ACE Load balancing FTP connections.

bruce.arnott · ‎05-22-2007

I have my ACE blade (running A1(4d) ) currently set-up to static nat to an FTP server.

I have tried setting up a sticky SLB VIP for FTP across this server and an additional box but firewall in front of the ACE throws the connections.

It appears that the servers are responding directly to the clients when in SLB and so the control connection has the wrong IP (real vs. VIP)

How do I set this up so that it works?

bruce.arnott · ‎05-22-2007

Found the setting on the FTP server to set the PASV reply address to the VIP and all works now.

OK, scrub that, it only works because I set the class match to any. If it's set to FTP it doesn't match the data port opening.

It looks like FTP load balancing doesn't work just by matching FTP. Do I have something wrong?

Gilles Dufour · ‎05-22-2007

Bruce,

could you share your config and a small explanation of how the servers and ACE are connected.

Gilles.

bruce.arnott · ‎05-23-2007

Here's the relevant config, IPs change to protect the innocent.

probe ftp FTP_DL

description FTP Probe

expect status 220 220

rserver host HTTPDL_01

ip address 10.2.200.21

inservice

rserver host HTTPDL_02

ip address 10.2.200.22

inservice

serverfarm host Download_FTP

probe FTP_DL

rserver HTTPDL_01

inservice

rserver HTTPDL_02

inservice

sticky ip-netmask 255.255.255.255 address both FTP_DL

timeout 10

replicate sticky

serverfarm Download_FTP

class-map match-any FTP_DL

3 match virtual-address A.A.A.A any

policy-map type loadbalance first-match FTP_DL

class class-default

sticky-serverfarm FTP_DL

policy-map multi-match FTP_Download

class FTP_DL

loadbalance vip inservice

loadbalance policy FTP_DL

interface vlan 200

description Back End Connection

ip address 10.2.200.2 255.255.255.0

alias 10.2.200.1 255.255.255.0

peer ip address 10.2.200.3 255.255.255.0

no normalization

service-policy input ICMP_ALLOW_POLICY

no shutdown

interface vlan 300

description ACE to Firewall

ip address 10.3.100.252 255.255.255.0

alias 10.3.100.254 255.255.255.0

peer ip address 10.3.100.253 255.255.255.0

no normalization

service-policy input FTP_Download

no shutdown

There is an active/passive cluster of firewalls in front of the ACE and all the VIPs are Public IPs from our class C range which are routed through from the firewalls.

The vlan300 interface on the ACE is in a transport VLAN with the back end FW interfaces. The vlan200 interface is on the same VLAN as the rservers.

If I change the Class map to

match virtual address A.A.A.A tcp eq ftp

I see the data connections being bounced on the inside interface on the firewall as they are not matched to the VIP.

Roble Mumin · ‎05-24-2007

Have you tried to apply ftp inspection to the "policy-map multi-match FTP_Download".

Checking the ace security guide the info on "inspect ftp" is following.

---

inspect

ftp?Enables File Transfer Protocol (FTP) inspection. The ACE inspects FTP packets, translates address and port embedded in the payload, and opens up secondary channel for data.

---

This could be related to your problem as with icmp you need inspection/fixup to make it work properly from the rservers.

Have a look at...

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bc1.html#wp1180240

Roble

bruce.arnott · ‎05-25-2007

I tried adding the 'inspect ftp' to the policy and it prevented any data connections from being made?

This one has got me a bit confused. I can set-up the VIP to allow any traffic and manually configure the FTP servers to fixup the port command but I'd really like an ACE contained solution.

Any ideas anyone?

dustin.black · ‎12-03-2007

I just went through this issue myself.

When you're locking down the class map for ftp to port 21, you're likely breaking passive data communication because ports 1024-65535 are not open, not because of a VIP mismatch. Passive FTP will negotiate a port in this range for the data channel. Once I opened these ports in the class map and enabled 'inspect ftp' in the policy map, my problem was solved.