FTPS with ACE 4710

Unanswered Question
Jul 10th, 2009


I need to configure ACE for load-balancing FTPS, and simply deploying L4 policies is not helping either. I configured the FTPS servers, and both of them work fine when accessed via their physical IPs, but they do not work when accessed via the VIP.

If it is possible, a reference URL would really be a great help.

sachinga.hcl Mon, 07/13/2009 - 03:13

Hi Rajiv,

Do you want to load-balance SFTP?

Or just have it pass through?

Loadbalancing SFTP is difficult because it starts as regular FTP and switches over to SSL which ACE can't do and fails to understand.

You don't need anything to have it pass through.

As long as you don't ask ACE to inspect the traffic, and assuming this traffic is permitted in your access-group, then there is nothing to do to have it go through.

I think your goal is to distribute inbound file deposits evenly across SFTP servers.

High-level Overview

Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers

I would like to tell you that SFTP is nothing but SSH. It uses a single connection. There are no issues loadbalancing it using traditional Layer 4 load balancing.

So you are good.

On the other hand, FTP over SSL (FTPS) can neither be offloaded nor load-balanced using ACE.

FTPS uses multiple channels, and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.

Kindly find these examples for the FTP load-balancing method on Cisco ACE:

1. FTP serverfarm on Cisco ACE


2. FTP Load Balancing on ACE in Routed Mode Configuration Example


3. FTP Load Balancing on ACE in One-Arm Mode Configuration Example


Kindly refer to the following URL for Layer 4 policies:








Hope it will help you further in configuring the ACE load-balancing L4 policies.

Kindly rate

Sachin Garg
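
The point in the reply above about the encrypted control channel hiding the data-connection ports, as an added example that is not part of the original posts and is not ACE code: a minimal on-path inspector that learns passive-mode data endpoints from plaintext FTP replies and learns nothing once explicit FTPS (`AUTH TLS` answered with `234`) takes over. The function name, addresses and captured segments are constructed for illustration.

```python
import re

# 227 reply (RFC 959): (h1,h2,h3,h4,p1,p2), data port = p1*256 + p2
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply (RFC 2428): (|||port|), address is the control-connection peer
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")


def inspect_control_channel(segments, server_ip):
    """Return (data_endpoints, tls_started) as an on-path device sees them.

    segments: list of (direction, payload); direction is "c2s" or "s2c".
    """
    endpoints, auth_pending, tls_started = [], False, False
    for direction, payload in segments:
        line = payload.strip()
        if direction == "c2s" and line.upper().startswith(b"AUTH "):
            auth_pending = True
        elif direction == "s2c":
            if auth_pending and line.startswith(b"234"):
                tls_started = True  # everything after this is TLS records
            elif (m := PASV_RE.match(line)):
                n = [int(x) for x in m.groups()]
                endpoints.append((".".join(map(str, n[:4])), n[4] * 256 + n[5]))
            elif (m := EPSV_RE.match(line)):
                endpoints.append((server_ip, int(m.group(1))))
    return endpoints, tls_started


# Constructed sample: plain FTP, the PASV reply is readable on the wire.
PLAIN_FTP = [
    ("c2s", b"USER demo\r\n"),
    ("s2c", b"331 Password required\r\n"),
    ("c2s", b"PASV\r\n"),
    ("s2c", b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
]

# Constructed sample: explicit FTPS. The bytes after the 234 reply are
# placeholders shaped like TLS records, not real ciphertext; the PASV
# exchange happens inside them and is invisible to the inspector.
FTPS = [
    ("c2s", b"AUTH TLS\r\n"),
    ("s2c", b"234 Proceed with negotiation\r\n"),
    ("c2s", b"\x16\x03\x01\x00\x20" + bytes(32)),
    ("s2c", b"\x17\x03\x03\x00\x30" + bytes(range(48))),
]

if __name__ == "__main__":
    print(inspect_control_channel(PLAIN_FTP, "192.0.2.10"))
    print(inspect_control_channel(FTPS, "192.0.2.10"))
```
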

