HPE Community
Operating System - HP-UX
1754320 Members
3041 Online
108813 Solutions
New Discussion

FTPS times out on the data port

 
dictum9
Super Advisor

‎11-17-2016 08:22 AM

‎11-17-2016 08:22 AM

FTPS times out on the data port

 

On hp-ux 11.31 connecting to the mainframe, specifying port 990 which should then switch to 989 data port. 

Used to connect via ftp now they upgraded to ftps and I must use ftp with the SSL/TLS option turned on. 

I have the FTPS keys setup correctly and invoke the command with the -z options. I connect on the 990 port, authenticate however when I try to move the data, I get timeouts. ftps is just an alias to ftp with -z options pointing to various certs.

 

I engaged the network team both on our side and on the mainframe side. On my end, the network team says: 

"We do not see 989 traffic from either side."

The mainframe side says they see the traffic from 990, try to open 989 by sending sync,sync,sync requests that do not get answered from our side and time out. Our people are saying they don't see any requests.   

How does one go about troubleshooting this problem? 

# ftps
Connected to xx.xxx.xx.xx.
220- IBM at xxxxxxxxxxx, 10:34:13 on 2016-11-17.
220-By using this IS (which includes any device attached to this IS),
220-you consent to the following conditions:
234 Security environment established - ready for negotiation
[TLSv1/SSLv3, cipher EXP-RC4-MD5, 128 bits]
Name (xx.xxx.xx.xx:xxxxx):xxxxx
331 Send password please.
Password:
230 xxxx is logged on. Working directory is "xxxxx.".
200 Protection buffer size accepted
200 Data connection protection set to private
TLS/SSL protection of data connections on.
Remote system type is MVS.
ftp>
ftp> ls
200 Port request OK.
425 Unable to open data connection.
ftp>

 

 

0 Kudos
Reply
4 REPLIES 4
Steven Schweda
Honored Contributor

‎11-17-2016 09:14 AM

‎11-17-2016 09:14 AM

Re: FTPS times out on the data port

> [...] connecting to the mainframe, [...]

   I see very little information in your problem description about the
FTP[S] server software on that system, or about the network connection
between the client and server.

> [...] specifying port 990 which should then switch to 989 data port.

   In active mode, perhaps.  Knowing nothing about the server software,
I can imagine that it doesn't use active mode.  Have you tried selecting
passive mode on the client side?

> The mainframe side says they see the traffic from 990, try to open 989
> by sending sync,sync,sync requests that do not get answered from our
> side and time out. Our people are saying they don't see any requests.

   How many firewalls separate these systems?  Can they all handle
active-mode FTP[S] on arbitrary ports?  Have you tried passive mode?

Reply
dictum9
Super Advisor

‎11-18-2016 02:49 AM

‎11-18-2016 02:49 AM

Re: FTPS times out on the data port

Passive mode fixed it, the -p flag given to the ftp program. 

Is that because they could not handle active/passive modes?  In passive mode, the client initiates both connections, right?

 

0 Kudos
Reply
Steven Schweda
Honored Contributor

‎11-18-2016 04:06 AM

‎11-18-2016 04:06 AM

Re: FTPS times out on the data port

> Passive mode fixed it, the -p flag given to the ftp program.

   I'd expect there to be a "passive" command and an FTPMODE environment
variable, too.

      man ftp

> Is that because they could not handle active/passive modes?

   Define "they".  As I wrote before:

> I see very little information in your problem description about the
> FTP[S] server software on that system, or about the network connection
> between the client and server.

> How many firewalls separate these systems? Can they all handle
> active-mode FTP[S] on arbitrary ports?

   My psychic powers are no stronger now than they were when that was
written, so the info is still true, and the questions remain.

> In passive mode, the client initiates both connections, right?

   Yes, but the more important part may be that no one needs to guess
about where the second (data) port might be.  If there are firewalls
between the systems, passive mode is easier for a firewall to handle.

      http://slacksite.com/other/ftp.html

(Or do your own Web search for keywords like, say, "ftp" and "passive".)

Reply
dictum9
Super Advisor

‎11-18-2016 06:49 AM

‎11-18-2016 06:49 AM

Re: FTPS times out on the data port

There are 3 firewalls between the two machines, at least 3.

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.