[ 
https://issues.apache.org/jira/browse/NET-719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17736345#comment-17736345
 ] 

Darren Lindley commented on NET-719:
------------------------------------

Note that F5 supports many protocols including FTPS. 

We just hit what appears to be this issue in our corporate environment (I have 
not fully checked into the code path in 3.9.0 to see where it failed).

All our FTPs failed to targets that were behind F5 load balancers with 3.9.0. 
Rolling back to 3.8.0 resolved the issue for me. The javax.net trace output 
showed the traffic got to sending the PASV command and then choked and threw 
one of connection timeout or connection refused. 

> FTPS timing issues behind WAF (F5) firewall
> -------------------------------------------
>
>                 Key: NET-719
>                 URL: https://issues.apache.org/jira/browse/NET-719
>             Project: Commons Net
>          Issue Type: Improvement
>          Components: FTP
>    Affects Versions: 3.9.0
>            Reporter: Stefan Kuhr
>            Priority: Major
>         Attachments: FTPSClient_RETR_Timing_diagram_current_impl-1.png, 
> FTPSClient_RETR_Timing_diagram_problem.png, 
> FTPSClient_RETR_Timing_diagram_solution.png
>
>
> A working data exchange setup stopped working, after the server (vsftpd / 
> RedHat) was moved behind a WAF (F5) web application firewall. The client uses 
> PASV mode and the operation resulted in a socket timeout on the client side, 
> as soon as the data channel came into play (LIST/RETR/STOR).
> A FileZilla client does not exhibit this problem. By looking at the protocol 
> exchanges and laying them down in timing diagrams the problem seems to be, 
> that the WAF expects the client to fully establish the data-channel, after 
> the data-command is sent over the control-channel. The current FTPS client on 
> the other hand expects the server reply directly after the command is sent.
> A pull request will be provided.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
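
The ordering problem described in the issue above, as an added example that is not part of the original message or of the Commons Net code: a local model of a gateway that withholds the 150 reply until the data channel is established, run against a client that reads the reply first and one that establishes first. The gateway model, the HELLO exchange standing in for whatever "fully establish" involves on the data channel, and the names gateway and transfer are assumptions made for illustration.

```python
import socket
import threading

HELLO = b"HELLO"  # assumption: stand-in for establishing the data channel

def gateway(ctrl_srv, data_srv):
    """Constructed middlebox model: no 150 reply until the data channel is up."""
    ctrl, _ = ctrl_srv.accept()
    with ctrl:
        ctrl.recv(64)                      # data command (RETR) arrives
        data, _ = data_srv.accept()
        with data:
            data.settimeout(2)
            try:
                if data.recv(len(HELLO)) != HELLO:
                    return                 # client gave up before establishing
            except OSError:
                return
            ctrl.sendall(b"150 Opening data connection\r\n")
            data.sendall(b"payload")

def transfer(establish_first, timeout=0.5):
    """Run one RETR against the model; return the outcome the client sees."""
    ctrl_srv = socket.create_server(("127.0.0.1", 0))
    data_srv = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=gateway, args=(ctrl_srv, data_srv), daemon=True).start()
    ctrl = socket.create_connection(ctrl_srv.getsockname(), timeout=timeout)
    data = socket.create_connection(data_srv.getsockname(), timeout=timeout)
    try:
        ctrl.sendall(b"RETR file.txt\r\n")
        if establish_first:
            data.sendall(HELLO)            # establish before reading the reply
        try:
            reply = ctrl.recv(64)
        except socket.timeout:
            return "timeout"               # the client-side failure the issue reports
        if not establish_first:
            data.sendall(HELLO)            # reply-first ordering establishes afterwards
        return reply[:3].decode() + ":" + data.recv(64).decode()
    finally:
        for s in (ctrl, data, ctrl_srv, data_srv):
            s.close()

if __name__ == "__main__":
    print("reply first     ->", transfer(establish_first=False))
    print("establish first ->", transfer(establish_first=True))
```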
