While running EXEC PGM=FTP using FTP-TLS against the ftp.broadcom.com server (IP address 141.202.253.50), the client receives error messages on the directory (LIST) command:
EZA1701I >>> LIST
SC2385 connDsConnectionIPv4: connect() failed on socket 2, retry_conn = 0 - EDC8127I Connection timed out. (errno2=0x76630291)
550 20 second timeout while waiting for PASV connection on port 28###.
EZA1735I Std Return Code = 14550, Error Code = 00008
In addition, you may see:
550-Could not reach you. Are you behind a firewall or router? (Try using PASV mode to connect.)
550 Could not build data connection to host (141.202.253.50:28### was unreachable).
z/OS, *nix file transfer server
The typical cause of this is that outbound TCP connections from the z/OS system to the server on dynamic high ports are not being permitted. The Client’s mainframe issued a connect() call to port 28###, but the request timed out.
Because the session uses explicit FTPS (AUTH TLS), the FTP control channel is encrypted. As a result, firewall devices cannot inspect the PASV negotiation and dynamically open the required data ports. Traditional FTP ALG inspection does not function with encrypted FTPS traffic. Consequently, the outbound connect() to port 28### is dropped by the Client's network security, most likely in their firewall. A silent drop is consistent with the symptom: the client sees a timeout (EDC8127I) rather than a connection refused, because no RST or ICMP unreachable ever comes back.
Looking further into the full log, you will most likely see the following:
When the client issued a directory request (LIST command), the server responded in Passive Mode (PASV) with:
227 Entering Passive Mode (141,202,253,50,###,###)
This instructs the client to open a data connection to:
141.202.253.50 port 28###
The z/OS FTP client attempted this connection and received:
EDC8127I Connection timed out
550 20 second timeout while waiting for PASV connection on port 28###.
This is a Layer-4 TCP timeout establishing the FTP data channel.
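The following Python is an added diagnostic, not code from the original article or from Broadcom. It decodes a 227 PASV reply the same way the FTP client does (data port = p1*256 + p2, per RFC 959), checks the resulting port against the 28000–28500 range this article asks the firewall team to open, and can attempt the same TCP connect() with a short timeout so you can reproduce the Layer-4 failure from the LPAR (or any host behind the same firewall). The sample 227 replies and their port values are constructed for illustration; the article only shows the real ports as 28###.

```python
"""Added diagnostic (not part of the original article): decode a 227 PASV
reply, check the data port against the firewall allow-list the article
requires, and probe the port with a short TCP connect() timeout."""
import re
import socket

# Range from the article's resolution; assumed inclusive on both ends.
DATA_PORT_RANGE = (28000, 28500)
CONTROL_PORT = 21

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    The data port is p1*256 + p2. Raises ValueError on anything else."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def port_allowed(port, allowed=DATA_PORT_RANGE):
    """True if the data port falls inside the range the firewall must permit."""
    lo, hi = allowed
    return lo <= port <= hi


def probe(host, port, timeout=5.0):
    """Attempt a TCP connect() like the FTP client does for the data channel.
    Returns 'open', 'timeout' (typical of a firewall silently dropping SYNs),
    'refused' (RST from the host or a rejecting firewall) or 'error'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        s.close()


def diagnose(reply, allowed=DATA_PORT_RANGE):
    """Explain what a 227 reply asks the client to do and whether the
    firewall rule from the article would permit it. No network I/O."""
    host, port = parse_pasv(reply)
    ok = port_allowed(port, allowed)
    verdict = "within allowed range" if ok else "OUTSIDE allowed range %d-%d" % allowed
    return {"host": host, "port": port, "allowed": ok,
            "summary": "data connection to %s:%d (%s)" % (host, port, verdict)}


if __name__ == "__main__":
    # Constructed replies: 109*256+200 = 28104 is inside 28000-28500;
    # 113*256+10 = 28938 is outside it and gets flagged.
    for r in ("227 Entering Passive Mode (141,202,253,50,109,200)",
              "227 Entering Passive Mode (141,202,253,50,113,10)"):
        print(diagnose(r)["summary"])
    # Live probe (run from the LPAR; expect 'timeout' while the firewall drops the SYN):
    # print(probe("141.202.253.50", 28104))
```

Run the live probe from the same network position as the FTP client. A result of `timeout` matches the EDC8127I symptom above and points at a silent drop; `refused` means the packet reached something that answered, which is a different problem. Running `diagnose` over the 227 lines from several failed sessions also tells you whether every port the server handed out actually lies inside the range you are asking the firewall team to open.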
To correct this, the client Network/Firewall team must allow the following:
Conclusion: Allow outbound TCP from the z/OS LPAR to 141.202.253.50 on port 21 (control connection) and ports 28000–28500 (PASV data connections). Because the firewall cannot read the encrypted PASV exchange, this data-port range has to be opened statically rather than relying on FTP ALG/inspection to open ports on demand.
Once these ports are permitted, FTP commands requiring a data channel (LIST, GET, PUT, etc.) should work and transfer data as expected.
If you cannot verify your situation from the above information, please contact Broadcom support teams for your product and ask them to contact the FTP-Support-MSD team if further assistance is needed.