Troubleshooting vsftp problem – common problems related to vsftp

– ftp: connect: Connection refused


Most likely, the vsftpd daemon isn’t running. Check /etc/vsftpd/vsftpd.conf, and if it contains “listen=YES” (without a “#” preceding it) it’s configured to run in standalone mode. Start vsftpd thusly.

– 421 Service not available
– 421 Service not available, remote server has closed connection


Check /etc/vsftpd/vsftpd.conf to see if “tcp_wrappers=YES” (without a “#” preceding it) is present. If so, add the following line to the /etc/hosts.allow file. (You can restrict connections to various hosts/domains by using other options besides “ALL”. See the hosts.allow manpage for details.)

– long delay on command after ftp login
– ftp: connection timed out
– ftp: connect: No route to host
– Security: Bad IP connecting.
– 606 no socket

Many people report problems with ftp sessions hanging or throwing errors after the ftp login session is successful. Frequently this is because the ftp-data port is blocked by a firewall or not forwarded by a router. This section describes the configuration of vsftpd to enable passive mode data transfers, along with the accompanying changes to iptables and your router to allow ftp-data connections to pass.

Ftp sessions consist of two channels: a command channel and a data channel, and they each use a different port. While the command channel is (usually) fixed at server port 21, the data channel employs varying ephemeral ports, and this can be problematic in the presence of a firewall since you don’t know from session to session which port the ftp server will use for the data transfer. To get around this, you need to constrain the range of ports used by the server for ftp-data connections, and you need to modify your firewall and, if necessary, your router to enable traffic on that port range.

First, make sure that passive mode is enabled; vsftpd enables it by default, but it doesn’t hurt to set it explicitly. Let’s also restrict the data channel to ports 11000 through 11010. Depending upon the number of concurrent sessions you anticipate on your server, you can increase or decrease the port range by modifying the min and max values. You can also use any port range; I chose 11000 through 11010 at random. Just make sure the min port is greater than 1024. Add these lines to /etc/vsftpd/vsftpd.conf.

Restart vsftpd (or xinetd if you’re running vsftpd under xinetd) to make the changes take effect.

Unblock ports in firewall

Restart the firewall.

– 550 Failed to change directory.


This happens most likely because you’ve established a chroot jail for users, and the user is trying to access a directory outside the jail.

– 500 OOPS: cannot change directory:/foo
– 500 OOPS: Connection closed by remote host.
– 500 OOPS: failed to open xferlog log file:/var/log/xferlog
– 553 could not create file error

This happens because SELinux isn’t properly configured for your ftp service. Either disable SELinux or configure it for ftp.

To disable SELinux, edit /etc/selinux/config and set “SELINUX=disabled”, then reboot.

Please follow and like us:
About shk

shk is a DevOps engineer with more than 12 years of experience in different organizations. He enthusiastic about learning new technologies and shares his knowledge through his blogs.


  1. What about 550 failed to open file, after a get command?


  1. […] vsftpd HomepageWiki Ubuntuusers: vsftpdvsftpd Troubleshooting […]

Comment Policy:

Your words are your own, so be nice and helpful if you can. Please, only use your real name, not your business name or keywords. Using business name or keywords instead of your real name will lead to the comment being deleted. Anonymous commenting is not allowed either. Limit the amount of links submitted in your comment. We accept clean XHTML in comments, but don't overdo it please.

Tell us what you're thinking...

All comments are moderated.

* Denotes required field.



Previous Post:
Next Post: