Access log upload to a remote FTP server (i.e. Reporter) fails with the following errors:
"Access Log FTP (main): 425 Failed to establish connection." 0 E0000:96 alog_ftp_client.cpp:1745
"Access Log FTP (main): Error sending STOR m_CommandBuffer. Client received 425 response. Closing connections." 74 E000A:1 alog_ftp_client.cpp:1404
ProxySG and the Reporter/external FTP server are in different networks.
The FTP data connection is being blocked by an intermediate device (in most cases a firewall) in the path from ProxySG to the remote FTP server (i.e. Reporter).
To confirm this, take packet captures on ProxySG and on the remote FTP server at the same time, then perform a test log file upload from ProxySG and review the captures from both sides.
For example, on ProxySG, for access log type "main" with upload client FTP, the FTP client is configured to use a custom port (i.e. port 2434).
What generally happens is that only port 2434 is allowed, on which the FTP control connection is established, but the firewall rule needed to allow the FTP data connection is not configured.
There are two options to resolve this issue:
Option-1) (Use Passive FTP)
1) On ProxySG, configure the FTP upload client to use Passive FTP.
2) Ask your firewall team to configure the following rule to allow the FTP data connection between the proxy and the remote FTP server for successful log upload.
Source IP | Source Ports | Destination IP | Destination Ports |
ProxySG IP | Any random port between 1024:65535 | Remote FTP server IP (i.e. Reporter) | Port range 30010 to 30019 (the default passive port range of Broadcom Reporter's local FTP server) |
Option-2) (Use Active FTP)
1) On ProxySG, configure the FTP upload client to use Active FTP.
2) Ask your firewall team to configure the following rule to allow the FTP data connection between the proxy and the remote FTP server for successful log upload.
Source IP | Source Port | Destination IP | Destination Ports |
Remote FTP server IP (i.e. Reporter) | 2433 | ProxySG IP | Any random port between 1024:65535 |
Note: If you're using the default FTP ports, use port 20 instead of port 2433 in the firewall rule above for the FTP data connection.
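
When reviewing the packet captures described above, the data-connection endpoint can be read from the plaintext FTP control channel: the 227 reply (passive) or the PORT command (active) encodes the IP and port that the firewall has to allow. The following Python example is added here and is not part of the original article or any Broadcom tool; the sample control lines, IP addresses and file name are constructed, and the function names are hypothetical.

```python
import re

# Default passive port range of Reporter's local FTP server (from the article).
REPORTER_PASV_PORTS = range(30010, 30020)
SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line):
    """Parse a PORT command or a 227 reply into (mode, ip, port); None otherwise."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"    # server connects back to the client (ProxySG)
    elif line.startswith("227 "):
        mode = "passive"   # client (ProxySG) connects to the server
    else:
        return None
    m = SIX.search(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    # h1,h2,h3,h4 form the IP address; the port is p1 * 256 + p2.
    return mode, ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def failed_data_connections(control_lines):
    """Return the negotiated data endpoints that were followed by a 425 reply."""
    failed, pending = [], None
    for line in control_lines:
        ep = data_endpoint(line)
        if ep:
            pending = ep
        elif line.strip().startswith("425") and pending:
            mode, ip, port = pending
            failed.append({
                "mode": mode, "dst_ip": ip, "dst_port": port,
                # Only meaningful for passive mode against Reporter defaults.
                "in_reporter_range": mode == "passive" and port in REPORTER_PASV_PORTS,
            })
            pending = None
    return failed

# Constructed control-channel lines, as they would appear on port 2434.
SAMPLE = ["PASV", "227 Entering Passive Mode (10,0,0,5,117,63)",
          "STOR main.log", "425 Failed to establish connection."]

if __name__ == "__main__":
    for entry in failed_data_connections(SAMPLE):
        print(entry)
```

A failed passive endpoint whose port is inside 30010 to 30019 points to a missing firewall rule; one outside that range means the server is not using Reporter's default passive range and the rule must match the range actually configured.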