microsoft FTP servers (IIS):

# Check Windows firewall rules
netsh advfirewall firewall show rule name=all | find "FTP"

# Verify FTP Service settings:
1. Open IIS Manager
2. Navigate to FTP Firewall Support
3. Check "External IP Address" and port range

Option 1: Force active mode (not recommended for security)

wget --no-passive -m ftp://user:pass@host

Option 2: Specify port range (if server allows)

wget --ftp-passive-ports=5000-5100 -m ftp://user:pass@host

Option 3: Use alternative protocols (recommended)

# Using rsync over SSH
rsync -avz -e ssh user@source:/path/ /local/path/

# Using lftp (handles PASV better)
lftp -c "open ftp://user:pass@host; mirror --parallel=5 /remote/path /local/path"

Check if ports are actually open:

# On Linux client (replace port number)
telnet sourceserver.com 1128
nc -zv sourceserver.com 1128-1130

# On Windows server:
Test-NetConnection -ComputerName clientIP -Port 1128

For production environments:

  • Configure FTP proxy with fixed data ports
  • Implement SFTP/SCP instead of FTP
  • Use managed file transfer solutions like Axway or GoAnywhere

Remember that modern systems should phase out plain FTP due to security concerns. The industry standard has moved towards SSH-based protocols or managed file transfer solutions with proper auditing and encryption.