07-22-2008 04:06 PM
Hi!
Is it possible to load balance FTPS with ACE?
I have an ACE load balancing to a pool of FTPS servers. I configured the ACE with source IP stickiness (to ensure data and control channel consistency) and a VIP without any port information. However, I can't get it to work... The control channel is established but the data channel isn't.
Am I forgetting something? Does anyone have a sample configuration to share?
Thank you.
07-22-2008 04:13 PM
FTP over SSL (FTPS) can neither be offloaded nor load balanced using ACE.
Syed Iftekhar Ahmed
07-23-2008 01:48 AM
Hi Syed,
Can you please elaborate on your answer?
I believe that FTPS is not supported natively in the sense that there is no "inspect" command.
However, it should be possible to circumvent this by doing some kind of configuration without any port information and with source IP stickiness in order to maintain data/control channel consistency...
Is this true?
Thank you
07-23-2008 02:06 AM
Since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
In the case of FTP, ACE can get this info about the data channel from the control channel.
Syed
07-23-2008 03:51 AM
Yes, however, I do not give any information about the port when I configure the class-map. Also, I do not configure the ACE to inspect the FTPS traffic.
Perhaps it is clearer if I post the configuration:
probe tcp KPalive_use1Transfer_bck
  port 21
  interval 30
  passdetect count 1
probe tcp KPalive_use1Transfer_frt
  port 21
  interval 30
  passdetect count 1
rserver host a1use1ft01_bck
  ip address 10.11.66.11
  inservice
rserver host a1use1ft01_frt
  ip address 10.11.65.11
  inservice
rserver host a1use1ft02_bck
  ip address 10.11.66.12
  inservice
rserver host a1use1ft02_frt
  ip address 10.11.65.12
  inservice
serverfarm host SRVfarm_use1Transfer_bck
  predictor leastconns
  probe KPalive_use1Transfer_bck
  rserver a1use1ft01_bck
    inservice
  rserver a1use1ft02_bck
serverfarm host SRVfarm_use1Transfer_frt
  predictor leastconns
  probe KPalive_use1Transfer_frt
  rserver a1use1ft01_frt
    inservice
  rserver a1use1ft02_frt
sticky ip-netmask 255.255.255.0 address source STgrp_use1Transfer_frt
  timeout 720
  replicate sticky
  serverfarm SRVfarm_use1Transfer_frt
sticky ip-netmask 255.255.255.0 address source STgrp_use1Transfer_bck
  timeout 720
  replicate sticky
  serverfarm SRVfarm_use1Transfer_bck
class-map match-all CLA4_use1Transfer_bck
  2 match virtual-address 10.11.71.185 any
class-map match-all CLA4_use1Transfer_frt
  2 match virtual-address 10.11.70.185 tcp any
class-map type management match-any remote_access
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match POL7_use1Transfer_bck
  class class-default
    sticky-serverfarm STgrp_use1Transfer_bck
policy-map type loadbalance first-match POL7_use1Transfer_frt
  class class-default
    sticky-serverfarm STgrp_use1Transfer_frt
policy-map multi-match POL4_use1Transfer_bck
  class CLA4_use1Transfer_bck
    loadbalance vip inservice
    loadbalance policy POL7_use1Transfer_bck
    loadbalance vip icmp-reply active
policy-map multi-match POL4_use1Transfer_frt
  class CLA4_use1Transfer_frt
    loadbalance vip inservice
    loadbalance policy POL7_use1Transfer_frt
    loadbalance vip icmp-reply active
interface vlan 1065
  description internal
  ip address 10.11.65.152 255.255.255.0
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1066
  description internal
  ip address 10.11.66.152 255.255.255.0
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1070
  description external
  ip address 10.11.70.152 255.255.255.0
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POL4_use1Transfer_frt
  no shutdown
interface vlan 1071
  description external
  ip address 10.11.71.152 255.255.255.0
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POL4_use1Transfer_bck
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.11.70.254
ip route 10.11.50.0 255.255.255.0 10.11.71.254
ip route 10.11.113.0 255.255.255.0 10.11.71.254
Thank you
07-23-2008 02:26 PM
In your case SFTP client will open control channel to VIP 10.11.71.185. ACE changes the address to 10.11.66.11 (real server). The real server sends PASV asking client to use ip:10.11.66.11, port:xyz. Unlike FTP this packet is encrypted. Since ACE cannot see this info, it cannot change the 10.11.66.11 to 10.11.71.185 (VIP) in the server response to client.
Syed
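An added illustration of the fix-up Syed describes, written here for this thread and not taken from it or from ACE itself: an FTP-aware balancer reads the server's 227 PASV reply, swaps the real server address (10.11.66.11) for the VIP (10.11.71.185) and so keeps the data channel behind the VIP. The FTPS sample below is a constructed, opaque TLS-record-shaped byte string standing in for the same reply once encrypted; it is not real ciphertext, and the point is only that nothing readable is left for the balancer to rewrite.

```python
import re

# Addresses quoted in the thread: the VIP clients connect to and one real server.
VIP = "10.11.71.185"
REAL = "10.11.66.11"

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: bytes):
    """Return (ip, port) from a cleartext 227 reply, or None if it cannot be read."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def rewrite_pasv(reply: bytes, real_ip: str, vip: str) -> bytes:
    """Fix-up an FTP-aware load balancer applies on a cleartext control channel:
    replace the real server's address in the 227 reply with the VIP, so the client
    opens its data connection to the VIP and sticks to the same real server."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != real_ip:
        return reply                      # unreadable or not our server: pass through
    old = real_ip.replace(".", ",").encode()
    new = vip.replace(".", ",").encode()
    return reply.replace(old, new, 1)


# Constructed samples: a cleartext FTP reply, and a made-up TLS application-data
# record standing in for the same reply on an FTPS control channel (not real
# ciphertext; it simply contains nothing the regex can read).
CLEAR_REPLY = b"227 Entering Passive Mode (10,11,66,11,195,80)\r\n"
FTPS_REPLY = b"\x17\x03\x03\x00\x20" + bytes(range(0x60, 0x80))


def data_channel_target(reply: bytes, real_ip: str = REAL, vip: str = VIP):
    """Where the client will open its data channel after the balancer's fix-up."""
    return parse_pasv(rewrite_pasv(reply, real_ip, vip))


if __name__ == "__main__":
    print("cleartext FTP:", data_channel_target(CLEAR_REPLY))  # ('10.11.71.185', 50000)
    print("FTPS:", data_channel_target(FTPS_REPLY))            # None: nothing to fix up
```

In the FTPS case the balancer passes the reply through untouched, so the client learns the real server's address (or nothing usable) for the data channel and the transfer stalls, which is exactly the symptom in the first post.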