General Page
Check the connection
- The
ping
command does not work. The firewall blocks these requests.Note: If you are behind a firewall,
ping
generally only works within your local network. - How far did the connection get or where did it fail?
Run traceroute, which shows the path to the server. The last IP address is the probable source of connection failure. The command traceroute does not show the FTP server, the firewall blocks these requests.
Note: If you are behind a firewall,
traceroute
generally only works within your local network.- MS/DOS command -
tracert
- Unix command -
traceroute
- MVS, VM, OS/390 command -
tracerte
- MS/DOS command -
Check for timeouts
The FTP server timeout is 10 minutes if no data transfer. If your FTP session times out in less than 10 minutes, it is not the server that is timing out. The timeout value for the FTP client can usually be specified when FTP is invoked (i.e. timeout=nn where nn is in seconds). Check the documentation for the FTP client you are using to verify the parameters and syntax.
If you are submitting a large file via batch FTP, the batch job can time out. This is a function of the TIME= parameter on the JOB card. The file size can be reduced by compression (TRSMAIN), or the TIME= parameter can be increased or set to 1440.
Files not on the server
Files received in /toibm/xxx/ directory not following the defined naming convention are routinely purged from the FTP server. These files require manual intervention by your IBM service representative or they are deleted after 7 days.
Because of security considerations, the display of files on the server site '/toibm/' directories is limited to the directories themselves. Uploads are only allowed for subdirectories of the /toibm directory, for example /toibm/aix, /toibm/zos. No individual files can be listed. Only files in the '/fromibm/<hash_key>' subdirectories may be listed.
Server error messages
If you receive error messages from the server, a connection is occurring. The server returns a 'Permission Denied…' message for any of the following conditions:
- Permission Denied upload name.
The file name cannot contain quotes or national characters (#,@,$). It can contain only a-z, A-Z, 0-9 and . (period).
- Permission Denied upload.
The file already exists. You cannot replace existing files. Any 'replacements' must be loaded with a new file name.
- Permission Denied on Server.
Invalid directory is specified. Uploads are only allowed for subdirectories of the /toibm directory, for example /toibm/aix, /toibm/zos ...
Passive mode
It is strongly recommended that to use "passive" mode for FTP transmissions. "Passive" mode is the only mode supported for the ECuRep FTPS server. Active FTP support is planned to be discontinued for ECuRep.
If none of these procedures solves the problem, further diagnosis can be performed to identify the failure. The server maintains logs of all activity, and the date and time of the transfer problem is needed for further diagnosis. Use the ticket for which the file is being transferred to report any FTP problems you are unable to resolve or send an email to contact@ecurep.ibm.com with a detailed error description including timestamps.
Binary mode
It is recommended to use "binary " mode for FTP transmissions. If not, the server is getting incorrect data.
Common Firewall
- I can connect to the FTP server. The connection hangs after the ls, dir, put or get command.
Use passive FTP. This is done with the "passive" command for most command-line clients. If your client does not offer the passive command, it is using active FTP properly.
- My FTP client is using passive FTP, but the session still hangs after the ls, dir, put or get commands.
Ask your firewall administrator to allow connections to the port range 65024 - 65535 for our FTP server.
- Your firewall may check the control connection for the protocol.
Ask your firewall administrator about the setup of your firewall. For a CheckPoint Firewall-1 NG, for example, the new line character check must be disabled. Check out Solution ID sk22632.
FTPS usage under z/OS
Please notice, that:
testcase.boulder.ibm.com uses RFC4217 DRAFT level,
ftps.ecurep.ibm.com and in future ftp.ap.ecurep.ibm.com uses full RFC4217 level, which differs in sub-commands AUTH and CCC
ftps.ecurep.ibm.com uses:
RFC4217 and TLS1.2
The current and IBM recommended implementation is called Application Transparent Transport Layer Security AT-TLS or TTLS.
There is no way to use pre-RFC4217 CCCNONOTIFY.
Some firewalls need to read the port number on the PASV command to create dynamic rules.
Use of a CCC command before the PUT to clear the control connection might be needed.
Information on Traversing firewalls with SSL/TLS secure FTP (CCC command)
For additional information regarding certificates and IBMid / Transfer ID usage, please refer to FAQs About GDPR-related Changes to ECuRep and Testcase FTP File Uploads .
Information about the z/OS cipher suite definitions can be found at the reference for z/OS 2.4:
Related links
Was this topic helpful?
Document Information
Modified date:
31 May 2022
UID
ibm10739409