FTP Load Balancing on ACE 4710

Answered Question
May 26th, 2010

Hi,

I have two ACEs working in ROUTED-MODE. In the servers there are HTTP content and FTP content.

- The load balancing is working in correct form.

Now, I have a problem: The client wants to perform an FTP request to a server on the Internet from a server belonging to the server farm configured in the ACE.

In simple words, now the server belonging to the farm will be the client for the FTP server on the Internet. The client can connect to the Internet FTP, he enters his username and password, but when he wants to transfer data (commands such as ls, get, put) the connection is closed.

- When the client makes the FTP connection, it comes from the VIP address 200.29.72.226 to the Internet FTP.

- I have a capture taken while performing the command "ls", when the connection was closed. The ACE showed:

12:42:11.079794 00:08:74:4e:d4:67 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 10.3.2.1.1911 > 200.54.172.202.21: P [tcp sum ok] 37:58(21) ack 161 win 16400

12:42:11.079957 00:0b:fc:fe:1b:01 > 00:e0:b6:04:14:49, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum a77 (->57b)!) 200.29.72.226.39292 > 200.54.172.202.21: P [bad tcp cksum 7d15 (->4ce)!] 37:58(21) ack 161 win 16400

12:42:11.080088 00:e0:b6:04:14:49 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 200.54.172.202.21 > 200.29.72.226.39292: R [tcp sum ok] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]

12:42:11.079212 00:0b:fc:fe:1b:01 > 00:08:74:4e:d4:68, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum 57b (->a77)!) 200.54.172.202.21 > 10.3.2.1.1911: R [bad tcp cksum 4d2 (->7d19)!] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]

I attached a diagram of the situation and the actual configuration.

I appreciate your help

Thanks and regards,

Jaime.

Correct Answer by Gilles Dufour about 6 years 6 months ago

The reason for the problem is that you do nat without doing inspect ftp.

Therefore the payload of the ftp control channel is not nated and still contains the internal server ip address.

Create a new class-map

class-map FTP

  match port tcp eq ftp

Then under your policy

policy-map multi-match POLICY

  class FTP

     inspect ftp

This should work.

Gilles.
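An added illustration (not part of Gilles' answer and not ACE code) of what inspect ftp has to repair: the PORT command the farm server sends over the control channel carries its own private address and data port in the payload, which plain NAT never touches. The sample payload is constructed from the capture in the question; the VIP and the data port are assumptions taken from that capture.

```python
import ipaddress
import re

# Constructed sample, modelled on the PORT command visible in the capture:
# the farm server 10.3.2.1 advertises itself for the active-mode data
# connection (7*256+191 = port 1983) while the packet leaves the ACE with
# source 200.29.72.226.
CONTROL_PAYLOAD = b"PORT 10,3,2,1,7,191\r\n"
NAT_PUBLIC_IP = "200.29.72.226"  # assumed: the VIP used for the outbound NAT

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(payload: bytes):
    """Return (ip, port) advertised by an FTP PORT command, or None."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def needs_fixup(payload: bytes, nat_ip: str) -> bool:
    """True when the PORT payload leaks an address the remote FTP server
    cannot reach (private, or different from the NAT source address).
    This is exactly the condition an FTP ALG such as inspect ftp repairs."""
    parsed = parse_port(payload)
    if parsed is None:
        return False
    ip, _ = parsed
    return ipaddress.ip_address(ip).is_private or ip != nat_ip


def fixup_port(payload: bytes, nat_ip: str, nat_port: int) -> bytes:
    """Rewrite the PORT command the way an FTP ALG does: substitute the
    translated address and the data port the NAT device will listen on."""
    if parse_port(payload) is None:
        return payload
    octets = nat_ip.replace(".", ",")
    return f"PORT {octets},{nat_port // 256},{nat_port % 256}\r\n".encode()
```

Run against the constructed payload, parse_port returns ("10.3.2.1", 1983) and needs_fixup is True; after fixup_port the remote server sees only the public VIP, which is why the data channel survives once inspection is enabled.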

dario.didio Thu, 05/27/2010 - 02:37

Hi,

it seems that your control-channel is working fine, but when you start using the data-channel, things go wrong.

I assume this is caused by the NAT.

Could you try to remove the pat parameter in the nat statement? This prevents the TCP port from being translated.

interface vlan 46

nat-pool 1 200.29.72.226 200.29.72.226 netmask 255.255.255.255

Keep us informed.

HTH,

Dario


Jaime Soto Vale... Thu, 05/27/2010 - 09:58

Thanks Gilles! 

I applied the commands you told me. I performed laboratory tests and it worked fine.

Then I applied it in the ACE of the client and the results were positive.

Thank you very much again.

Jaime.
