When troubleshooting FTP on Windows Server 2008 R2, the fact that localhost connections work while remote connections hang at "150 Opening ASCII mode" strongly indicates a firewall or data channel configuration issue. This behavior occurs because:
// Localhost bypasses network stack
ftp> open localhost // Works
ftp> open ftp.example.com // Hangs
While ports 20 (active mode data) and 21 (control) are necessary, passive mode requires additional ports:
- Ephemeral ports (49152-65535 by default on Windows)
- Specific passive port range if configured in IIS
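Use this PowerShell command to check the enabled inbound Windows Firewall rules (Get-NetFirewallRule ships with Windows Server 2012 and later; on Server 2008 R2, query the rules with netsh advfirewall instead):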
Get-NetFirewallRule | Where-Object {
$_.Direction -eq "Inbound" -and
$_.Enabled -eq "True"
} | Format-Table Name,DisplayName,Enabled,Profile
For IIS 7 FTP server, ensure these settings:
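<!-- Server level: passive data channel port range -->
<system.ftpServer>
  <firewallSupport lowDataChannelPort="5000" highDataChannelPort="6000" />
</system.ftpServer>
<!-- Site level, inside the FTP site's <ftpServer> element: address advertised in PASV replies -->
<ftpServer>
  <firewallSupport externalIp4Address="YOUR_PUBLIC_IP" />
</ftpServer>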
And configure Windows Firewall with:
netsh advfirewall firewall add rule name="FTP Passive Ports" dir=in action=allow protocol=TCP localport=5000-6000
When network monitoring tools fail, try these approaches:
- Client-side tracing: Enable logging in your FTP client
- Server-side captures:
netsh trace start scenario=NetConnection capture=yes tracefile=C:\temp\ftptrace.etl
rem Reproduce the issue, then stop the trace
netsh trace stop
For EC2 instances, you must:
- Configure Security Groups for passive port range
- Set proper Source/Destination checks
- Consider using Elastic IP for consistent external IP
Example AWS CLI command (0.0.0.0/0 admits any source address; narrow --cidr to your clients' ranges where they are known):
aws ec2 authorize-security-group-ingress \
--group-id sg-903004f8 \
--protocol tcp \
--port 5000-6000 \
--cidr 0.0.0.0/0
If passive mode continues to cause issues:
// Force active mode in FTP client
ftp> quote PORT 192,168,1,100,7,138
// Or request passive mode (PASV takes no argument; the server picks the port from its configured range)
ftp> quote PASV
For permanent solutions, consider switching to SFTP or FTPS, which have cleaner firewall traversal characteristics.
When setting up FTP on Windows Server 2008 R2 with IIS7, many administrators encounter the infamous hang at "150 Opening ASCII mode data connection". This typically occurs when:
- Using external FTP clients (FileZilla, WinSCP, etc.)
- Trying to list directory contents with DIR/LS commands
- Connecting via public IP/hostname while localhost works
The key observation here is that localhost connections work while external ones fail. This indicates:
1. FTP service is running correctly (proven by localhost success)
2. Control channel (port 21) is accessible (initial connection succeeds)
3. Data channel negotiation fails (happens after 150 response)
Modern FTP clients default to passive mode, which requires additional ports:
# IIS FTP Server Passive Port Range Configuration (Command Line)
appcmd set config /section:system.ftpServer/firewallSupport ^
  /lowDataChannelPort:50000 ^
  /highDataChannelPort:50100
You must open these ports in both Windows Firewall and AWS Security Groups.
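For Windows Firewall, run these PowerShell commands (New-NetFirewallRule requires Windows Server 2012 or later; on Server 2008 R2, add the rule with netsh advfirewall instead):
# Open passive port range
New-NetFirewallRule -DisplayName "FTP Passive Ports" -Direction Inbound `
  -LocalPort 50000-50100 -Protocol TCP -Action Allow
# Verify IIS FTP binding (PowerShell)
Import-Module WebAdministration
Get-WebBinding -Protocol "ftp" | Format-List *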
To diagnose the exact failure point, use these FTP client commands with verbose logging:
ftp> open ftp.yourdomain.com
ftp> debug on # Enable verbose logging
ftp> passive # Explicitly set mode
ftp> dir # Should now show port negotiation details
Use Wireshark with this capture filter to isolate FTP traffic:
tcp port 21 or tcp portrange 50000-50100
Look for:
- PORT/PASV command exchange
- TCP SYN packets with no corresponding SYN-ACK
- Reset (RST) packets indicating blocked connections
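To read the PORT/PASV exchange that the debug output or capture shows, the following added example (not part of the original page) decodes the h1,h2,h3,h4,p1,p2 tuple and flags the two misconfigurations this page covers: a wrong advertised address and a data port outside the opened range. The function names, the sample replies and the 203.0.113.10 control address are constructed for illustration; the default range is the 50000-50100 range configured above.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply to PASV (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(line):
    """Return (IPv4Address, port) from a 227 reply or a PORT command line."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def diagnose_pasv(reply, control_ip, port_min=50000, port_max=50100):
    """Return reasons a remote client could hang after '150' for this reply."""
    ip, port = decode_hostport(reply)
    findings = []
    if ip != ipaddress.IPv4Address(control_ip):
        kind = "private" if ip.is_private else "different"
        findings.append("server advertises %s address %s instead of %s; "
                        "check externalIp4Address" % (kind, ip, control_ip))
    if not port_min <= port <= port_max:
        findings.append("data port %d is outside the opened range %d-%d; "
                        "check the IIS data channel port range"
                        % (port, port_min, port_max))
    return findings


if __name__ == "__main__":
    # Constructed sample replies, as an FTP client's debug output would show them.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,195,120)",  # healthy
        "227 Entering Passive Mode (10,0,0,12,195,80)",      # internal IP advertised
        "227 Entering Passive Mode (203,0,113,10,212,45)",   # port range not applied
    ]
    for reply in samples:
        print(reply, "->", diagnose_pasv(reply, "203.0.113.10") or "ok")
```

Pass the address the client used for the control connection as control_ip; an empty list means the advertised endpoint matches the firewall configuration, so the block lies elsewhere on the path.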
If persistent issues remain:
- Force Active Mode in client settings (not recommended for security)
- Configure Data Channel Port explicitly:
ftp> quote PORT 192,168,1,100,200,156
- Switch to FTPS (FTP over SSL) which often bypasses firewall issues