FTP Load Balancing on ACE 4710

Answered Question
May 26th, 2010

Hi,


I have two ACEs working in ROUTED-MODE. On the servers there is HTTP content and FTP content.


- The load balancing is working correctly.


Now, I have a problem: the client wants to perform an FTP request to a server on the Internet from a server belonging to the server farm configured in the ACE.


In simple words, now the server belonging to the farm will be the client for the FTP server on the Internet. The client can connect to the Internet FTP server; he enters his username and password, but when he wants to transfer data (commands such as ls, get, put) the connection is closed.


- When the client makes the FTP connection, it arrives at the Internet FTP server with the VIP address 200.29.72.226.

- I have a capture from when the "ls" command was performed and the connection was closed. The ACE shows:



12:42:11.079794 00:08:74:4e:d4:67 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 10.3.2.1.1911 > 200.54.172.202.21: P [tcp sum ok] 37:58(21) ack 161 win 16400


12:42:11.079957 00:0b:fc:fe:1b:01 > 00:e0:b6:04:14:49, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum a77 (->57b)!) 200.29.72.226.39292 > 200.54.172.202.21: P [bad tcp cksum 7d15 (->4ce)!] 37:58(21) ack 161 win 16400


12:42:11.080088 00:e0:b6:04:14:49 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 200.54.172.202.21 > 200.29.72.226.39292: R [tcp sum ok] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]


12:42:11.079212 00:0b:fc:fe:1b:01 > 00:08:74:4e:d4:68, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum 57b (->a77)!) 200.54.172.202.21 > 10.3.2.1.1911: R [bad tcp cksum 4d2 (->7d19)!] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]


I attached a diagram of the situation and the actual configuration.


I appreciate your help.


Thanks and regards,


Jaime.

dario.didio Thu, 05/27/2010 - 02:37

Hi,


It seems that your control channel is working fine, but when you start using the data channel, things go wrong.

I assume this is caused by the NAT.


Could you try to remove the pat parameter in the nat statement? This prevents the TCP port from being translated.


interface vlan 46

nat-pool 1 200.29.72.226 200.29.72.226 netmask 255.255.255.255


Keep us informed.


HTH,

Dario

Correct Answer
Gilles Dufour Thu, 05/27/2010 - 06:26

The reason for the problem is that you do NAT without doing inspect ftp.

Therefore the payload of the FTP control channel is not NATed and still contains the internal server IP address.


Create a new class-map


class-map FTP

  match port tcp eq ftp


Then under your policy


policy-map multi-match POLICY

  class FTP

     inspect ftp


This should work.


Gilles.
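As an added illustration of what Gilles describes (example code written for this page, not from the thread or from Cisco's ACE), the Python below decodes the PORT command visible in the capture, flags a control-channel payload whose advertised address differs from the packet's translated source, and shows the payload rewrite that an FTP ALG such as inspect ftp performs. The packet fields are constructed from the capture in the question.

```python
import re

# Constructed from the capture in the question: the packet leaving the ACE has
# been source-NATed to the VIP, but the FTP payload still carries the real
# server address (10.3.2.1) inside the PORT command.
SAMPLE_PACKET = {
    "src_ip": "200.29.72.226",
    "payload": "PORT 10,3,2,1,7,191\r\n",
}

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


def parse_port_command(payload):
    """Decode an FTP PORT command 'h1,h2,h3,h4,p1,p2' into (ip, port).

    Returns None when the payload is not a well-formed PORT command."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def detect_unnated_port(src_ip, payload):
    """Return a finding when the PORT payload advertises an address that differs
    from the packet's IP source: the header was translated but the control
    channel was not, which is exactly the 'NAT without inspect ftp' case."""
    parsed = parse_port_command(payload)
    if parsed is None:
        return None
    adv_ip, adv_port = parsed
    if adv_ip == src_ip:
        return None
    return f"PORT advertises {adv_ip}:{adv_port} but packet source is {src_ip}"


def rewrite_port_command(payload, nat_ip, nat_port):
    """Rewrite the PORT payload the way an FTP ALG does, so the remote server
    opens its data connection to the translated address. The payload length can
    change, so a real ALG also fixes up TCP sequence numbers; that bookkeeping
    is outside this example."""
    if parse_port_command(payload) is None:
        raise ValueError("not a PORT command")
    octets = ",".join(nat_ip.split("."))
    return f"PORT {octets},{nat_port // 256},{nat_port % 256}\r\n"
```

The flagged finding for the sample packet is the same mismatch the remote server reacted to with a RST in the capture; after the rewrite the PORT payload and the IP header agree.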

Jaime Soto Vale... Thu, 05/27/2010 - 09:58

Thanks Gilles! 


I applied the commands you told me. I performed laboratory tests and it worked fine.


Then I applied it in the client's ACE and the results were positive.


Thank you very much again.



Jaime.
