Cisco Support Community
New Member

FTP connection in passive mode in ACE

Hi,

I am unable to create a passive-mode FTP session on my ACE. My scenario is that I have to connect to the FTP servers through modems installed on the outside network via a GPRS network. My configuration for this is as follows:

access-list PERMIT line 8 extended permit ip any any
access-list PERMIT line 16 extended permit icmp any any

============

probe tcp AMRAPPFTP
  port 21
  interval 4
  faildetect 2
  passdetect interval 4
  passdetect count 2
  receive 45
  connection term forced
  open 1

==================

rserver host AMRAPP3S1
  ip address 10.96.7.161
  inservice
rserver host AMRAPP3S2
  ip address 10.96.7.166
  inservice

===================

serverfarm host AMRAPP3
  description ZONE3
  probe AMRAPPFTP
  probe PORT80
  rserver AMRAPP3S1
    inservice
  rserver AMRAPP3S2
    inservice

=============================

sticky ip-netmask 255.255.255.255 address both ACEAMRAPP3-sticky
  timeout 5
  serverfarm AMRAPP3

=============================

class-map match-all L4_VIP_AMRAPP3FTPtest
  2 match virtual-address 10.96.7.85 tcp eq ftp

===========================

policy-map type loadbalance first-match L7_VIP_AMRAPP3
  class class-default
    sticky-serverfarm ACEAMRAPP3-sticky

===================================

policy-map multi-match L4_LB_COMMON_POLICY
  class L4_VIP_AMRAPP3FTPtest
    loadbalance vip inservice
    loadbalance policy L7_VIP_AMRAPP3
    loadbalance vip icmp-reply
    inspect ftp

==============================

interface vlan 2
  description APPLICATION SERVER
  ip address 10.96.7.129 255.255.255.128
  alias 10.96.7.131 255.255.255.128
  peer ip address 10.96.7.130 255.255.255.128
  access-group input PERMIT
  service-policy input L4_LB_COMMON_POLICY

===============================

interface vlan 20
  description APPLICATION FIREWALL
  ip address 10.96.7.4 255.255.255.128
  alias 10.96.7.6 255.255.255.128
  peer ip address 10.96.7.5 255.255.255.128
  access-group input PERMIT
  service-policy input L4_LB_COMMON_POLICY

================================

ip route 0.0.0.0 0.0.0.0 10.96.7.1

=========================

Here is the output I am getting while trying to connect via modem IP 172.20.66.139 (inside server port range: TCP 55500-55590):

sh conn | in 172.20.66.139
1514769    1  in  TCP   20   172.20.66.139:0       10.96.7.85:28881      SYNSEEN
881418     2  in  TCP   20   172.20.66.139:55410   10.96.7.85:21         ESTAB
500123     2  out TCP   2    10.96.7.166:21        172.20.66.139:55410   ESTAB
1157506    2  in  TCP   20   172.20.66.139:0       10.96.7.85:28881      SYNSEEN

Further, on the routing side, I have routed the 172.20.0.0/21 subnet to the 10.200.1.0 subnet, which is gatewayed (10.200.1.1) on my firewall, and there this pool is NATed to 10.96.7.85 (10.200.1.15).

Any help is appreciated.
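The "sh conn" lines above are the main evidence in this thread, so here is a small parser for that output that checks the same things a troubleshooter would check by eye: whether the control channel to the VIP on port 21 is established in both directions, which rserver it landed on, and whether any client data connection to the VIP exists inside the stated server port range. This is an added example written for this page, not code from the original post or from Cisco; the sample text is a constructed copy of the output posted above, and the column layout (conn-id, np, dir, proto, vlan, source, destination, state) is assumed from it.

```python
import re
from dataclasses import dataclass

# Constructed copy of the "sh conn | in 172.20.66.139" output posted above.
SHOW_CONN_SAMPLE = """\
sh conn | in 172.20.66.139
1514769    1  in  TCP   20   172.20.66.139:0       10.96.7.85:28881      SYNSEEN
881418     2  in  TCP   20   172.20.66.139:55410   10.96.7.85:21         ESTAB
500123     2  out TCP   2    10.96.7.166:21        172.20.66.139:55410   ESTAB
1157506    2  in  TCP   20   172.20.66.139:0       10.96.7.85:28881      SYNSEEN
"""

# One connection row: conn-id np dir proto vlan src:port dst:port state
CONN_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(in|out)\s+(\S+)\s+(\d+)\s+"
    r"([\d.]+):(\d+)\s+([\d.]+):(\d+)\s+(\S+)\s*$"
)


@dataclass
class Conn:
    conn_id: int
    np: int
    direction: str
    proto: str
    vlan: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    state: str


def parse_show_conn(text):
    """Turn raw 'show conn' text into Conn records; non-matching lines (the
    command echo, headers, blanks) are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        g = m.groups()
        conns.append(Conn(int(g[0]), int(g[1]), g[2], g[3], int(g[4]),
                          g[5], int(g[6]), g[7], int(g[8]), g[9]))
    return conns


def ftp_session_report(conns, client_ip, vip, data_ports):
    """Summarise the passive-FTP state for one client against one VIP."""
    lo, hi = data_ports
    # Control channel: client -> VIP:21 inbound, rserver:21 -> client outbound.
    control_in = [c for c in conns if c.direction == "in" and c.src_ip == client_ip
                  and c.dst_ip == vip and c.dst_port == 21 and c.state == "ESTAB"]
    control_out = [c for c in conns if c.direction == "out" and c.src_port == 21
                   and c.dst_ip == client_ip and c.state == "ESTAB"]
    # Passive data channel: the client must open a second connection to the
    # VIP on the port the server advertised, which should fall in data_ports.
    data = [c for c in conns if c.src_ip == client_ip and c.dst_ip == vip
            and lo <= c.dst_port <= hi]
    half_open = [c for c in conns if c.state == "SYNSEEN"]
    return {
        "control_established": bool(control_in) and bool(control_out),
        "backend_server": control_out[0].src_ip if control_out else None,
        "data_connections": len(data),
        "data_port_range": (lo, hi),
        "half_open": len(half_open),
        "half_open_ports": sorted({c.dst_port for c in half_open}),
    }


def diagnose(report):
    """Plain-language findings derived from the report."""
    notes = []
    if not report["control_established"]:
        notes.append("control channel to VIP:21 not established")
    elif report["data_connections"] == 0:
        notes.append("control channel up but no client data connection to the VIP "
                     "in range %d-%d" % report["data_port_range"])
    if report["half_open"]:
        notes.append("%d half-open (SYNSEEN) connections to VIP ports %s"
                     % (report["half_open"], report["half_open_ports"]))
    return notes


if __name__ == "__main__":
    conns = parse_show_conn(SHOW_CONN_SAMPLE)
    rep = ftp_session_report(conns, "172.20.66.139", "10.96.7.85", (55500, 55590))
    print(rep)
    for note in diagnose(rep):
        print("-", note)
```

Run against the posted output it reports the control channel as established to rserver 10.96.7.166 and zero data connections in the 55500-55590 range, which is the gap the first reply points at: with passive FTP the client has to open the data connection, and nothing from the client in that port range ever shows up on the ACE. Half-open (SYNSEEN) entries are listed separately with their destination ports so they can be compared with the port the server actually advertised in its 227 reply.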
5 REPLIES
Cisco Employee

Hi Anil,

The configuration looks fine here and if you look at these two lines of "show conn" output,

881418     2  in  TCP   20   172.20.66.139:55410   10.96.7.85:21         ESTAB
500123     2  out TCP   2    10.96.7.166:21        172.20.66.139:55410   ESTAB

The above shows that the control connection between the FTP server and client is successful. But I don't see a data channel being established here. In passive FTP, the client initiates the DATA connection. Also, I see you have applied the service policy on both VLANs. You just need that on the client-side VLAN and not the server side. Can we take a pcap on the client itself and see what is going on?

Attaching a document for your reference.

Regards,

Kanwal

New Member

Hi Kanwal,

Thanks for the revert. Please find the packet capture.

Regards,

Anil 

Cisco Employee

Hi Anil,

Please tell me where this pcap was taken, and also send it in a format which I can open in Wireshark. This is a txt file. I tried renaming it but no luck.

Regards,

Kanwal

New Member

Hi Kanwal,

This pcap was taken on the ACE. Further, I am sending you the Wireshark logs from the server side.

Please check frame 73.

Regards,

Anil

Cisco Employee

Hi Anil,

I see packet #73 and it looks fine. I see the server sending the port to the client with its own IP. Now, due to "inspect ftp", ACE will look inside the packet and translate the server IP to the VIP, which in turn I guess would be NATed on the firewall etc. and then go to the client.

We shall have pcaps at the front end as well as the back end simultaneously to see what is going on. The RST comes from the ACE IP here in the back end, but it could be due to the fact that the client sent the RST at the front end. Can you check on the firewall if it is dropping any connection by any chance?

Regards,

Kanwal
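The last reply describes the chain a passive-mode 227 reply has to survive in this setup: the server advertises its own address, "inspect ftp" on the ACE rewrites that to the VIP, and the firewall NAT in front of the ACE has to present something the client can actually reach. The following is an added example (not code from the thread, the ACE, or Cisco) that models those rewrite hops on a 227 reply and reports what the client would end up connecting to. The server reply, the data port 55516, and the hop tables are constructed; the addresses 10.96.7.166, 10.96.7.85 and 10.200.1.15 and the 55500-55590 range are taken from the thread.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address is h1-h4,
# data port is p1*256 + p2 (RFC 959).
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])


def build_pasv(ip, port):
    """Encode ip/port back into the 227 reply format."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), port // 256, port % 256)


def rewrite_pasv(reply, translations):
    """Model one inspection/NAT hop: if the advertised address is in the
    hop's translation table, rewrite it; an empty table means the hop only
    translates the IP header and leaves the FTP payload alone."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    ip, port = parsed
    return build_pasv(translations.get(ip, ip), port)


def check_pasv(reply, expected_ip, data_ports):
    """Problems a client would hit with this reply: the advertised address is
    not the one the client reaches the service on, or the port is outside
    the range the servers are supposed to use."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["no valid 227 reply"]
    ip, port = parsed
    problems = []
    if ip != expected_ip:
        problems.append("advertised %s but client expects %s" % (ip, expected_ip))
    lo, hi = data_ports
    if not lo <= port <= hi:
        problems.append("port %d outside server range %d-%d" % (port, lo, hi))
    return problems


def trace_pasv(server_reply, hops, expected_ip, data_ports):
    """Push the reply through each hop in order; return (hop, reply, problems)."""
    trace, reply = [], server_reply
    for name, translations in hops:
        reply = rewrite_pasv(reply, translations)
        trace.append((name, reply, check_pasv(reply, expected_ip, data_ports)))
    return trace


# Constructed server reply: rserver 10.96.7.166 advertising data port 55516.
SERVER_REPLY = build_pasv("10.96.7.166", 55516)

# Hop tables (constructed): ACE rewrites rserver -> VIP; the firewall either
# also rewrites VIP -> its outside NAT address in the payload, or does not.
HOPS_FULL = [
    ("ACE inspect ftp", {"10.96.7.166": "10.96.7.85"}),
    ("firewall NAT", {"10.96.7.85": "10.200.1.15"}),
]
HOPS_HEADER_ONLY = [
    ("ACE inspect ftp", {"10.96.7.166": "10.96.7.85"}),
    ("firewall NAT (header only)", {}),
]

if __name__ == "__main__":
    for hops in (HOPS_FULL, HOPS_HEADER_ONLY):
        for name, reply, problems in trace_pasv(SERVER_REPLY, hops,
                                                "10.200.1.15", (55500, 55590)):
            print("%-28s %s  %s" % (name, reply, problems or "ok"))
        print()
```

With both hops rewriting the payload the client ends up with 10.200.1.15 and a port in range, and the data SYN will land on the ACE. If the firewall only translates the IP header, the client is told to connect to 10.96.7.85, which from the modem side is not the address it reached the control channel on; the data connection then never appears in "show conn", which is exactly the symptom in the original output. The function also flags an advertised port outside 55500-55590, which is worth comparing with the ports seen in SYNSEEN state.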
