Passive FTP through a CSS 11500

spulley
Level 1

Hi all!

I'm having some real issues getting Passive FTP to work through my CSS. The setup is a fairly normal one: 2 VLANs (ext and internal); a content group with the application ftp setting and a group specifying the service to control NATing. Active FTP works just fine, which I'm led to believe is the more difficult of the two to get working. With Passive, I see the control connection set up, but when the client goes to connect to the high data port (which we have forced to a single port - 3000) all communication ceases and we see this in a capture:

FTP: Resp. to Port 1679, '227 Entering Passive Mode (172,21,30,248,11,184)'

43 17.812500 LOCAL 000ED792F60C TCP Control Bits: ....S., len: 0, seq:1220116563-1220116564, ack: 0, win:65535, src: 1680 dst: 3000

44 17.812500 000ED792F60C LOCAL ICMP Destination Unreachable: 172.21.30.248 (See frame 43) VS_VIP LONNS02 IP

Can anybody tell me for certain that Passive FTP can work with a CSS? Nothing I've read states that categorically. Can you point me in the right direction with how it might be configured, as I'm thinking that I have a NAT issue somewhere...

Many Thanks

Oli
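The 227 reply in the capture above carries the data endpoint as six comma-separated bytes (the last two give 11*256+184 = 3000). As an added diagnostic example, not code from the thread or from Cisco, the following parses such a reply, computes the port, and flags a reply whose advertised address differs from the address the client opened the control connection to (the VIP 172.21.30.250 from the posted config), which is the symptom of a passive reply passing through the NAT untranslated. It also accepts the RFC 2428 EPSV form, which the thread does not discuss.

```python
import re
from ipaddress import IPv4Address

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 "229 Entering Extended Passive Mode (|||port|)"; the address is implicit
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line, control_peer):
    """Return (address, port) the server asks the client to open the data connection to.

    control_peer is the address the client used for the control connection
    (the VIP when going through a load balancer). For EPSV the address is by
    definition the control peer; for PASV it is whatever the server advertised.
    Raises ValueError if the reply is malformed or a field is out of range.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("PASV field out of range: " + line)
        return str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}")), p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range: " + line)
        return str(IPv4Address(control_peer)), port
    raise ValueError("not a passive-mode reply: " + line)


def diagnose_passive_reply(line, control_peer):
    """Return (address, port, verdict) for a client sitting behind a VIP/NAT."""
    addr, port = parse_passive_reply(line, control_peer)
    if addr != control_peer:
        verdict = ("untranslated: server advertised %s but the client reached it via %s; "
                   "the NAT/ALG did not rewrite the passive reply" % (addr, control_peer))
    else:
        verdict = "ok: data connection goes to the same address as the control connection"
    return addr, port, verdict


if __name__ == "__main__":
    # Constructed sample: the reply from the capture, seen by a client that used the VIP
    print(diagnose_passive_reply("227 Entering Passive Mode (172,21,30,248,11,184)", "172.21.30.250"))
```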

3 Replies

Gilles Dufour
Cisco Employee

what version ?

Can we get the config with the content rule and the group.

Gilles.

Hi! Version is 07.50.1.03.

Here's my config:

!*************************** GLOBAL ***************************
no restrict web-mgmt
console authentication secondary local
virtual authentication secondary local
username admin des-password zc1h3hbfccbaqazdccyetchbnawcohag superuser
logging buffer 5000
ftp-record vsftp1 172.21.30.235 ftpuser des-password eagh1hidzbuhxhre
ftp-record vsftp2 172.21.30.236 ftpuser des-password eagh1hidzbuhxhre
ip route 0.0.0.0 0.0.0.0 172.21.30.254 1
ip route 172.21.30.0 255.255.255.0 172.21.30.254 1

!************************* INTERFACE *************************
interface e1
  description "DMZ"
interface e2
  description "LONVSWEB01"
interface e4
  description "LONVSWEB02"

!************************** CIRCUIT **************************
circuit VLAN1
  description "Webservers"
  ip address 172.21.30.249 255.255.255.0

!************************** SERVICE **************************
service LONVSWEB01
  ip address 172.21.30.235
  keepalive type tcp
  active

service LONVSWEB02
  keepalive type tcp
  ip address 172.21.30.236
  active

service vsftp1
  ip address 172.21.30.235
  active

service vsftp2
  ip address 172.21.30.236
  active

!*************************** OWNER ***************************
owner VS_VIP

  content VS_FTPSERVERS
    vip address 172.21.30.250
    protocol tcp
    application ftp-control
    add service vsftp2
    add service vsftp1
    active

  content VS_SMTPSERVERS
    protocol tcp
    port 25
    advanced-balance sticky-srcip
    vip address 172.21.30.250
    add service LONVSWEB01
    add service LONVSWEB02
    active

  content VS_SSL_TCP443
    protocol tcp
    port 443
    add service LONVSWEB02
    vip address 172.21.30.250
    advanced-balance sticky-srcip
    add service LONVSWEB01
    active

  content VS_WEBSERVERS
    protocol tcp
    port 80
    add service LONVSWEB02
    vip address 172.21.30.250
    advanced-balance sticky-srcip
    add service LONVSWEB01
    active

!*************************** GROUP ***************************
group vsftp
  vip address 172.21.30.250
  add destination service vsftp2
  active

Could you replace the line "add destination service vsftp2" with "add service vsftp2" and also add the same line for the 2nd service.

Let me know if it works.

If not, could you capture a sniffer trace on client and server to see what is going on.

Thanks,

Gilles.