When using FTP passive mode (the default), the FTP server tells Squid the IP address and port number for each data connection. Squid normally checks the given values to make sure they match the server’s IP address. In other words, an FTP server should always use its own IP address in the PASV reply message. If it doesn’t, Squid complains to cache.log and attempts a data connection with the PORT command. Disable the ftp_sanitycheck directive if you want Squid to skip the IP address sanity check.