FTPS transfer configuration

ikkynikinae · ‎06-02-2016

I'm using an FTPS job definition to transfer some files back and forth to a remote host. Naturally, there are firewalls on both sides that were configured to allow for the transfer, and we think we have that worked out. We can connect and so forth, but we seem to be encountering an issue when we are trying to open the data connection.

The request now is to configure the FTPs to use PASSIVE mode. Where is it that I can configure this? Is it an agent setting? A UNIX profile?

Any help would be appreciated. I have the agent in debug mode - here is the snippet where the issue is coming up

(i've changed the IP to 55.66.77.88 to protect the actual hosts)

DEBUG [CryptixProperties] 1 Jun 2016 14:05:56.335 : Successfully loaded the CryptixEDT properties file
INFO [puretls] 1 Jun 2016 14:05:56.402 : PureTLS debug level=0
DEBUG [SSLFTPClient] 1 Jun 2016 14:05:56.404 : Setting custom validator to com.enterprisedt.net.ftp.ssl.SSLFTPStandardValidator
DEBUG [SSLFTPClient] 1 Jun 2016 14:05:56.409 : Turned server validation off
DEBUG [SSLFTPClient] 1 Jun 2016 14:05:56.410 : Created explicit FTPS client.
DEBUG [SSLFTPClient] 1 Jun 2016 14:05:56.410 : Connecting to 55.66.77.88:21
DEBUG [StreamSocketFactory] 1 Jun 2016 14:05:56.417 : Connecting to 55.66.77.88:21 via standard socket
DEBUG [SSLSocket] 1 Jun 2016 14:05:56.656 : Timeout=60000
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:56.841 : 220 Microsoft FTP Service
DEBUG [SSLFTPControlSocket] 1 Jun 2016 14:05:56.842 : DISABLE_CONTROL_SSL_CLOSURE=false
DEBUG [SSLFTPControlSocket] 1 Jun 2016 14:05:56.842 : DISABLE_CONTROL_WAIT_ON_CLOSE=true
DEBUG [SSLFTPControlSocket] 1 Jun 2016 14:05:56.842 : ALLOW_BASIC_CONSTRAINTS_IN_NON_CA=false
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:56.843 : --- AUTH TLS
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:57.036 : 234 AUTH command ok. Expecting TLS Negotiation.
DEBUG [SSLFTPControlSocket] 1 Jun 2016 14:05:57.037 : Starting SSL handshake on control socket
INFO [cryptix] 1 Jun 2016 14:05:57.108 : GLOBAL_TRACE=false
INFO [cryptix] 1 Jun 2016 14:05:57.108 : GLOBAL_DEBUG=false
INFO [cryptix] 1 Jun 2016 14:05:57.108 : GLOBAL_DEBUG_SLOW=false
DEBUG [SSLHandshake] 1 Jun 2016 14:05:57.423 : 2 certificates supplied.0 verified certificates.
DEBUG [SSLHandshake] 1 Jun 2016 14:05:57.424 : isVerified=false, acceptUnverified=true
DEBUG [IJCE_Properties] 1 Jun 2016 14:05:57.441 : Successfully loaded the IJCE properties file
DEBUG [SSLFTPControlSocket] 1 Jun 2016 14:05:57.720 : SSL handshake on control socket complete
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:57.720 : --- PBSZ 0
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:57.917 : 200 PBSZ command successful.
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:57.917 : --- PROT P
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.116 : 200 PROT command successful.
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.116 : --- USER usftpguy
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.311 : 331 Password required
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.311 : --- PASS ********
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.560 : 230 User logged in.
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.561 : --- TYPE A
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.758 : 200 Type set to A.
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.758 : --- CWD FilesToGet
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.957 : 250 CWD command successful.
DEBUG [SSLFTPControlSocket] 1 Jun 2016 14:05:58.960 : ListenOnAllInterfaces=true
DEBUG [SSLFTPControlSocket] 1 Jun 2016 14:05:58.960 : Creating SSLFTPActiveDataSocket
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:58.962 : --- PORT 63,244,70,50,168,15
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:59.157 : 200 PORT command successful.
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:59.157 : --- file1lw4p*.*
DEBUG [FTPControlSocket] 1 Jun 2016 14:05:59.354 : 150 Opening ASCII mode data connection.
DEBUG [FTPClient] 1 Jun 2016 14:06:59.353 : Validate transfer on error after exception : Accept timed out
java.net.SocketTimeoutException: Accept timed out
at java.net.PlainSocketImpl.socketAccept(Native Method)
at java.net.AbstractPlainSocketImpl.accept(AbstractPlainSocketImpl.java:375)
at java.net.ServerSocket.implAccept(ServerSocket.java:478)
at com.enterprisedt.net.puretls.SSLServerSocket.acceptConnection(SSLServerSocket.java:170)
at com.enterprisedt.net.ftp.ssl.SSLProxyServerSocket.acceptConnection(SSLProxyServerSocket.java:60)
at com.enterprisedt.net.ftp.ssl.a.b(SSLFTPActiveDataSocket.java:216)
at com.enterprisedt.net.ftp.ssl.a.getInputStream(SSLFTPActiveDataSocket.java:268)
at com.enterprisedt.net.ftp.pro.ProFTPClient.getInputStream(ProFTPClient.java:445)
at com.enterprisedt.net.ftp.FTPClient.a(FTPClient.java:3801)
at com.enterprisedt.net.ftp.FTPClient.dir(FTPClient.java:3867)
at com.enterprisedt.net.ftp.FTPClient.dir(FTPClient.java:3757)
at ai.a(Unknown Source)
at b.e(Unknown Source)
at b.d(Unknown Source)
at b.p(Unknown Source)
at b.run(Unknown Source)
at java.lang.Thread.run(Thread.java:701)

java.net.SocketTimeoutException: Accept timed out
at java.net.PlainSocketImpl.socketAccept(Native Method)
at java.net.AbstractPlainSocketImpl.accept(AbstractPlainSocketImpl.java:375)
at java.net.ServerSocket.implAccept(ServerSocket.java:478)
at com.enterprisedt.net.puretls.SSLServerSocket.acceptConnection(SSLServerSocket.java:170)
at com.enterprisedt.net.ftp.ssl.SSLProxyServerSocket.acceptConnection(SSLProxyServerSocket.java:60)
at com.enterprisedt.net.ftp.ssl.a.b(SSLFTPActiveDataSocket.java:216)
at com.enterprisedt.net.ftp.ssl.a.getInputStream(SSLFTPActiveDataSocket.java:268)
at com.enterprisedt.net.ftp.pro.ProFTPClient.getInputStream(ProFTPClient.java:445)
at com.enterprisedt.net.ftp.FTPClient.a(FTPClient.java:3801)
at com.enterprisedt.net.ftp.FTPClient.dir(FTPClient.java:3867)
at com.enterprisedt.net.ftp.FTPClient.dir(FTPClient.java:3757)
at ai.a(Unknown Source)
at b.e(Unknown Source)
at b.e(Unknown Source)
at b.d(Unknown Source)
at b.p(Unknown Source)
at b.run(Unknown Source)
at java.lang.Thread.run(Thread.java:701)

DEBUG [FTPControlSocket] 1 Jun 2016 14:06:59.355 : 550
INFO [FTPControlSocket] 1 Jun 2016 14:06:59.356 : Expected reply codes = [225,226,250]
WARN [FTPClient] 1 Jun 2016 14:06:59.356 : Validate transfer on error failed :
com.enterprisedt.net.ftp.FTPException: 550
at com.enterprisedt.net.ftp.FTPControlSocket.validateReply(FTPControlSocket.java:1235)
at com.enterprisedt.net.ftp.FTPClient.validateTransfer(FTPClient.java:2645)
at com.enterprisedt.net.ftp.FTPClient.validateTransferOnError(FTPClient.java:2664)
at com.enterprisedt.net.ftp.FTPClient.a(FTPClient.java:3820)
at com.enterprisedt.net.ftp.FTPClient.dir(FTPClient.java:3867)
at com.enterprisedt.net.ftp.FTPClient.dir(FTPClient.java:3757)
at ai.a(Unknown Source)
at b.e(Unknown Source)
at b.d(Unknown Source)
at b.p(Unknown Source)
at b.run(Unknown Source)
at java.lang.Thread.run(Thread.java:701)

com.enterprisedt.net.ftp.FTPException: 550
at com.enterprisedt.net.ftp.FTPControlSocket.validateReply(FTPControlSocket.java:1235)
at com.enterprisedt.net.ftp.FTPClient.validateTransfer(FTPClient.java:2645)
at com.enterprisedt.net.ftp.FTPClient.validateTransferOnError(FTPClient.java:2664)
at com.enterprisedt.net.ftp.FTPClient.a(FTPClient.java:3820)
at com.enterprisedt.net.ftp.FTPClient.dir(FTPClient.java:3867)
at com.enterprisedt.net.ftp.FTPClient.dir(FTPClient.java:3757)
at ai.a(Unknown Source)
at b.e(Unknown Source)
at b.d(Unknown Source)
at b.p(Unknown Source)
at b.run(Unknown Source)
at java.lang.Thread.run(Thread.java:701)

DEBUG [SSLFTPActiveDataSocket] 1 Jun 2016 14:06:59.357 : close() succeeded

THOMAS EATON · ‎06-10-2016

In our Windows TES environment we list the FTP Host as in your example as 55.66.77.88:21:P

Not sure if this will work in the Unix world though

Joe Fletcher · ‎07-04-2016

We ran into a problem when trying to set up some FTPS jobs. Most of our work uses sftp and in the agent ini file we have "SSLVLDCRT=N" defined to make it work. However it seems that setting this breaks FTPS. It seems that any given agent can't do FTPS and SFTP simultaneously. We were told to create a new agent connection for each type of transfer. Apparently the file transfer engine is 3rd party code so Cisco weren't in a position to do much about the problem when we asked.

I believe that 6.3 may address the problem but I can't swear to that.