ACE - loadbalance ftps

rbarroshpcsc
Level 1

Hi!

Is it possible to loadbalance ftps with ACE?

I have an ACE loadbalancing to a pool of ftps servers. I configured the ACE with IP source stickiness (to ensure data and control channel consistency) and a VIP without any port information. However, I can't get it to work... The control channel is established but the data channel isn't.

Am I forgetting something? Does anyone have a sample configuration to share?

Thank you.

5 Replies

FTP over SSL (FTPS) can be neither offloaded nor load balanced using ACE.

Syed Iftekhar Ahmed

Hi Syed,

Can you please elaborate on your answer?

I believe that FTPS is not supported natively in the sense that there is no "inspect" command.

However it should be possible to circumvent this by doing some kind of configuration without any port information and with source ip stickiness in order to maintain data/control channel consistency...

Is this true?

Thank you

Since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.

In the case of FTP, ACE can get this info about the data channel from the control channel.

Syed

Yes, however, I do not give any information about the port when I configure the class-map. Also, I do not configure the ACE to inspect the ftps traffic.

Perhaps it is clearer if I post the configuration:

probe tcp KPalive_use1Transfer_bck
  port 21
  interval 30
  passdetect count 1
probe tcp KPalive_use1Transfer_frt
  port 21
  interval 30
  passdetect count 1

rserver host a1use1ft01_bck
  ip address 10.11.66.11
  inservice
rserver host a1use1ft01_frt
  ip address 10.11.65.11
  inservice
rserver host a1use1ft02_bck
  ip address 10.11.66.12
  inservice
rserver host a1use1ft02_frt
  ip address 10.11.65.12
  inservice

serverfarm host SRVfarm_use1Transfer_bck
  predictor leastconns
  probe KPalive_use1Transfer_bck
  rserver a1use1ft01_bck
    inservice
  rserver a1use1ft02_bck
serverfarm host SRVfarm_use1Transfer_frt
  predictor leastconns
  probe KPalive_use1Transfer_frt
  rserver a1use1ft01_frt
    inservice
  rserver a1use1ft02_frt

sticky ip-netmask 255.255.255.0 address source STgrp_use1Transfer_frt
  timeout 720
  replicate sticky
  serverfarm SRVfarm_use1Transfer_frt
sticky ip-netmask 255.255.255.0 address source STgrp_use1Transfer_bck
  timeout 720
  replicate sticky
  serverfarm SRVfarm_use1Transfer_bck

class-map match-all CLA4_use1Transfer_bck
  2 match virtual-address 10.11.71.185 any
class-map match-all CLA4_use1Transfer_frt
  2 match virtual-address 10.11.70.185 tcp any
class-map type management match-any remote_access
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match POL7_use1Transfer_bck
  class class-default
    sticky-serverfarm STgrp_use1Transfer_bck
policy-map type loadbalance first-match POL7_use1Transfer_frt
  class class-default
    sticky-serverfarm STgrp_use1Transfer_frt

policy-map multi-match POL4_use1Transfer_bck
  class CLA4_use1Transfer_bck
    loadbalance vip inservice
    loadbalance policy POL7_use1Transfer_bck
    loadbalance vip icmp-reply active
policy-map multi-match POL4_use1Transfer_frt
  class CLA4_use1Transfer_frt
    loadbalance vip inservice
    loadbalance policy POL7_use1Transfer_frt
    loadbalance vip icmp-reply active

interface vlan 1065
  description internal
  ip address 10.11.65.152 255.255.255.0
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1066
  description internal
  ip address 10.11.66.152 255.255.255.0
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1070
  description external
  ip address 10.11.70.152 255.255.255.0
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POL4_use1Transfer_frt
  no shutdown
interface vlan 1071
  description external
  ip address 10.11.71.152 255.255.255.0
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POL4_use1Transfer_bck
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.11.70.254
ip route 10.11.50.0 255.255.255.0 10.11.71.254
ip route 10.11.113.0 255.255.255.0 10.11.71.254

Thank you

In your case the SFTP client will open the control channel to VIP 10.11.71.185. ACE changes the address to 10.11.66.11 (real server). The real server sends PASV asking the client to use ip:10.11.66.11, port:xyz. Unlike FTP, this packet is encrypted. Since ACE cannot see this info, it cannot change the 10.11.66.11 to 10.11.71.185 (VIP) in the server response to the client.

Syed
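The mechanism Syed describes, shown as an added Python simulation (this is not code from the thread or from Cisco): a real server answers PASV with a 227 reply that embeds its own address; an FTP-aware balancer can read that reply and swap the real address for the VIP, but once the control channel is encrypted the same bytes are opaque and the client is left trying to reach the real server directly. The VIP 10.11.71.185 and real server 10.11.66.11 are taken from the posted configuration; the passive port 50000 is a constructed sample value, and `fake_tls` is a stand-in for the TLS record layer (a keyed XOR keystream, not real TLS) used only to make the bytes unreadable to the simulated balancer.

```python
import hashlib
import re

# Addresses are the ones quoted in the thread (VIP on VLAN 1071, first real
# server on VLAN 1066); the passive port is a constructed sample value.
VIP = "10.11.71.185"
REAL_SERVER = "10.11.66.11"
SAMPLE_PORT = 50000

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def to_octets(ip: str) -> str:
    """'10.11.66.11' -> '10,11,66,11' (the comma form used inside a 227 reply)."""
    return ip.replace(".", ",")


def build_pasv_reply(ip: str, port: int) -> bytes:
    """The reply a real server sends on the control channel after a client PASV."""
    return f"227 Entering Passive Mode ({to_octets(ip)},{port // 256},{port % 256})\r\n".encode("ascii")


def parse_pasv(text: str):
    """Return (ip, port) advertised by a 227 reply, or None if none is present."""
    m = PASV_RE.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def fake_tls(payload: bytes, key: bytes = b"constructed-session-key") -> bytes:
    """Stand-in for the TLS record layer, NOT real TLS: XOR with a SHA-256
    keystream so the bytes are opaque to anything without the key. Applying it
    twice recovers the plaintext, which is all the simulation needs."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(payload):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(payload, stream))


def inspect_control_channel(wire: bytes, real_ip: str, vip: str):
    """What an FTP-inspecting balancer does with a server->client segment: if it
    can read a 227 reply naming the real server, substitute the VIP.
    Returns (segment to forward, True if a rewrite happened)."""
    text = wire.decode("latin-1")          # never raises; ciphertext simply won't match
    parsed = parse_pasv(text)
    if parsed is None or parsed[0] != real_ip:
        return wire, False                 # nothing readable to fix up
    fixed = text.replace(to_octets(real_ip), to_octets(vip), 1)
    return fixed.encode("latin-1"), True


def simulate(mode: str, real_ip: str = REAL_SERVER, vip: str = VIP, port: int = SAMPLE_PORT) -> dict:
    """Push one PASV reply through the simulated balancer and report where the
    client will open its data connection. mode is 'ftp' or 'ftps'."""
    reply = build_pasv_reply(real_ip, port)
    encrypted = mode == "ftps"
    wire = fake_tls(reply) if encrypted else reply
    forwarded, rewritten = inspect_control_channel(wire, real_ip, vip)
    client_view = fake_tls(forwarded) if encrypted else forwarded   # client decrypts
    target = parse_pasv(client_view.decode("latin-1"))
    return {
        "mode": mode,
        "balancer_rewrote_reply": rewritten,
        "client_data_target": target,
        "data_channel_goes_to_vip": target is not None and target[0] == vip,
    }


if __name__ == "__main__":
    for mode in ("ftp", "ftps"):
        print(simulate(mode))
```

Running it shows the two outcomes side by side: in `ftp` mode the balancer rewrites the reply and the client's data connection goes to 10.11.71.185, while in `ftps` mode the reply passes through untouched and the client is told to connect to 10.11.66.11, an address on the internal VLAN it cannot reach from outside. That is exactly the symptom in the original post: the control channel (a plain TCP connection to port 21 that only needs the VIP NAT) comes up, and the data channel does not.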
