05-26-2010 05:08 PM
Hi,
I have two ACEs working in ROUTED-MODE. On the servers there is HTTP content and FTP content.
- The load balancing is working correctly.
Now I have a problem: the client wants to perform an FTP request to a server on the Internet from a server belonging to the server farm configured in the ACE.
In simple words, the server belonging to the farm will now be the client of the FTP server on the Internet. The client can connect to the Internet FTP server and enter his username and password, but when he wants to transfer data (commands such as ls, get, put) the connection is closed.
- When the client makes the FTP connection, it arrives at the Internet FTP server with the VIP address 200.29.72.226.
- I have a capture taken while the command "ls" was being performed and the connection was closed. The ACE showed:
12:42:11.079794 00:08:74:4e:d4:67 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 10.3.2.1.1911 > 200.54.172.202.21: P [tcp sum ok] 37:58(21) ack 161 win 16400
12:42:11.079957 00:0b:fc:fe:1b:01 > 00:e0:b6:04:14:49, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum a77 (->57b)!) 200.29.72.226.39292 > 200.54.172.202.21: P [bad tcp cksum 7d15 (->4ce)!] 37:58(21) ack 161 win 16400
12:42:11.080088 00:e0:b6:04:14:49 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 200.54.172.202.21 > 200.29.72.226.39292: R [tcp sum ok] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]
12:42:11.079212 00:0b:fc:fe:1b:01 > 00:08:74:4e:d4:68, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum 57b (->a77)!) 200.54.172.202.21 > 10.3.2.1.1911: R [bad tcp cksum 4d2 (->7d19)!] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]
I attached a diagram of the situation and the actual configuration.
I appreciate your help
Thanks and regards,
Jaime.
05-27-2010 06:26 AM
The reason for the problem is that you do NAT without doing inspect ftp.
Therefore the payload of the FTP control channel is not NATed and still contains the internal server IP address.
Create a new class-map:
class-map FTP
  match port tcp eq ftp
Then under your policy:
policy-map multi-match POLICY
  class FTP
    inspect ftp
This should work.
Gilles.
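To make the failure concrete, here is an added example (mine, not part of this thread or of any Cisco ACE code) that decodes the 21-byte PORT command visible in Jaime's capture and models the one step that "inspect ftp" adds on top of plain NAT: rewriting the inside address inside the FTP payload and tracking the resulting byte-count change so later TCP sequence numbers can be fixed up. The NAT address 200.29.72.226 and the PORT string come from the thread; keeping the data port 1983 unchanged after translation is an assumption for illustration (a real ALG under PAT may allocate a different port), and the function names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 959 PORT command: "PORT h1,h2,h3,h4,p1,p2\r\n" (port = p1*256 + p2)
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


@dataclass(frozen=True)
class PortCommand:
    ip: str
    port: int


def parse_port(payload: bytes) -> PortCommand:
    """Decode the address/port a PORT command asks the FTP server to connect back to."""
    m = PORT_RE.fullmatch(payload)
    if m is None:
        raise ValueError("not a well-formed PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PORT field out of range")
    return PortCommand(ip=f"{h1}.{h2}.{h3}.{h4}", port=p1 * 256 + p2)


def build_port(ip: str, port: int) -> bytes:
    """Encode an address/port pair back into PORT command syntax."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).replace(".", ",")
    return f"PORT {octets},{port // 256},{port % 256}\r\n".encode()


def leaks_inside_address(payload: bytes) -> bool:
    """True when the control channel carries a non-routable (RFC 1918) address.
    This is exactly what the outside FTP server sees when NAT runs without
    inspect ftp: it cannot open the data connection back to such an address."""
    return ipaddress.ip_address(parse_port(payload).ip).is_private


def alg_rewrite(payload: bytes, inside_ip: str, outside_ip: str, outside_port: int):
    """Model of the ALG step: replace the inside address in PORT with the NAT address.
    Returns (new_payload, seq_delta); seq_delta is the change in payload length that
    the ALG must compensate for in subsequent TCP sequence/ack numbers."""
    cmd = parse_port(payload)
    if cmd.ip != inside_ip:
        return payload, 0
    new_payload = build_port(outside_ip, outside_port)
    return new_payload, len(new_payload) - len(payload)


# Constructed sample: the 21-byte PORT command visible in the capture above
CAPTURED_PORT = b"PORT 10,3,2,1,7,191\r\n"
INSIDE_SERVER = "10.3.2.1"
NAT_ADDRESS = "200.29.72.226"  # the VIP/NAT address from the thread

if __name__ == "__main__":
    cmd = parse_port(CAPTURED_PORT)
    print(f"server is asked to connect back to {cmd.ip}:{cmd.port}")
    print("payload leaks an inside address:", leaks_inside_address(CAPTURED_PORT))
    # Assumption: data port kept as-is; a real ALG with PAT may pick another port
    new, delta = alg_rewrite(CAPTURED_PORT, INSIDE_SERVER, NAT_ADDRESS, cmd.port)
    print("rewritten payload:", new, "sequence delta:", delta)
```

Running it on the captured line shows the server being asked to connect back to 10.3.2.1:1983, which is why the transfer dies as soon as a data channel is needed while the login on the control channel works. The non-zero sequence delta is the reason a plain Layer 4 NAT cannot simply patch the bytes: the rewritten command is longer, so every later segment's sequence and acknowledgement numbers have to be adjusted, which is the work the ACE's inspect ftp does. A PORT command carrying an RFC 1918 address in a capture taken on the outside interface is a reliable sign of this misconfiguration.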
05-27-2010 02:37 AM
Hi,
It seems that your control channel is working fine, but when you start using the data channel, things go wrong.
I assume this is caused by the NAT.
Could you try to remove the pat parameter in the nat statement? This prevents the TCP port from being translated.
interface vlan 46
  nat-pool 1 200.29.72.226 200.29.72.226 netmask 255.255.255.255
Keep us informed.
HTH,
Dario
05-27-2010 09:58 AM
Thanks Gilles!
I applied the commands you told me. I performed laboratory tests and it worked fine.
Then I applied them in the client's ACE and the results were positive.
Thank you very much again.
Jaime.