FTP Connection Timeout After MLSD Command: Debugging Network and Client Issues


2 views

When your FTP client hangs after sending the MLSD command (RFC 3659) while listing directories, you're facing a protocol-level handshake failure. The MLSD command retrieves machine-readable directory listings, and timeout at this stage indicates either:

  • Network filtering of EPSV/PASV responses
  • Firewall blocking high ports (49152-65535 in passive mode)
  • IPv6 misconfiguration (if both client/server support IPv6)

First, verify basic connectivity using telnet:

telnet ftp.example.com 21
Trying 192.0.2.1...
Connected to ftp.example.com.
220 FTP Server Ready
USER your_username
331 Password required
PASS your_password
230 User logged in
EPSV
229 Entering Extended Passive Mode (|||49154|)

If the EPSV response hangs, your network is likely blocking the passive port range.

For FileZilla, add these custom settings in filezilla.xml:

<Settings>
  <Option name="Limit ports">true</Option>
  <Option name="Port range">50000-50100</Option>
</Settings>

Or force active mode with:

import ftplib
ftp = ftplib.FTP('ftp.example.com', 'user', 'pass')
ftp.set_pasv(False)  # Force active mode
ftp.retrlines('LIST')

For ASUS routers, add iptables rules:

iptables -A INPUT -p tcp --dport 50000:50100 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 50000:50100 -j ACCEPT

Consider downgrading to legacy LIST command by creating a .filezilla file with:

<FileZilla3>
  <Settings>
    <Setting name="Use MLSD">0</Setting>
  </Settings>
</FileZilla3>

When your FTP session dies immediately after the MLSD command (RFC 3659) while other commands work fine, we're typically looking at one of these scenarios:

// Sample FTP command flow showing the failure point
220 FTP Server Ready
USER myusername
331 Password required
PASS ********
230 Login successful
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
 MLST size*;modify*;type*;perm*;unique*;lang*
211 End
PWD
257 "/" is current directory
TYPE I
200 Type set to I
PASV
227 Entering Passive Mode (192,168,1,100,195,55)
MLSD  // ← Timeout occurs here

Before blaming the client, let's gather concrete evidence:

  • Packet capture: Run tcpdump -i any port 21 or port 20 -w ftp_capture.pcap
  • Manual command test using telnet or nc:
telnet ftp.example.com 21
Trying 203.0.113.45...
Connected to ftp.example.com.
220 FTP Server Ready
USER anonymous
331 Guest login ok, send your complete email address as password
PASS guest@
230 Login successful
MLSD

When standard fixes fail, try these advanced configurations:

# FileZilla.xml configuration snippet
<Setting name="Limit ports">1</Setting>
<Setting name="Limit ports offset">60000</Setting>
<Setting name="Disable MLSx">1</Setting>  // Critical for MLSD issues

# Or in .lftp/rc:
set ftp:use-mlsd off
set net:connection-limit 5

For MikroTik routers experiencing this issue:

/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=49152-65535 \
    comment="FTP passive mode high ports"
add chain=forward action=accept connection-state=related,established

For Linux iptables:

iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 49152:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Oddly enough, adjusting TCP window sizes often resolves MLSD-specific timeouts:

# Linux sysctl adjustments
echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.conf
echo "net.core.rmem_max = 16777216" >> /etc/sysctl.conf
echo "net.ipv4.tcp_rmem = 4096 87380 16777216" >> /etc/sysctl.conf
sysctl -p

# Windows registry fix (requires admin):
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v TcpWindowSize /t REG_DWORD /d 64240 /f