Troubleshooting

Tracking Connection Status With Proxy Logs

The connection status of both forward and reverse proxy transfers is logged regularly in the system log file: /var/log/messages on Red Hat Linux and /var/log/syslog on Debian-based Linux. Root access is required to view the system log file. The following is an example of the log entries written at the start of a proxy transfer:

Dec  5 17:32:11 test1 ascp_rproxy[26250]: LOG Received connection request from 10.0.31.133
Dec  5 17:32:11 test1 ascp_rproxy[26250]: LOG Established SSH connection with server 10.0.30.6:22
Dec  5 17:32:11 test1 ascp_rproxy[26250]: LOG Setup UDP forwarding between 10.0.31.133:60953 and 10.0.30.6:33001

In the above:

  • 10.0.31.133:60953 – client IP address and UDP port
  • 10.0.30.6:22 – server IP and SSH port
  • 10.0.30.6:33001 – server IP and UDP port

The following is an example of a log entry when the connection is closed:

Dec  5 18:38:22 test1 ascp_rproxy[27238]: LOG Connection closed (EOF)

In the event of errors, individual error scenarios are logged separately.

To activate verbose debug logging, set or increase the <log_level> value in aspera.conf.
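
The entries above can be reduced to one line per connection for review. The following is an added example, not part of the product or its documentation; it assumes that the number in ascp_rproxy[...] identifies a single proxied connection and that ERR entries carry the same syslog prefix as LOG entries. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: one summary line per ascp_rproxy process found in syslog text.
# Assumption: the number in ascp_rproxy[...] identifies a single proxied connection.

# Constructed sample; the ERR line's syslog prefix is assumed to match the LOG lines.
sample_log() {
cat <<'EOF'
Dec  5 17:32:11 test1 ascp_rproxy[26250]: LOG Received connection request from 10.0.31.133
Dec  5 17:32:11 test1 ascp_rproxy[26250]: LOG Established SSH connection with server 10.0.30.6:22
Dec  5 17:32:11 test1 ascp_rproxy[26250]: LOG Setup UDP forwarding between 10.0.31.133:60953 and 10.0.30.6:33001
Dec  5 17:40:02 test1 ascp_rproxy[26311]: LOG Received connection request from 10.0.31.140
Dec  5 17:40:02 test1 ascp_rproxy[26311]: ERR No matching rule found for host.
Dec  5 18:38:22 test1 ascp_rproxy[26250]: LOG Connection closed (EOF)
Dec  5 18:41:09 test1 ascp_rproxy[27238]: LOG Received connection request from 10.0.31.133
Dec  5 18:41:09 test1 ascp_rproxy[27238]: LOG Setup UDP forwarding between 10.0.31.133:60954 and 10.0.30.6:33001
EOF
}

# Reads syslog text on stdin and prints: PID STATE CLIENT SERVER
# STATE is open (no close seen), closed, or error (an ERR entry was logged).
rproxy_sessions() {
  awk '
    match($0, /ascp_rproxy\[[0-9]+\]: /) {
      pid = substr($0, RSTART + 12, RLENGTH - 15)
      msg = substr($0, RSTART + RLENGTH)
      if (!(pid in state)) {
        order[++n] = pid; state[pid] = "open"; client[pid] = "-"; server[pid] = "-"
      }
      split(msg, f, " ")
      if (msg ~ /^LOG Received connection request from /) client[pid] = f[6]
      else if (msg ~ /^LOG Setup UDP forwarding between /) { client[pid] = f[6]; server[pid] = f[8] }
      else if (msg ~ /^LOG Connection closed/ && state[pid] != "error") state[pid] = "closed"
      else if (msg ~ /^ERR /) state[pid] = "error"
    }
    END { for (i = 1; i <= n; i++) { p = order[i]; print p, state[p], client[p], server[p] } }
  '
}

sample_log | rproxy_sessions
```

On a proxy host the function can read the system log directly, for example by redirecting /var/log/messages into it as root.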

Error When Trying to Start Node Service

If you receive the following error when attempting to start the node service, check to see if iptables is installed on your machine:

ERR Failed to initialize proxy service

If iptables is not installed, install it. See the documentation for your Linux distribution.

Error When No Matching Rule for Host

If you receive the following error, it means Proxy did not find a rule in aspera.conf that matches the incoming SSH connection information:

ERR No matching rule found for host.

Check that the IP address or hostname and the SSH port used by the client match a rule defined in aspera.conf.

Note: The proxy IP address must be used in the rule when its IP address is NAT'd.

Using iptables to Track Forwarding Rules

Proxy server administrators can also take advantage of the iptables tool to inspect the traffic forwarding rules that are in place. For example, the following shows six iptables rules (in the nat and filter tables), corresponding to two different ascp connections (reverse proxy creates three rules for each connection). The comment field of each rule contains the UUID of the ascp session. The iptables command requires root privileges.

# iptables -t nat -L 
Chain PREROUTING (policy ACCEPT)
target    prot opt source        destination         
DNAT      udp  --  10.0.35.37    anywhere     udp dpt:33001 /* 8de6121e-c6a4-4384-8b67-123f6bf453a2 */ to:10.0.143.102:33001 
DNAT      udp  --  10.0.35.36    anywhere     udp dpt:33001 /* 813d334f-b47f-46ea-83ed-e13779f9b9c8 */ to:10.0.143.102:33001

Chain POSTROUTING (policy ACCEPT)
target    prot opt source        destination
SNAT      udp  --  10.0.35.37    anywhere     udp dpt:33001 /* 8de6121e-c6a4-4384-8b67-123f6bf453a2 */ to:10.0.143.110
SNAT      udp  --  10.0.35.36    anywhere     udp dpt:33001 /* 813d334f-b47f-46ea-83ed-e13779f9b9c8 */ to:10.0.143.110

Chain OUTPUT (policy ACCEPT)
target    prot opt source        destination

# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source        destination

Chain FORWARD (policy DROP)
target    prot opt source        destination
ACCEPT    udp  --  10.0.35.36    10.0.143.102  udp dpt:33001 /* 813d334f-b47f-46ea-83ed-e13779f9b9c8 */
ACCEPT    udp  --  10.0.35.37    10.0.143.102  udp dpt:33001 /* 8de6121e-c6a4-4384-8b67-123f6bf453a2 */
ACCEPT    udp  --  anywhere      anywhere      state ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target    prot opt source        destination

UDP Port and Firewall Timeout Errors

The following is a common timeout error:

Session Stop (Error: Client unable to connect to server -- check UDP port and firewall.)

If you get this error, check the following:

  1. Ensure that IP forwarding is enabled. IP forwarding is required and is enabled automatically when IBM Aspera Proxy is installed. To confirm, run the following command:
    # cat /proc/sys/net/ipv4/ip_forward 

    If the command returns 1, IP forwarding is enabled. If it returns 0, it is not. IP forwarding can be enabled manually by setting the net.ipv4.ip_forward line in /etc/sysctl.conf as follows:

    # Controls IP packet forwarding
    net.ipv4.ip_forward=1

    To activate changes to /etc/sysctl.conf, run the following:

    # /sbin/sysctl -p /etc/sysctl.conf
  2. If the error still occurs when IP forwarding is on, turn off source-port filtering. By default, source-port filtering is disabled (false). To reset, run the following command:
    # asconfigurator -x "set_server_data;rproxy_rules_rule_src_port_filtering,false"

    This results in the following text in aspera.conf:

    ...
    <rproxy>
      ... 
      <rules>
        <rule>
          ... 
          <src_port_filtering>false</src_port_filtering> 
        </rule>
      </rules>
    </rproxy>
    ... 

    For more information about source-port filtering, see Source-Port Filtering.

    If the same timeout errors still occur when source-port filtering is disabled, this generally indicates that traffic is being blocked at a firewall. For information on configuring firewalls for forward proxy, see Forward Proxy Firewall Configuration. For information on configuring firewalls for reverse proxy, see Reverse Proxy Firewall Configuration.

Iptables Rules Left on the Proxy Server

On rare occasions, iptables rules are left on the proxy server for sessions that have completed. To purge the rules, issue a stop and then a start (or restart) to the proxy service:

# /etc/init.d/asperaproxy stop
# /etc/init.d/asperaproxy start

Or:

# /etc/init.d/asperaproxy restart
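
Before purging, the rules can be grouped by the session UUID in their comment field, as described under Using iptables to Track Forwarding Rules and in this section. The following is an added example, not part of the product or its documentation; the function name is hypothetical and the sample listing is constructed from the output shown earlier, with one SNAT rule removed. A UUID that still appears after its transfer has completed, or that has fewer than the three rules reverse proxy creates per connection, is a candidate for cleanup.

```shell
#!/bin/sh
# Added example: group iptables listing lines by the session UUID in the rule comment.

# Constructed sample in the listing format shown above; one SNAT rule is
# deliberately missing so that one session has an incomplete rule set.
sample_rules() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target    prot opt source        destination
DNAT      udp  --  10.0.35.37    anywhere     udp dpt:33001 /* 8de6121e-c6a4-4384-8b67-123f6bf453a2 */ to:10.0.143.102:33001
DNAT      udp  --  10.0.35.36    anywhere     udp dpt:33001 /* 813d334f-b47f-46ea-83ed-e13779f9b9c8 */ to:10.0.143.102:33001
Chain POSTROUTING (policy ACCEPT)
target    prot opt source        destination
SNAT      udp  --  10.0.35.37    anywhere     udp dpt:33001 /* 8de6121e-c6a4-4384-8b67-123f6bf453a2 */ to:10.0.143.110
Chain FORWARD (policy DROP)
target    prot opt source        destination
ACCEPT    udp  --  10.0.35.36    10.0.143.102  udp dpt:33001 /* 813d334f-b47f-46ea-83ed-e13779f9b9c8 */
ACCEPT    udp  --  10.0.35.37    10.0.143.102  udp dpt:33001 /* 8de6121e-c6a4-4384-8b67-123f6bf453a2 */
ACCEPT    udp  --  anywhere      anywhere      state ESTABLISHED
EOF
}

# Reads listing text on stdin and prints: UUID SOURCE COUNT CHAINS STATUS
# STATUS is ok for exactly three rules (what reverse proxy creates per
# connection), otherwise check.
rules_by_session() {
  awk '
    /^Chain / { chain = $2; next }
    match($0, /\/\* [0-9a-f-]+ \*\//) {
      id = substr($0, RSTART + 3, RLENGTH - 6)
      if (!(id in count)) { order[++n] = id; chains[id] = chain }
      else chains[id] = chains[id] "," chain
      count[id]++; src[id] = $4
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        print id, src[id], count[id], chains[id], (count[id] == 3 ? "ok" : "check")
      }
    }
  '
}

sample_rules | rules_by_session
```

On a live proxy, run as root and feed the function the combined output of iptables -t nat -L -n and iptables -L -n; the -n option prints numeric addresses and avoids DNS lookups.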

Clearing Tracked NAT Connection Flows When the Proxy Service is Stopped or Restarted

If the conntrack tool is installed, the proxy service clears tracked NAT connection flows when the proxy service is stopped. This ensures that connections through the proxy are terminated when the proxy service is stopped or restarted. To enable this capability, your system must have the conntrack package for your distribution installed.