Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
415
Views
0
Helpful
4
Replies

FTP issue across ACE context

limtohsoon
Level 1
Level 1

‎01-27-2008 09:53 AM

Hi Sir,

I'm performing basic testing of ACE (ACE20-MOD-K9) on a Catalyst 6509 switch with redundant Supervisor Engine 720.

The switch runs Native IOS version 12.2(18)SXF12a. ACE software Version is 3.0(0)A1(4a).

I'm testing an ACE context. Its config is as attached.

Client IP : 172.16.20.100

VIP : 172.16.10.100 tcp eq ftp & 172.16.10.100 tcp eq ftp-data

Real Server : 172.16.30.100

The client can establish FTP connection to the VIP 172.16.10.100. But when it tries to execute the "ls" command, the files were not listed and I received the following error:

C:\>ftp 172.16.10.100

Connected to 172.16.10.100.

220 3Com 3CDaemon FTP Server Version 2.0

User (172.16.10.100:(none)): testuser

331 User name ok, need password

Password:

230 User logged in

ftp> ls

200 PORT command successful.

226 Closing data connection

ftp>

Also attached is the output of "show conn" on the ACE. It looks like Active FTP to me. Can you explain why the FTP data connection cannot be established successfully across the ACE context? What did I miss in my config? Since it is Active FTP, as far as I know the server initiates the data connection. Does the issue have anything to do with the fact that real servers can't initiate outbound connection unless NAT is configured?

Please help.

Thank you.

B.Rgds,

Lim TS

Labels:
Preview file
2 KB
Preview file
2 KB
0 Helpful
4 Replies 4

Gilles Dufour
Cisco Employee
Cisco Employee

‎01-28-2008 02:54 AM

Add the command 'inspect ftp' under your policy-map

policy-map multi-match lb-vip

class VIP-FTP-100

inspect ftp

Also, since you are in test mode, you should upgrade asap to A1(6.3)

Gilles.

0 Helpful

limtohsoon
Level 1
Level 1
In response to Gilles Dufour

‎01-28-2008 06:33 AM

Hi Gilles,

Thanks for your reply.

I will try the "inspect ftp" command and upgrade the ACE to 3.0(0)A1(6.3) asap.

By the way, do I need the command "match virtual-address 172.16.10.100 tcp eq ftp-data" under "class-map match-any VIP-FTP-100" ?

One more question: What's the difference in terms of L4-L7 load balancing functionality between a context in routed mode and a context in bridge mode?

Thank you.

B.Rgds,

Lim TS

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to limtohsoon

‎01-28-2008 11:18 AM

you don't need to match the ftp-data port traffic.

If you apply inspect ftp, the data port will be open automatically but this can only be done with inspect ftp configured.

There is no difference between bridge mode and routed mode.

Gilles.

0 Helpful

limtohsoon
Level 1
Level 1
In response to Gilles Dufour

‎01-29-2008 06:24 AM

Hi Gilles,

Thanks for your solution. It solves my issue.

I posted a question about the availability of any CSM to ACE conversion tool to which you replied. However I don't get what you mean. Can you kindly advise me again?

Thank you.

B.Rgds,

Lim TS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents