Back to Troubleshooting Guide

425 425 Can't open data connection. timed out() failed.

Full message

$ lcg-rep --vo dteam lfn:my-test-lfn -d my-SE.my-domain
the server sent an error response: 425 425 Can't open data connection. timed out() failed.

Diagnosis

Typical scenario: on a WN lcg-rep from a remote SE to the close/default SE fails. This can have various causes:

1. At the time of the command the target SE was down or unreachable from outside, e.g. shielded by some firewall on the way.
2. The GLOBUS_TCP_PORT_RANGE is not defined on the target SE, or the range is not allowed by some firewall on the way.
3. Some firewall on the way to the SE has a problem with connections in rapid succession that all use the same source and destination ports, e.g. rapidly repeating occurrences of source:20000 --> SE:20000, which used to be normal when a file is copied onto the SE.

The idea is that normally the source port will be assigned by the OS to a different value for each connection, so that a firewall may conclude that rapid repetitions are abnormal/illegal, so should be blocked.

Recent versions of Globus (e.g. as used in gLite 3.2) let the OS pick random source ports unless the environment variable GLOBUS_TCP_SOURCE_RANGE (sic) is defined; that variable should never be set.

Solution

1. Check definition of GLOBUS_TCP_PORT_RANGE on the target SE and if the GridFTP server was (re)started with that definition.
2. Check the rules of firewalls on the way to the SE.
3. Use a recent version of Globus on the source host (SE, UI, WN).
4. Do not define GLOBUS_TCP_SOURCE_RANGE (sic).