Products: VMware NSX-T Data Center, VMware NSX-T Data Center 2.x
Cause
The FTP protocol uses an architecture with two channels of communication. First a control connection is established on port 21. Then, depending on the mode, the client and server exchange a dynamic port which they use for a parallel data channel. In Passive mode, the FTP server sends the client both the server's IP address and the dynamic port on which it is listening. In Extended Passive Mode (EPSV), the FTP server sends only the dynamic port number, as seen in the sample packet capture above. Due to this software issue, when Extended Passive Mode is used the ALG rule will match the control connection but may fail to learn the dynamic port, and so will not match the data channel traffic.
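The following is an added example, not code from the article or from the NSX-T product, showing what a stateful firewall's FTP ALG has to learn from the two reply formats described above. A PASV reply (code 227) carries both the server address and the port, while an EPSV reply (code 229, RFC 2428 format `(|||port|)`) carries only the port, so the ALG must fall back to the server address it already knows from the control connection. The sample replies and addresses are constructed, and the `understands_epsv` flag is a hypothetical switch used to model the failure mode the article describes: an ALG that only parses 227 replies opens no pinhole for an EPSV data channel.

```python
import re
from typing import Optional, Tuple

# Constructed sample server replies (not taken from the article's capture).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50001|)"
CONTROL_SERVER_IP = "192.0.2.10"  # server address of the port-21 control connection

# 227 reply: six comma-separated decimals, h1,h2,h3,h4,p1,p2 (parentheses optional in practice).
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 reply: a delimiter character repeated three times, the port, the delimiter again.
EPSV_RE = re.compile(r"^229 [^(]*\(([\x21-\x7e])\1\1(\d{1,5})\1\)")


def _valid_port(port: int) -> bool:
    return 1 <= port <= 65535


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (server_ip, data_port) from a 227 reply, or None if it does not parse."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return (ip, port) if _valid_port(port) else None


def parse_epsv(reply: str, control_server_ip: str) -> Optional[Tuple[str, int]]:
    """Return (server_ip, data_port) from a 229 reply.

    The reply carries no address, so the ALG must reuse the server address
    learned from the control connection.
    """
    m = EPSV_RE.match(reply)
    if not m:
        return None
    port = int(m.group(2))
    return (control_server_ip, port) if _valid_port(port) else None


def learn_data_pinhole(reply: str, control_server_ip: str,
                       understands_epsv: bool = True) -> Optional[Tuple[str, int]]:
    """Decide which (server_ip, port) the firewall should open for the data channel.

    understands_epsv=False models an ALG that only knows the 227 format: the
    control connection is still matched, but no data pinhole is learned for EPSV.
    """
    if reply.startswith("227 "):
        return parse_pasv(reply)
    if reply.startswith("229 ") and understands_epsv:
        return parse_epsv(reply, control_server_ip)
    return None


def data_flow_allowed(pinhole: Optional[Tuple[str, int]], dst_ip: str, dst_port: int) -> bool:
    """True if a client->server data connection matches the learned pinhole."""
    return pinhole is not None and pinhole == (dst_ip, dst_port)


if __name__ == "__main__":
    for reply in (PASV_REPLY, EPSV_REPLY):
        for epsv_ok in (True, False):
            pinhole = learn_data_pinhole(reply, CONTROL_SERVER_IP, understands_epsv=epsv_ok)
            print(f"{reply[:3]} understands_epsv={epsv_ok}: pinhole={pinhole}")
```

Running the block prints the pinhole learned from each reply; with `understands_epsv=False` the 229 reply yields no pinhole at all, which is the situation in which a separate allow rule for the high dynamic port range is the only way the data connection gets through.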
Resolution
This issue is resolved in NSX-T Data Center 2.5.0.
Workaround: Configure the FTP application to use standard Passive mode instead of Extended Passive Mode, or add another DFW allow rule to permit the high dynamic port traffic between the FTP client and server.