Passive FTP Does Not Work for External Users for a NetScaler VPX Instance on Amazon Web Services

Article ID: CTX139119

Description

An FTP virtual server is configured with the internal IP address 10.x.x.x on port 21 on a NetScaler VPX instance in a DMZ on Amazon Web Services (AWS); the backend FTP server has the public IP address 54.x.x.x and also listens on port 21. The FTP connection works for users who access the server internally, but fails for users who access the server externally.

Resolution

The PASV response must carry the public IP address 54.x.x.x. The NetScaler appliance passes this information to the external client as is, without rewriting it, so the backend server itself must advertise the public address.
As a workaround for this issue, complete the following procedure:
  1. Configure an FTP virtual server on port * and protocol ANY with backend services on port * and protocol ANY, and remove the virtual server configured with FTP protocol.

  2. Add the line "pasv_address=54.x.x.x" to the /etc/vsftpd/vsftpd.conf file on the backend FTP server.

  3. Run the following command from the command line interface of the backend FTP server to restart the vsftpd daemon after changing the file:
    /etc/init.d/vsftpd restart

The following is a sample client session against the preceding workaround (the ftp client run with verbose and debug output, in passive mode):
user-iMac:~ username$ ftp -v -d -p 54.x.x.x
Connected to 54.x.x.x.
220 (vsFTPd 2.2.2)
ftp_login: user `<null>' pass `<null>' host `54.x.x.x'
Name (54.x.x.x:username): anonymous
331 Please specify the password.
Password:
230 Login successful.
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
211-Features:
EPRT
EPSV
MDTM
PASV
REST STREAM
SIZE
TVFS
UTF8
211 End
features[FEAT_FEAT] = 1
features[FEAT_MDTM] = 1
features[FEAT_MLST] = 0
features[FEAT_REST_STREAM] = 1
features[FEAT_SIZE] = 1
features[FEAT_TVFS] = 1
got localcwd as `/Users/dalemccoon'
257 "/"
got remotecwd as `/'
ftp> quote pasv
227 Entering Passive Mode (54,x,x,x,47,30).

Before updating the vsftpd.conf file, running the following command returns an incorrect PASV response containing the internal IP address of the backend FTP server:
ftp> quote pasv
---> pasv
227 Entering Passive Mode (10,x,x,x,47,19).

After updating the vsftpd.conf file, running the same command returns a correct PASV response containing the public IP address of the backend server:
ftp> quote pasv
---> pasv
227 Entering Passive Mode (54,x,x,x,46,249).

Problem Cause

FTP requests from external users time out because the internal virtual IP (VIP) address 10.x.x.x is returned in the PASV (passive) response, as shown in the following screen shot:

(Screen shot: PASV response)

The NAT firewall cannot rewrite the IP address inside the PASV response. The client then attempts its data connection to the internal IP address from that response, and the connection times out because that address is not reachable from outside the network.
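The before/after PASV replies in the Resolution section and the problem cause above both come down to one check: does the address inside the "227 Entering Passive Mode" reply match the address the client actually connected to, and is it routable from outside? The following Python script is an added example, not part of the Citrix article. It parses the RFC 959 PASV reply (tolerating the stray spaces that appear in copied logs), computes the data port as p1*256+p2, flags a private data address handed to a client that arrived over a public address, and verifies that a vsftpd.conf contains the pasv_address line from step 2. The IP addresses 10.0.0.5 and 54.1.2.3 and the sample replies are constructed for this example; they are not values from the article.

```python
"""Added example: diagnose FTP PASV replies that external clients cannot use.

Not part of the Citrix article. All addresses and replies below are constructed.
"""
import ipaddress
import re

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
# Whitespace inside the parentheses and a missing ")" are tolerated, because
# copied terminal logs often look like that.
_PASV_RE = re.compile(
    r"227[^(]*\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)?"
)


def parse_pasv(reply):
    """Return (ip_string, port) advertised by a 227 PASV reply."""
    match = _PASV_RE.search(reply)
    if not match:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(g) for g in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # high byte, low byte
    return ip, port


def diagnose_pasv(reply, control_ip):
    """Classify a PASV reply relative to the address the client connected to.

    Returns (data_ip, data_port, verdict) where verdict is one of:
      "unreachable" - a private (RFC 1918) data address was advertised to a
                      client that reached the server via a public address;
                      this is the failure the article describes.
      "mismatch"    - data address is routable but differs from the control
                      address (worth checking NAT and pasv_address).
      "ok"          - data address equals the control address.
    """
    data_ip, port = parse_pasv(reply)
    data_addr = ipaddress.IPv4Address(data_ip)
    control_addr = ipaddress.IPv4Address(control_ip)
    if data_addr.is_private and not control_addr.is_private:
        return data_ip, port, "unreachable"
    if data_addr != control_addr:
        return data_ip, port, "mismatch"
    return data_ip, port, "ok"


def vsftpd_pasv_address(conf_text):
    """Return the effective pasv_address from vsftpd.conf text, or None.

    Blank lines and '#' comments are ignored; the last assignment wins,
    which is how vsftpd treats repeated keys.
    """
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "pasv_address":
            value = val.strip()
    return value


# Constructed sample replies mirroring the article's before/after output.
REPLY_BEFORE = "227 Entering Passive Mode (10,0,0,5,47,19)."
REPLY_AFTER = "227 Entering Passive Mode (54,1,2,3,46,249)."
# Constructed vsftpd.conf fragment after applying step 2 of the workaround.
CONF_AFTER = "# constructed sample\nlisten=YES\npasv_address=54.1.2.3\n"

if __name__ == "__main__":
    for reply in (REPLY_BEFORE, REPLY_AFTER):
        print(reply, "->", diagnose_pasv(reply, "54.1.2.3"))
    print("pasv_address in conf:", vsftpd_pasv_address(CONF_AFTER))
```

Run it against real replies by sending `quote pasv` as the article does and pasting the 227 line; an "unreachable" verdict with a public control address is exactly the symptom of a missing pasv_address.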

Issue/Introduction

The FTP connection works for users who access the server internally, but fails for users who access the server externally. This article contains information about this issue.