Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1050
Views
0
Helpful
2
Replies

ACE 4710 blocking FTP WLSD directory listing

Eric Hansen
Level 1
Level 1

‎04-12-2010 11:34 AM

Hello

I have a ACE 4710 setup in a test environment(and context) with 2 filezilla FTP servers on the back end and a Win7 laptop on the front end with a FTP client(s).  The ACE is setup to load balance by source(the requirement for our project).

When the laptop tries to FTP to the Filezilla FTP servers it connects, enters passive mode, and sends a WLSD command to get a directory listing, but never gets it.  If the Win7 laptop is put on the same vlan as the Filezilla FTP servers, behind the ACE, everything works fine.

As far as I can tell the ACE configs doesn’t have any sort of deny acl acting on this traffic.  *attached*  The FTP client always connects, its just the directory listing that doesn't seem to work.. and we need it to work for the app this is targeting.

Any help is greatly appreciated.

e-

Labels:
Preview file
27 KB
63283-context_config.txt.zip
0 Helpful
2 Replies 2

Sean Merrow
Level 4
Level 4

‎04-13-2010 10:27 AM

Hi Eric,

I would expect this to work since you have the 'any' keyword.  Try adding the 'inspect ftp' to your class as shown here.

HTH,

Sean

0 Helpful

Eric Hansen
Level 1
Level 1
In response to Sean Merrow

‎04-16-2010 07:31 AM

Yeah me too!

So after much packet capturing and hair pulling and general dismay, we(me, another admin, and a local var ccie) think this is a app layer issue.  We added the inspect command but it wouldnt take without a nat pool in place, so we added that.

We found a packet in the FTP client that tells the server the real IP of client to the server.  This is the only oddity that we can locate.  Of course I admit we arent using a ACE in the normal way an ACE would be used, we LB by source not destination.

I put telnet servers on my targets and they also communicate directly to the clients IP, but they layer 2 back to the ace first, whereas the FTP server doesnt.  We are still working on it to try and find a way to make FTP happy.

e-

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents