11-22-2005 11:28 AM
Hi all!
I'm having some real issues getting Passive FTP to work through my CSS - the setup is a fairly normal one: 2 VLANs (ext and internal); a content group with the application ftp setting and a group specifying the service to control NATing. Active FTP works just fine, which, I'm led to believe, is the more difficult of the two to get working. With Passive, I see the control connection set up, but when the client goes to connect to the high data port (which we have forced to a single port - 3000) all communication ceases and we see this in a capture:
FTP: Resp. to Port 1679, '227 Entering Passive Mode (172,21,30,248,11,184)'
43 17.812500 LOCAL 000ED792F60C TCP Control Bits: ....S., len: 0, seq:1220116563-1220116564, ack: 0, win:65535, src: 1680 dst: 3000
44 17.812500 000ED792F60C LOCAL ICMP Destination Unreachable: 172.21.30.248 (See frame 43) VS_VIP LONNS02 IP
Can anybody tell me for certain that Passive FTP can work with a CSS? Nothing I've read states that categorically. Can you point me in the right direction with how it might be configured, as I'm thinking that I have a NAT issue somewhere...
Many Thanks
Oli
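The capture above shows the whole passive-mode problem in one line: the server's 227 reply advertises an address and a port pair, and the client then opens a second TCP connection to exactly that endpoint. When a load balancer or NAT device sits in between, the advertised address must be rewritten to the VIP the client is already talking to; if it is not, the client tries to reach an address it has no route to and the data connection fails. The following added example (it is not code from the thread or from Cisco) decodes a 227 reply the way a client does and flags the mismatch a NAT-less PASV reply produces. The reply string is taken from the capture above; the control peer address 172.21.30.250 is the VIP from the posted config; the function and variable names are the example's own.

```python
import re

# RFC 959 form of the reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# Data port is p1 * 256 + p2; the four h values are the data host's IPv4 octets.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed sample input: the 227 reply seen in the capture above.
CAPTURED_REPLY = "227 Entering Passive Mode (172,21,30,248,11,184)"
# The address the client's control connection was opened to (the VIP in the config).
CONTROL_PEER = "172.21.30.250"


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) advertised by a 227 reply, or raise ValueError."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, control_peer: str) -> tuple[str, int, list[str]]:
    """Decode a 227 reply and list the reasons a client would fail to use it.

    The key check is whether the advertised host equals the address the client
    already reached for the control connection. A difference means the device in
    the path did not rewrite the reply, so the client will try the server's real
    (or otherwise unreachable) address, which is what the ICMP unreachable in the
    capture shows.
    """
    host, port = parse_pasv(reply)
    findings: list[str] = []
    if host != control_peer:
        findings.append(
            f"advertised data host {host} differs from control-connection peer "
            f"{control_peer}: PASV reply was not translated"
        )
    if port == 0:
        findings.append("advertised data port is 0")
    return host, port, findings


if __name__ == "__main__":
    host, port, findings = check_pasv(CAPTURED_REPLY, CONTROL_PEER)
    print(f"data endpoint {host}:{port}")
    for f in findings:
        print("  problem:", f)
```

Running this against the captured reply decodes the data endpoint as 172.21.30.248:3000 (11 * 256 + 184 = 3000, the forced data port) and reports that the host differs from the VIP, which is the symptom to look for in a client-side trace when deciding whether the load balancer is rewriting passive replies at all.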
11-23-2005 04:37 AM
What version?
Can we get the config with the content rule and the group.
Gilles.
11-23-2005 09:12 AM
Hi! Version is 07.50.1.03.
Here's my config:
!*************************** GLOBAL ***************************
no restrict web-mgmt
console authentication secondary local
virtual authentication secondary local
username admin des-password zc1h3hbfccbaqazdccyetchbnawcohag superuser
logging buffer 5000
ftp-record vsftp1 172.21.30.235 ftpuser des-password eagh1hidzbuhxhre
ftp-record vsftp2 172.21.30.236 ftpuser des-password eagh1hidzbuhxhre
ip route 0.0.0.0 0.0.0.0 172.21.30.254 1
ip route 172.21.30.0 255.255.255.0 172.21.30.254 1
!************************* INTERFACE *************************
interface e1
  description "DMZ"
interface e2
  description "LONVSWEB01"
interface e4
  description "LONVSWEB02"
!************************** CIRCUIT **************************
circuit VLAN1
  description "Webservers"
  ip address 172.21.30.249 255.255.255.0
!************************** SERVICE **************************
service LONVSWEB01
  ip address 172.21.30.235
  keepalive type tcp
  active
service LONVSWEB02
  keepalive type tcp
  ip address 172.21.30.236
  active
service vsftp1
  ip address 172.21.30.235
  active
service vsftp2
  ip address 172.21.30.236
  active
!*************************** OWNER ***************************
owner VS_VIP
  content VS_FTPSERVERS
    vip address 172.21.30.250
    protocol tcp
    application ftp-control
    add service vsftp2
    add service vsftp1
    active
  content VS_SMTPSERVERS
    protocol tcp
    port 25
    advanced-balance sticky-srcip
    vip address 172.21.30.250
    add service LONVSWEB01
    add service LONVSWEB02
    active
  content VS_SSL_TCP443
    protocol tcp
    port 443
    add service LONVSWEB02
    vip address 172.21.30.250
    advanced-balance sticky-srcip
    add service LONVSWEB01
    active
  content VS_WEBSERVERS
    protocol tcp
    port 80
    add service LONVSWEB02
    vip address 172.21.30.250
    advanced-balance sticky-srcip
    add service LONVSWEB01
    active
!*************************** GROUP ***************************
group vsftp
  vip address 172.21.30.250
  add destination service vsftp2
  active
11-24-2005 12:55 AM
Could you replace the line "add destination service vsftp2" with "add service vsftp2" and also add the same line for the 2nd service.
Let me know if it works.
If not, could you capture a sniffer trace on client and server to see what is going on.
Thanks,
Gilles.