I dealt with this same issue and here's what is going on. You're using Passive Ports that the airport extreme will support if it's configured correctly. So this isn't a "bug" it's a configuration issue.
The issue at hand is that some routers "need" to "see" the FTP activity, and if the data is encrypted using SSH, then the router blocks the encrypted traffic because it can't "see" that it's FTP traffic that should be allowed due to a request--apple is one such router due to security--which is a good thing.
According to your logs your FTP server is told that the passive ports are between 55536 and 55663 (no suprises here I'm sure). The server will send out a response to the client showing an IP address (your outside ip address should be here) and a port number that will be in the range defined (but not always the same one for each file/session, and a minimum of 50 ports should be given to the server--more if a lot of files are being transfered at one time).
example: in a log file you may see "(84,246,34,80,206,88)" which is IP address: 84.246.34.80 (obvious) port number 52824 (whis is found using this equasion: 206*256=52736 +88=52824 (only with your outside IP address and port number within the range specified by the server).
Ah HA! We've found the problem! So in the router you'll need to open these passive ports for the encrypted traffic (again, no supprise), because data traffic and the session traffic take place on seperate ports and protocols (session traffic is login information, etc. on the standard FTP port of 21, and standard FTP+SSH port 990). SFTP and FTPS are two seperate protocols, and need to be understood as such. Simply stated, one protocol allows the router to "see" that the encrypted traffic is FTP and allowed, the other doesn't--so we just need to allow for the "un-seen" traffic.
Well, now what?
The fix:
1) Under the Network tab of the Airport Utility theres a section titled "port settings."
2) Click the "+" button to add a setting, either select "FTP access" from the dropdown, or add it.
3) Under both "Private TCP ports" and "Public TCP Ports" put in 21 (standard FTP Port). Under Private IP address type the IP address of the destinatin computer (FTP server). *Note: setting a static IP address on the FTP server is strongly suggested*
*note: You do NOT need to allow UDP ports, this may cause a larger security risk.*
4) Repeat step 3 and allow port 990 (standard SSH port).
5) Repeat step 3 one last time an under the TCP ports fill in the range of the passive ports: i.e. "60000-65000" just like that, only with your ports specified by the FTP server. No spaces, no other characters.
6) Apply the settings to the router, and allow it to reset.
7) Test the connection again and report findings.
Both SFTP and FTPS are accepted, and "good" protocols. My opinion is that the FTPS is "better" since even the router can't tell that it's FTP, and to me, that's good because neiter is a hacker. Others may say that the former is "the best" but to each his own.
I hope this helps you out, even though it's been a while.
I did write this as basic as I could for the "average" user, so forgive me if it's too basic.
Cheers!