OAG Response To PASV FTPS Includes The Private IP Of The OAG Host (Doc ID 1602273.1)

Last updated on JULY 29, 2017

Applies to:

Oracle API Gateway - Version 11.1.2 and later
Information in this document applies to any platform.

Symptoms

An OAG response to an FTPS PASV command includes the private IP of the OAG host.
This presents a problem when the initiator of the FTPS connection is remote and uses a NAT'd IP.

The following lines come from a message exchange that initiates an FTPS transfer in PROT P PASV mode.

Note the two lines extracted from the message exchange:

EZA1736I FTP -r tls xxx.x.xx.xxx 8889 (EXIT
227 Entering Passive Mode (yy,yyy,yy,yyy,yyy,yyy)

The initial connect shows the partner connecting via a NAT'd IP, whereas the 227 response carrying the ephemeral port includes the host's private IP, which will not route from the partner's network.

Here is an example of a full message exchange:

EZA1736I FTP -r tls xxx.x.xx.xxx 8889 (EXIT
EZY2640I Using dd:SYSFTPD=SYS210.SYSFTPD.SECURE.FTP.DATA for local site con
EZA1450I IBM FTP CS V1R13
EZA1772I FTP: EXIT has been set.
EZA1554I Connecting to: xxx.x.xx.xxx port: 8889.
220 Service ready for new user.
EZA1701I >>> AUTH TLS
234 Command AUTH okay; starting TLS connection.
EZA2895I Authentication negotiation succeeded
EZA1701I >>> PBSZ 0
200 Command PBSZ okay.
EZA1701I >>> PROT P
200 Command PROT okay.
EZA2906I Data connection protection is private
EZA1459I NAME (xxx.x.xx.xxx:HDHLEE):
EZA1701I >>> USER MEDS
331 User name okay, need password for MEDS.
EZA1701I >>> PASS
230 User logged in, proceed.
EZA1460I Command:
EZA1736I TYPE A
EZA1701I >>> TYPE A
200 Command TYPE okay.
EZA1460I Command:
EZA1736I PUT 'HDHEMI.E8.ALERTS.TESTFTPS' 'ACA_FTPS01.TXT'
EZA1701I >>> SITE FIXrecfm 700 LRECL=700 RECFM=FB BLKSIZE=27300
502 Command SITE not implemented for FIXRECFM.
EZA1701I >>> PASV
227 Entering Passive Mode (yy,yyy,yy,yyy,yyy,yyy)
EZA1701I >>> STOR ACA_FTPS01.TXT
EZA1636I *** I can't open a data-transfer connection:
150 File status okay; about to open data connection.
425 Can't open data connection.
EZA1735I Std Return Code = 27425, Error Code = 00008
EZA1701I >>> QUIT
EZA2590E gsk_secure_socket_read error from getNextReply - Connection closed
EZA1475I Connection with xxx.x.xx.xxx terminated
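
The symptom can be checked for in a client log by comparing the address in each 227 reply with the address the client dialed. The following is an added example, not code from Oracle or from this document; the function names are hypothetical and the addresses in the sample log are constructed placeholders.

```python
import ipaddress
import re

# RFC 1918 ranges, which do not route across the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The h1,h2,h3,h4,p1,p2 tuple of a 227 reply (RFC 959).
PASV_RE = re.compile(r"^227 .*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")
# Control-connection target as the client logs it in the exchange above.
CONNECT_RE = re.compile(r"^EZA1554I Connecting to: (\d+\.\d+\.\d+\.\d+) port: \d+")
# Constructed sample: the addresses are placeholders, not values from the page.
SAMPLE_LOG = """\
EZA1554I Connecting to: 203.0.113.10 port: 8889.
227 Entering Passive Mode (10,20,30,40,195,80)
"""


def parse_pasv(line):
    """Return (IPv4Address, port) from a 227 reply, or None if malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def check_pasv(dialed_ip, reply_line):
    """Classify the data address in a 227 reply against the address the client dialed."""
    parsed = parse_pasv(reply_line)
    if parsed is None:
        return "unparseable"
    data_ip, dialed = parsed[0], ipaddress.IPv4Address(dialed_ip)
    if data_ip == dialed:
        return "ok"
    leak = any(data_ip in n for n in RFC1918) and not any(dialed in n for n in RFC1918)
    return "private-address-leak" if leak else "mismatch"


def scan_log(text):
    """Return (dialed_ip, advertised_ip, port, verdict) for each 227 reply in a client log."""
    dialed, findings = None, []
    for line in text.splitlines():
        c = CONNECT_RE.match(line)
        if c:
            dialed = c.group(1)
        elif dialed and (p := parse_pasv(line)):
            findings.append((dialed, str(p[0]), p[1], check_pasv(dialed, line)))
    return findings
```

Masked replies such as the ones shown in this document do not parse and are skipped by `scan_log`; run it against an unredacted client log.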

Changes

 

Cause
