"425 Security:Bad IP connection" error

Article ID: 271378

Products

ASG-S500

Issue/Introduction

FTP connectivity issue returns a "425 Security:Bad IP connection" error

Environment

Release : SG/ASG/ISG-Proxy

Cause

Investigating the PCAP, you should see outputs similar to the below.

Analysis

The FTP service uses two connections: a control connection and a data connection. By default, the FTP server checks during data transmission whether the source IP addresses of the two connections are the same; if they are not, it reports a "425 Security:Bad IP connection" error. This issue is often caused by clients behind a NAT that maps to more than one public IP address, so the two connections leave the NAT with inconsistent source IPs.
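The following script is an added troubleshooting example, not code from the article or from Broadcom: it models the server-side check described above on a constructed flow summary of the kind you would pull out of a PCAP. It parses the 227 "Entering Passive Mode" reply to learn which data port belongs to which control session, then reports data connections whose source IP differs from the source IP of their control session, which is exactly the condition that triggers the 425 reply. All addresses, ports and reply lines are constructed sample values.

```python
"""Added example: correlate FTP control and data connections and flag the
source-IP mismatch behind "425 Security:Bad IP connection".
All flow records below are constructed sample data, not a real capture."""
import re
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One TCP flow as seen from the server side (constructed stand-in for PCAP output)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    replies: list = field(default_factory=list)  # FTP reply lines, control flows only


# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None for any other reply."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def find_bad_ip_connections(flows, ftp_port=21):
    """Match each passive data connection to the control session that announced
    its port and return (control_src_ip, data_src_ip, data_port) for every data
    connection whose source IP differs from the control connection's source IP."""
    expected = {}  # (server_ip, data_port) -> source IP of the control connection
    for f in flows:
        if f.dst_port != ftp_port:
            continue
        for line in f.replies:
            pasv = parse_pasv(line)
            if pasv:
                expected[pasv] = f.src_ip
    mismatches = []
    for f in flows:
        ctrl_src = expected.get((f.dst_ip, f.dst_port))
        if ctrl_src is not None and f.src_ip != ctrl_src:
            mismatches.append((ctrl_src, f.src_ip, f.dst_port))
    return mismatches


# Constructed sample: a client behind a NAT pool with two public addresses,
# plus a healthy single-address session for comparison.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 51234, "198.51.100.5", 21,
         replies=["220 FTP server ready",
                  "227 Entering Passive Mode (198,51,100,5,195,80)"]),
    # Data connection leaves the NAT via its second public IP -> server rejects it
    Flow("203.0.113.11", 51235, "198.51.100.5", 195 * 256 + 80),
    Flow("192.0.2.7", 40000, "198.51.100.5", 21,
         replies=["227 Entering Passive Mode (198,51,100,5,200,1)"]),
    Flow("192.0.2.7", 40001, "198.51.100.5", 200 * 256 + 1),
]

if __name__ == "__main__":
    for ctrl, data, port in find_bad_ip_connections(SAMPLE_FLOWS):
        print(f"425-style mismatch: control from {ctrl}, data from {data}, port {port}")
```

Run on a real capture, the same correlation (control source IP versus data source IP per announced passive port) tells you quickly whether the 425 is a NAT pool problem on the client side or an address selection problem on the proxy's server-side data connection.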

Resolution

  • FTP Proxy Configuration on ProxySG:
    • Check the FTP proxy configuration on the ProxySG appliance. Ensure that it's properly configured to handle FTP connections and data transfers. 
  • FTP Passive Mode (PASV):
    • The default FTP data transfer mode is active mode, which can be problematic when clients are behind a NAT. Consider using passive mode (PASV) for data transfers instead. Passive mode allows the client to open a random port for data transfer, which can help avoid NAT-related issues.
  • NAT Configuration:
    • If possible, review and adjust the NAT configuration on the firewall or router that is performing NAT for the clients. You might need to configure a range of ports for passive mode FTP data transfers and ensure that these ports are properly forwarded to the correct internal IP address.
  • ProxySG Network Configuration:
    • Ensure that the ProxySG appliance is correctly configured with the appropriate network settings, including IP addresses, subnet masks, and default gateways.
  • Client Configuration:
    • Advise users behind the NAT to configure their FTP client to use passive mode (PASV) for data transfers. Ensure that clients are using the correct FTP server address and ports when connecting through the ProxySG.
  • Testing and Monitoring:
    • Test the FTP data transfer with a variety of clients to ensure that the issue is resolved.
    • Monitor ProxySG event logs for any further errors or unexpected behavior related to FTP connections.

Notes:

The FTP client determines whether the client-side data connection is active or passive from the client to the appliance. The appliance determines the server-side connections.

By default, the appliance allows both active and passive data mode connections. FTP connections are divided into client-side control and data connections and server-side control and data connections.

Client-side control connection: The proxy always uses the IP address of the client to respond to the client. No configuration is necessary here.

Client-side data connection: The behavior of the proxy depends on the ftp.match_client_data_ip(yes | no) property that is set in policy using CPL. If this property is enabled (the default), the proxy uses the same IP address for the data connection as it uses for the client-side control connection. If the property is disabled, the proxy uses its own IP address, choosing the address that is associated with the interface that is used to connect back to the client.

When an FTP client uses different protocols for control and data connections (for example, IPv4 for control and IPv6 for data), the ftp.match_client_data_ip property must be set to no so that the address of the appliance is used for the data connection. Because each interface is configured with an IPv4 and an IPv6 address in a mixed internet protocol environment, the appliance uses the appropriate IP address for the type of FTP server. For example, for transferring data to an IPv6 FTP server, the appliance sets up the data connection using its IPv6 address.

When the client-side data and control connections are over IPv4 and the server-side control and data connections are over IPv6, the ftp.match_client_data_ip property can be set to yes.

Server-side control connection: The proxy uses the IP address that is selected by the reflect_ip(auto | no | client | vip | ip_address) property. By default, this IP address is the local proxy IP address that is associated with the interface that is used to connect to the server.

Client IP reflection is set globally from the Configuration > Proxy Settings > General tab. By default, the CPL reflect_ip( ) setting is auto, which uses this global configuration value. Client IP reflection is automatically disabled when the client is IPv4 and the server is IPv6.

Note: Setting client IP address reflection for FTP affects the source address that is used when making the outgoing control connection to the origin server. Setting reflection for FTP might also affect which address is used by the proxy for data connections.

For more on the above, including the Server-Side Data Connections Mode, refer to the Tech. Doc. below.

Manage the FTP and FTPS Proxies

So, the resolution focuses on ensuring that the appliance uses the same IP address for both the control and data connections with the FTP server. To achieve this, set the following property in CPL.

ftp.match_client_data_ip(yes)

To make the data connection using the control connection's IP address, the CPL script would be as shown below.

<Proxy>
    ; Use the control connection's IP address for the data connection as well
    ftp.match_client_data_ip(yes)

Apply the configuration as described to resolve the reported error, and contact Technical Support if you have further related queries. Review the Tech. Doc. referenced above for end-to-end clarity.