FTP reply code 425 means the server was unable to open the data connection for a transfer. FTP uses two separate connections: the control connection (port 21) for commands and a separate data connection for file transfers and directory listings. Code 425 indicates the data channel failed. In active mode, the server tries to connect back to the client on the port specified by PORT — if the client is behind a firewall or NAT, this inbound connection is blocked. In passive mode, the client connects to the server on the port provided in the PASV/EPSV response — if that port is firewalled, the connection fails. This is one of the most common FTP errors and is almost always a firewall or NAT issue.
In active mode (PORT), the server initiates a connection from its data port (20) back to the client on the port given in the PORT command. If the client is behind a firewall, NAT router, or corporate network that blocks inbound connections, the data connection fails. Switch to passive mode to fix this.
In passive mode (PASV/EPSV), the client connects to the server on a random high port. If the server's firewall only allows port 21 and does not have the passive port range open, the data connection is blocked.
The server is behind NAT and returns its private IP address in PASV responses. The client cannot connect to a private IP across the internet. The server needs to be configured to report its public IP in passive mode responses.
The client sent RETR, STOR, or LIST without first establishing a data connection mode (PORT for active or PASV/EPSV for passive). The server has no data channel to use.
If you are using active mode, switch to passive mode. Most firewalls and NAT routers allow outbound connections but block inbound. Passive mode ensures the client initiates the data connection outbound.
curl --ftp-pasv -O ftp://ftp.example.com/file.txt
If PASV returns a private IP (the server is behind NAT), use EPSV instead. EPSV only returns the port — the client connects to the same IP used for the control connection, bypassing the NAT IP issue.
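To check which of these cases applies, the following added example (not part of the original page) parses a 227 or 229 reply and reports where the client will send the data connection. The function names, verdict strings, and sample replies are constructed for illustration, and the private-address check is limited to the RFC 1918 ranges.

```python
import ipaddress
import re

# Constructed sample replies, not captured from a real server.
PASV_NAT = "227 Entering Passive Mode (192,168,1,10,195,80)."
PASV_OK = "227 Entering Passive Mode (203,0,113,5,195,80)."
EPSV = "229 Entering Extended Passive Mode (|||50000|)"

# RFC 1918 ranges, checked explicitly (assumption: these are the
# private ranges of interest; extend the list for CGNAT or IPv6 ULA).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; port = p1 * 256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 reply: %r" % reply)
    n = [int(g) for g in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range: %r" % reply)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def parse_epsv(reply):
    """Return the port from a 229 reply of the form (<d><d><d>port<d>)."""
    m = re.search(r"\((.)\1\1(\d{1,5})\1\)", reply)
    if not reply.startswith("229") or not m:
        raise ValueError("not a 229 reply: %r" % reply)
    return int(m.group(2))

def diagnose(reply, control_ip):
    """Return (ip, port, verdict) for the data connection target."""
    if reply.startswith("229"):
        # EPSV carries no address: the client reuses the control IP.
        return control_ip, parse_epsv(reply), "ok"
    ip, port = parse_pasv(reply)
    if is_rfc1918(ip) and not is_rfc1918(control_ip):
        return ip, port, "nat-leak"   # server advertises its private IP
    if ip != control_ip:
        return ip, port, "mismatch"   # differs from the control address
    return ip, port, "ok"
```

A "nat-leak" verdict points to the server-side passive address setting; the returned port is the one to test against the firewall's passive range.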
Verify that both the client's and server's firewalls allow the passive mode port range (typically 1024-65535, or a configured subset). Scan a sample of ports in the range to test connectivity.
If you administer the FTP server and it is behind NAT, configure it to advertise the public IP in PASV responses. In vsftpd: pasv_address=PUBLIC_IP. In ProFTPD: MasqueradeAddress PUBLIC_IP.
For Linux servers, load the nf_conntrack_ftp kernel module. This allows the firewall to inspect FTP control traffic and automatically allow the corresponding data connections.
modprobe nf_conntrack_ftp
The server is ready to transfer the file and is about to open the data connection.
The file transfer completed successfully and the data connection is being closed.
The data connection was closed unexpectedly and the file transfer was aborted.
The server is entering passive mode and has provided the IP and port for the data connection.
The server is entering extended passive mode and has provided the port for the data connection.