Proxy SG access log uploading fails: 425 Failed to establish connection

Article ID: 231700

Products

ProxySG Software - SGOS, Reporter

Issue/Introduction

Access log upload to a remote FTP server (i.e. Reporter) fails with the following errors:

"Access Log FTP (main): 425 Failed to establish connection."  0 E0000:96  alog_ftp_client.cpp:1745

"Access Log FTP (main): Error sending STOR m_CommandBuffer.  Client received 425 response. Closing connections."  74 E000A:1  alog_ftp_client.cpp:1404

 

Environment

ProxySG and the Reporter/external FTP server are on different networks.

Cause

The FTP data connection is being blocked by an intermediate device (i.e. mostly a firewall) in the path from ProxySG to the remote FTP server (i.e. Reporter).

To confirm this, take packet captures on ProxySG and on the remote FTP server at the same time, perform a test log file upload from ProxySG, and review the captures from both sides.

Resolution

For example, suppose that on ProxySG the FTP upload client for the access log "main" is configured to use a custom port (i.e. port 2434).

What generally happens is that only port 2434, on which the FTP control connection is established, is allowed, and the firewall rule needed to allow the FTP data connection is not configured.

There are two options to resolve this issue:

Option-1) (Use Passive FTP)

1) On ProxySG, configure the FTP upload client to use Passive FTP:

  • Select Configuration > Access Logging > Logs > Upload Client.
  • From the Log drop-down list, select the log facility to configure.
  • Select FTP client from the Client type drop-down list. Click the Settings button and make sure Use Passive FTP is checked.

2) Ask your firewall team to configure the following rule to allow the FTP data connection between ProxySG and the remote FTP server so that log upload succeeds.

| Source IP | Source Ports | Destination IP | Destination Ports |
|---|---|---|---|
| ProxySG IP | Any random port between 1024:65535 | Remote FTP server IP (i.e. Reporter) | Port range: 30010 to 30019 (i.e. this is the default passive port range of Broadcom Reporter's local FTP server) |

 

Option-2) (Use Active FTP)

1) On ProxySG, configure the FTP upload client to use Active FTP:

  • Select Configuration > Access Logging > Logs > Upload Client.
  • From the Log drop-down list, select the log facility to configure.
  • Select FTP client from the Client type drop-down list. Click the Settings button and make sure Use passive FTP is unchecked.

2) Ask your firewall team to configure the following rule to allow the FTP data connection between ProxySG and the remote FTP server so that log upload succeeds.

| Source IP | Source Port | Destination IP | Destination Ports |
|---|---|---|---|
| Remote FTP server IP (i.e. Reporter) | 2433 | ProxySG IP | Any random port between 1024:65535 |

 

Note: If you're using the default FTP ports, use port 20 instead of port 2433 for the FTP data connection in the firewall rule mentioned above.
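When reviewing the packet captures described under Cause, the FTP control channel itself states which data connection the firewall has to permit. The following is an added example, not Broadcom code: it decodes the `227` passive reply or the `PORT` command and lists the matching rule. The function names, the sample control lines and the documentation-range IP addresses are constructed for illustration, and the active-mode source port is assumed to be the control port minus one, as in the article's 2434/2433 and 21/20 pairs.

```python
import re

# Default passive range of Reporter's local FTP server, as stated in the article.
REPORTER_PASV_RANGE = range(30010, 30020)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line):
    """Return (mode, ip, port) for a 227 PASV reply or a PORT command, else None."""
    line = line.strip()
    if line.startswith("227"):
        mode = "passive"
    elif line.upper().startswith("PORT "):
        mode = "active"
    else:
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    # h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256 + p2
    return mode, ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def required_rules(control_lines, proxy_ip, server_ip, control_port):
    """List the data connections a firewall must permit for this control session."""
    rules = []
    for line in control_lines:
        ep = data_endpoint(line)
        if ep is None:
            continue
        mode, ip, port = ep
        if mode == "passive":  # ProxySG opens the data connection to the server
            rules.append({"mode": mode, "src": proxy_ip, "dst": ip, "dst_port": port,
                          "in_reporter_range": port in REPORTER_PASV_RANGE})
        else:  # server connects back, assumed to use control port - 1 as source
            rules.append({"mode": mode, "src": server_ip, "src_port": control_port - 1,
                          "dst": ip, "dst_port": port})
    return rules

# Constructed control-channel lines (documentation addresses, not real captures).
PASSIVE_SESSION = ["PASV", "227 Entering Passive Mode (192,0,2,10,117,58)",
                   "STOR main.log.gz", "425 Failed to establish connection."]
ACTIVE_SESSION = ["PORT 198,51,100,5,200,21", "STOR main.log.gz",
                  "425 Failed to establish connection."]

if __name__ == "__main__":
    for s in (PASSIVE_SESSION, ACTIVE_SESSION):
        for rule in required_rules(s, "198.51.100.5", "192.0.2.10", 2434):
            print(rule)
```

A passive rule with `in_reporter_range` set to `False` means the server advertised a port outside 30010 to 30019, so a firewall rule limited to that range would still block the upload.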