FTPS Offload via iRules

Question: Does BIG-IP LTM support FTPS? Answer: You might think to yourself "LTM can load balance any IP traffic, so sure!". But if you know FTPS, you know that, like FTP, things are a lot more co...
Published Mar 04, 2009
Version 1.0
adn
application delivery
BIG-IP
dev
devops
iRules
news
tech tip
Colin_Walker_12
KarimBenyelloul
Aug 31, 2017

Hello guys,

I'm having a problem implementing the FTPS offload. The problem I have regards the data channel (the third virtual server). The control channel is working perfectly. Below is the issue:

When the client opens the data channel, I see the SSL handshake done on the client side. Right after, on the server side, I see that the server sends the full response listing the "/" directory. The server also logs 'Successfully transferred "/"'. After that, on the client side, I see in the FTP client log:

Response:   150 Opening data channel for directory listing of "/"
Response:   226 Successfully transferred "/"
Error:  Failed to retrieve directory listing
Response:   421 Connection timed out.
Error:  GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error:  Could not read from socket: ECONNABORTED - Connection aborted
Error:  Disconnected from server e

The only issue seems to be related to the way the BIG-IP closes the SSL connection.

I then took two pcaps, one going through the BIG-IP (non-working scenario) and another pcap where the connection goes directly 'client'<->'ftps server' (working scenario), and I have noticed the following difference:

In the working scenario, the server sends an SSL packet "Encrypted Alert" right before sending the [FIN-ACK]. The client then sends the same SSL packet "Encrypted Alert" back to the server and closes the TCP connection.

On the other hand, in the non-working scenario, the BIG-IP directly closes the TCP connection and does not send the SSL packet "Encrypted Alert".

Do you have any idea how I could resolve this issue?

Many thanks,
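
The pcap comparison described in the comment above can be scripted: walk the TLS record headers the server side sent on the data channel and check whether an alert record came before the TCP close. This is an added example, not part of the original post or any F5 code, and the sample byte streams in it are constructed. It assumes TLS 1.2 or earlier (where an encrypted alert keeps outer record type 21) and that the server-to-client bytes have already been reassembled from the capture.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_records(stream: bytes):
    """Split one direction of a TLS byte stream into (type_name, length) records.

    Returns (records, leftover); leftover counts trailing bytes that do not
    form a complete record (a record cut off before its body was sent).
    """
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record header at offset {pos}")
        if pos + 5 + length > len(stream):
            break  # header present but body truncated
        records.append((CONTENT_TYPES[ctype], length))
        pos += 5 + length
    return records, len(stream) - pos


def classify_close(stream: bytes) -> str:
    """Classify how the sender ended the TLS session before its TCP FIN."""
    records, leftover = parse_records(stream)
    if leftover:
        return "truncated-record"
    if records and records[-1][0] == "alert":
        return "clean"    # an alert (normally close_notify) preceded the FIN
    return "unclean"      # TCP closed with no TLS alert; strict clients reject this


def record(ctype: int, body_len: int) -> bytes:
    """Build a constructed TLS 1.2 record with a dummy zero-filled body."""
    return struct.pack("!BBBH", ctype, 3, 3, body_len) + bytes(body_len)


# Constructed server-to-client data-channel streams (not taken from the pcaps):
# an encrypted directory listing, then either an encrypted alert or nothing.
DIRECT = record(23, 120) + record(21, 26)   # client <-> FTPS server directly
VIA_PROXY = record(23, 120)                 # listing, then FIN with no alert

if __name__ == "__main__":
    print("direct:   ", classify_close(DIRECT))
    print("via proxy:", classify_close(VIA_PROXY))
```

An "unclean" result matches the GnuTLS error in the client log: without a closing alert the client cannot tell a finished transfer from a truncated one.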
