ACE Load balancing FTP connections.

May 22nd, 2007

I have my ACE blade (running A1(4d)) currently set up to static NAT to an FTP server.

I have tried setting up a sticky SLB VIP for FTP across this server and an additional box, but the firewall in front of the ACE throws the connections.

It appears that the servers are responding directly to the clients when in SLB, and so the control connection has the wrong IP (real vs. VIP).

How do I set this up so that it works?

bruce.arnott Tue, 05/22/2007 - 07:26
Found the setting on the FTP server to set the PASV reply address to the VIP and all works now.

OK, scrub that, it only works because I set the class match to any. If it's set to FTP it doesn't match the data port opening.

It looks like FTP load balancing doesn't work just by matching FTP. Do I have something wrong?

Gilles Dufour (Cisco Employee) Tue, 05/22/2007 - 08:29

Bruce,

Could you share your config and a small explanation of how the servers and ACE are connected.

Gilles.

bruce.arnott Wed, 05/23/2007 - 00:14

Here's the relevant config, IPs changed to protect the innocent.


probe ftp FTP_DL
  description FTP Probe
  expect status 220 220

rserver host HTTPDL_01
  ip address 10.2.200.21
  inservice
rserver host HTTPDL_02
  ip address 10.2.200.22
  inservice

serverfarm host Download_FTP
  probe FTP_DL
  rserver HTTPDL_01
    inservice
  rserver HTTPDL_02
    inservice

sticky ip-netmask 255.255.255.255 address both FTP_DL
  timeout 10
  replicate sticky
  serverfarm Download_FTP

class-map match-any FTP_DL
  3 match virtual-address A.A.A.A any

policy-map type loadbalance first-match FTP_DL
  class class-default
    sticky-serverfarm FTP_DL

policy-map multi-match FTP_Download
  class FTP_DL
    loadbalance vip inservice
    loadbalance policy FTP_DL

interface vlan 200
  description Back End Connection
  ip address 10.2.200.2 255.255.255.0
  alias 10.2.200.1 255.255.255.0
  peer ip address 10.2.200.3 255.255.255.0
  no normalization
  service-policy input ICMP_ALLOW_POLICY
  no shutdown

interface vlan 300
  description ACE to Firewall
  ip address 10.3.100.252 255.255.255.0
  alias 10.3.100.254 255.255.255.0
  peer ip address 10.3.100.253 255.255.255.0
  no normalization
  service-policy input FTP_Download
  no shutdown


There is an active/passive cluster of firewalls in front of the ACE, and all the VIPs are public IPs from our class C range which are routed through from the firewalls.

The vlan300 interface on the ACE is in a transport VLAN with the back end FW interfaces. The vlan200 interface is on the same VLAN as the rservers.

If I change the class map to

  match virtual-address A.A.A.A tcp eq ftp

I see the data connections being bounced on the inside interface on the firewall, as they are not matched to the VIP.

Roble Mumin Thu, 05/24/2007 - 03:42

Have you tried applying FTP inspection to the "policy-map multi-match FTP_Download"?

Checking the ACE security guide, the info on "inspect ftp" is the following.

---

inspect

ftp: Enables File Transfer Protocol (FTP) inspection. The ACE inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data.

---

This could be related to your problem, as with ICMP you need inspection/fixup to make it work properly from the rservers.

Have a look at...

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bc1.html#wp1180240

Roble

bruce.arnott Fri, 05/25/2007 - 01:37

I tried adding 'inspect ftp' to the policy and it prevented any data connections from being made.

This one has got me a bit confused. I can set up the VIP to allow any traffic and manually configure the FTP servers to fix up the PORT command, but I'd really like an ACE-contained solution.

Any ideas anyone?

I just went through this issue myself.

When you're locking down the class map for ftp to port 21, you're likely breaking passive data communication because ports 1024-65535 are not open, not because of a VIP mismatch. Passive FTP will negotiate a port in this range for the data channel. Once I opened these ports in the class map and enabled 'inspect ftp' in the policy map, my problem was solved.
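An added example, not from the thread or from Cisco: a small Python check that parses the 227 PASV reply as the client sees it, flags a reply that still advertises a real server address instead of the VIP (the "real vs. VIP" symptom above) or a data port outside the range the class map permits, and rewrites the embedded address the way "inspect ftp" or the server-side PASV address setting would. The VIP 203.0.113.10 is an assumed stand-in for A.A.A.A; the rserver addresses are the ones from the config in this thread.

```python
import re

# Assumed values: 203.0.113.10 stands in for the VIP written as A.A.A.A in the
# thread; the rserver addresses are the ones in Bruce's config.
VIP = "203.0.113.10"
REAL_SERVERS = {"10.2.200.21", "10.2.200.22"}

# Constructed sample 227 reply, as the client sees it when the rserver answers
# with its own address (the "real vs. VIP" symptom from the thread).
SAMPLE_REPLY = "227 Entering Passive Mode (10,2,200,21,195,80)\r\n"

# RFC 959 form (h1,h2,h3,h4,p1,p2): address h1.h2.h3.h4, port p1*256 + p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (address, port) from a 227 reply, or None if it is not well formed."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):  # octets and port bytes must fit in a byte
        return None
    addr = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return addr, port

def check_pasv(reply, vip=VIP, real_servers=REAL_SERVERS, port_min=1024, port_max=65535):
    """Classify the address/port a server advertises for the data channel."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    addr, port = parsed
    if addr in real_servers:
        return "leaks-real-server"  # client would bypass the VIP; the firewall drops it
    if addr != vip:
        return "unexpected-address"
    if not port_min <= port <= port_max:
        return "port-out-of-range"  # data port outside what the class map allows
    return "ok"

def rewrite_pasv(reply, vip=VIP):
    """Replace the embedded address with the VIP, keeping the port (what 'inspect ftp' does)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    port = parsed[1]
    fixed = "(%s,%d,%d)" % (vip.replace(".", ","), port // 256, port % 256)
    return PASV_RE.sub(fixed, reply, count=1)
```

Run check_pasv over the control-channel replies captured on the firewall's inside interface to tell a leaked real address from a blocked data port, which is the distinction the last reply draws.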
