FTP Load Balancing on ACE 4710

Hi,

I have two ACEs working in ROUTED-MODE. On the servers there is HTTP content and FTP content.

- The load balancing is working correctly.

Now I have a problem: the client wants to perform an FTP request to a server on the Internet from a server belonging to the server farm configured in the ACE.

In simple words, the server belonging to the farm will now be the client of the FTP server on the Internet. The client can connect to the Internet FTP server and enter his username and password, but when he wants to transfer data (commands such as ls, get, put) the connection is closed.

- When the client makes the FTP connection, it reaches the Internet FTP server with the VIP address 200.29.72.226.

- I have a capture from when the "ls" command was performed and the connection was closed. The ACE stated:


12:42:11.079794 00:08:74:4e:d4:67 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 10.3.2.1.1911 > 200.54.172.202.21: P [tcp sum ok] 37:58(21) ack 161 win 16400


12:42:11.079957 00:0b:fc:fe:1b:01 > 00:e0:b6:04:14:49, ethertype 802.1Q (0x8100), length 79: vlan 2, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum a77 (->57b)!) 200.29.72.226.39292 > 200.54.172.202.21: P [bad tcp cksum 7d15 (->4ce)!] 37:58(21) ack 161 win 16400


12:42:11.080088 00:e0:b6:04:14:49 > 00:0b:fc:fe:1b:01, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61) 200.54.172.202.21 > 200.29.72.226.39292: R [tcp sum ok] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]


12:42:11.079212 00:0b:fc:fe:1b:01 > 00:08:74:4e:d4:68, ethertype 802.1Q (0x8100), length 79: vlan 46, p 0, ethertype IPv4, IP (tos 0x0, ttl 128, id 28479, offset 0, flags [DF], length: 61, bad cksum 57b (->a77)!) 200.54.172.202.21 > 10.3.2.1.1911: R [bad tcp cksum 4d2 (->7d19)!] 161:182(21) ack 37 win 16400 [RST PORT 10,3,2,1,7,191\015\012]

I attached a diagram of the situation and the actual configuration.

I appreciate your help

Thanks and regards,

Jaime.



dario.didio (Level 4)

Hi,

It seems that your control channel is working fine, but when you start using the data channel, things go wrong.

I assume this is caused by the NAT.

Could you try removing the pat parameter in the nat statement? This prevents the TCP port from being translated.

interface vlan 46

nat-pool 1 200.29.72.226 200.29.72.226 netmask 255.255.255.255

Keep us informed.

HTH,

Dario

The reason for the problem is that you do NAT without doing inspect ftp.

Therefore the payload of the FTP control channel is not NATed and still contains the internal server IP address.

Create a new class-map

class-map FTP

  match port tcp eq ftp

Then under your policy

policy-map multi-match POLICY

  class FTP

     inspect ftp

This should work.

Gilles.
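What inspect ftp does to the control channel, as an added illustration (not Cisco's code and not from this thread): it parses the active-mode PORT command, which the capture above shows still carrying the inside address 10,3,2,1,7,191 after NAT, and rewrites it with the translated address the way an FTP ALG would. The 10.3.2.1 to 200.29.72.226 mapping is taken from Jaime's capture; the translated data port 39293 is an assumed value, and the private-address check is a detection aid for spotting the same symptom elsewhere.

```python
import ipaddress
import re

# Active-mode FTP PORT argument: h1,h2,h3,h4,p1,p2 (RFC 959); the ACE capture
# shows it as "PORT 10,3,2,1,7,191\015\012" (octal CR LF at the end).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) from a PORT command line, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed octet or port byte
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip, port):
    """Build a PORT command line from a dotted address and a TCP port."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n"


def alg_rewrite(line, inside_ip, outside_ip, outside_port):
    """Rewrite the PORT payload the way an FTP ALG (ACE 'inspect ftp') does:
    swap the untranslated inside address/port for the NATed ones. Lines that
    are not PORT commands, or that name another address, are returned as-is."""
    parsed = parse_port(line)
    if parsed is None or parsed[0] != inside_ip:
        return line
    return format_port(outside_ip, outside_port)


def leaks_private_address(line):
    """Detection check: a PORT command seen on the outside that carries an
    RFC 1918 address means NAT ran without FTP inspection (this thread's symptom)."""
    parsed = parse_port(line)
    return parsed is not None and ipaddress.ip_address(parsed[0]).is_private


# Constructed sample, built from the PORT argument visible in the capture.
INSIDE_PORT_CMD = "PORT 10,3,2,1,7,191\r\n"

if __name__ == "__main__":
    print(parse_port(INSIDE_PORT_CMD))             # ('10.3.2.1', 1983)
    print(leaks_private_address(INSIDE_PORT_CMD))  # True
    # 39293 is an assumed translated data port, not taken from the capture.
    print(alg_rewrite(INSIDE_PORT_CMD, "10.3.2.1", "200.29.72.226", 39293))
```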

Thanks Gilles! 

I applied the commands you told me. I performed laboratory tests and it worked fine.

Then I applied it in the client's ACE and the results were positive.

Thank you very much again.

Jaime.