Jan has been helping me with this off-list.  I figured out most of
what was going on after getting hints on debug levels, and Jan
provided a patch that fixed the problem.  The quick summary for the
list:

There was an rpc2 bug where a rpc2 client that isn't "masqueraded"
(such as codasrv) does not follow the masquerading rules when
initiating an SFTP transfer to a masquerading client (such as venus).
This happened when the server did a backfetch to get the file contents
for a store during reintegration.  In my case, I have IPsec SPD
entries and firewall rules that limit traffic to what ought to be
happening, and this traffic coming from the server's port 2433 didn't
match and was blocked (by local policy, I require clients to be set up
to masquerade).  For various reasons I didn't notice that a
firewall was dropping packets (sorry Jan - this would have been
easier had I noticed promptly!).

Jan committed a fix to CVS (in rpc2) so the reverse masquerading
happens right.  With that on the server, I can reintegrate just fine
over a 28.8 modem (with the restrictive SPD and firewall rules in
place).

        Greg Troxel <gdt_at_ir.bbn.com>