05-22-2007 06:24 AM
I have my ACE blade (running A1(4d)) currently set up to static NAT to an FTP server.
I have tried setting up a sticky SLB VIP for FTP across this server and an additional box but firewall in front of the ACE throws the connections.
It appears that the servers are responding directly to the clients when in SLB and so the control connection has the wrong IP (real vs. VIP)
How do I set this up so that it works?
05-22-2007 07:26 AM
Found the setting on the FTP server to set the PASV reply address to the VIP and all works now.
OK, scrub that, it only works because I set the class match to any. If it's set to FTP it doesn't match the data port opening.
It looks like FTP load balancing doesn't work just by matching FTP. Do I have something wrong?
05-22-2007 08:29 AM
Bruce,
could you share your config and a small explanation of how the servers and ACE are connected.
Gilles.
05-23-2007 12:14 AM
Here's the relevant config, IPs changed to protect the innocent.
probe ftp FTP_DL
  description FTP Probe
  expect status 220 220
rserver host HTTPDL_01
  ip address 10.2.200.21
  inservice
rserver host HTTPDL_02
  ip address 10.2.200.22
  inservice
serverfarm host Download_FTP
  probe FTP_DL
  rserver HTTPDL_01
    inservice
  rserver HTTPDL_02
    inservice
sticky ip-netmask 255.255.255.255 address both FTP_DL
  timeout 10
  replicate sticky
  serverfarm Download_FTP
class-map match-any FTP_DL
  3 match virtual-address A.A.A.A any
policy-map type loadbalance first-match FTP_DL
  class class-default
    sticky-serverfarm FTP_DL
policy-map multi-match FTP_Download
  class FTP_DL
    loadbalance vip inservice
    loadbalance policy FTP_DL
interface vlan 200
  description Back End Connection
  ip address 10.2.200.2 255.255.255.0
  alias 10.2.200.1 255.255.255.0
  peer ip address 10.2.200.3 255.255.255.0
  no normalization
  service-policy input ICMP_ALLOW_POLICY
  no shutdown
interface vlan 300
  description ACE to Firewall
  ip address 10.3.100.252 255.255.255.0
  alias 10.3.100.254 255.255.255.0
  peer ip address 10.3.100.253 255.255.255.0
  no normalization
  service-policy input FTP_Download
  no shutdown
There is an active/passive cluster of firewalls in front of the ACE and all the VIPs are Public IPs from our class C range which are routed through from the firewalls.
The vlan300 interface on the ACE is in a transport VLAN with the back end FW interfaces. The vlan200 interface is on the same VLAN as the rservers.
If I change the Class map to
  match virtual-address A.A.A.A tcp eq ftp
I see the data connections being bounced on the inside interface on the firewall as they are not matched to the VIP.
05-24-2007 03:42 AM
Have you tried to apply ftp inspection to the "policy-map multi-match FTP_Download".
Checking the ACE security guide, the info on "inspect ftp" is as follows.
---
inspect
ftp: Enables File Transfer Protocol (FTP) inspection. The ACE inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data.
---
This could be related to your problem, as with ICMP you need inspection/fixup to make it work properly from the rservers.
Have a look at...
Roble
05-25-2007 01:37 AM
I tried adding the 'inspect ftp' to the policy and it prevented any data connections from being made?
This one has got me a bit confused. I can set up the VIP to allow any traffic and manually configure the FTP servers to fix up the PORT command, but I'd really like an ACE-contained solution.
Any ideas anyone?
12-03-2007 01:50 PM
I just went through this issue myself.
When you're locking down the class map for ftp to port 21, you're likely breaking passive data communication because ports 1024-65535 are not open, not because of a VIP mismatch. Passive FTP will negotiate a port in this range for the data channel. Once I opened these ports in the class map and enabled 'inspect ftp' in the policy map, my problem was solved.
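The two mechanisms the thread turns on can be modelled in a few lines. The script below is an added example, not code from the thread or from Cisco: it parses a passive-mode FTP reply, shows how the rserver's real address leaks to the client unless something rewrites the payload (what the ACE's "inspect ftp" does, and what Bruce did by hand on the FTP server), and models a class-map that only admits port 21 against one that also admits the 1024-65535 range the data channel lands in. The VIP 203.0.113.10 and the PASV reply are constructed; the rserver addresses are the ones from the posted config.

```python
"""Added example: PASV address leakage behind a load balancer and the
port-range check a narrow class-map fails. Not code from the thread."""
import re

VIP = "203.0.113.10"                      # assumed public VIP in front of the farm
REALS = {"10.2.200.21", "10.2.200.22"}    # rservers from the posted config

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -- data port is p1*256+p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    parts = m.groups()
    ip = ".".join(parts[:4])
    port = int(parts[4]) * 256 + int(parts[5])
    return ip, port


def build_pasv(ip, port):
    """Encode ip:port back into 227 syntax."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


def fixup_pasv(reply, vip=VIP):
    """Rewrite a real-server address in a PASV reply to the VIP, as an
    FTP fixup would. Returns (rewritten_reply, data_port)."""
    ip, port = parse_pasv(reply)
    if ip in REALS:
        return build_pasv(vip, port), port
    return reply, port


def matches_class(dst_ip, dst_port, vip=VIP, ports=((21, 21),)):
    """Model an ACE class-map: traffic to the VIP matches only if the
    destination port falls in one of the (low, high) ranges."""
    if dst_ip != vip:
        return False
    return any(lo <= dst_port <= hi for lo, hi in ports)


# Constructed reply as rserver HTTPDL_01 would send it: port 195*256+80 = 50000
RAW_REPLY = "227 Entering Passive Mode (10,2,200,21,195,80)\r\n"
FTP_ONLY = ((21, 21),)                  # 'match virtual-address A.A.A.A tcp eq ftp'
FTP_AND_DATA = ((21, 21), (1024, 65535))  # port 21 plus the passive range

if __name__ == "__main__":
    fixed, port = fixup_pasv(RAW_REPLY)
    print("client sees:", fixed.strip())
    for label, ranges in (("eq ftp only", FTP_ONLY), ("ftp + 1024-65535", FTP_AND_DATA)):
        print("%-18s data port %d matches VIP: %s"
              % (label, port, matches_class(VIP, port, ports=ranges)))
```

Run it and the first line shows the client being told to connect to 203.0.113.10:50000 instead of 10.2.200.21:50000; the next two lines show the same data connection failing the port-21-only class-map and passing the one that also admits the passive range, which is the combination the last post describes.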