FTP Head Ache (Multiple ADSL lines)

l33h3lluk
Level 1

Hi,

I'm hoping someone will be able to help me with a solution to my problem.

I have a CISCO 2811 running IOS 12.4 and 4 ADSL lines, unfortunately not bonded, so they have separate public IP addresses. NAT and CEF have been set up so that traffic is pretty much balanced over all 4 lines.

The problem is FTP: connecting to a server using standard ports is either very slow to connect or times out when trying to connect for "data". I have tried shutting down all but one interface and it works fine; as you bring up the interfaces the delay gets bigger. I suspect the problem is that sometimes the data channel traffic is getting sent down another line and therefore has a different IP address, which means it gets blocked by the FTP service because it hasn't been authenticated. I may be wrong though.

I can't work out how to resolve the problem. I thought of an alternative way, trying to force all FTP traffic down one line, which isn't ideal but would do as a temporary workaround, but I can't get it to work.

Basically what I am doing is creating two ACLs like so:

ip nat inside source route-map rmd0 interface Dialer0 overload
ip nat inside source route-map rmd1 interface Dialer1 overload
ip nat inside source route-map rmd2 interface Dialer2 overload
ip nat inside source route-map rmd3 interface Dialer3 overload
!
.....
.....
!
access-list 115 deny tcp any any eq ftp
access-list 115 deny tcp any any eq ftp-data
access-list 115 permit ip any any
access-list 6 permit 192.168.1.0 0.0.0.255
route-map rmd3 permit 10
 match ip address 6
 match interface Dialer3
!
route-map rmd2 permit 10
 match ip address 115
 match interface Dialer2
!
route-map rmd1 permit 10
 match ip address 115
 match interface Dialer1
!
route-map rmd0 permit 10
 match ip address 115
 match interface Dialer0
!

But this doesn't seem to resolve the problem either.

Anyone got any bright ideas?


Yeah, I have been using Wireshark, which replaces Ethereal, although it's not really told me a lot that I don't already know.

I had a look at the NBAR stuff but couldn't see any way to use it how I need to. You can't seem to (well, not obviously) be able to specify a policy that matches FTP traffic to use a certain interface.

Can't believe it can be this difficult to get working.

Lee.

Giuseppe Larosa
Hall of Fame

Hello Lee,

>> I suspect the problem is that sometimes the data channel traffic is getting sent down another line and therefore has a different IP address, which means it gets blocked by the FTP service because it hasn't been authenticated. I may be wrong though.

No, this cannot happen:

the FTP is sourced by using a single public address; once that is chosen a NAT entry is created and also the data connection is constrained to use the same IP endpoints.

I hope you are not using any per-packet load-balancing command in your router; that could be a problem.

Are you also using CBAC or other security measures that could affect the FTP session setup?

Hope to help

Giuseppe

I had the same problem. Using PBR on f0/0 fixed it, but if dialer 3 is down then it doesn't work.

See from cisco doc..

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

"Set Clauses-Defining the Route:

If the match clauses are satisfied, one of the following set clauses can be used to specify the criteria for forwarding packets through the router; they are evaluated in the order listed:

1 List of interfaces through which the packets can be routed-If more than one interface is specified, then the first interface that is found to be up will be used for forwarding the packets."

The dialer is always up (spoofing) and if it is down (ATM down) packets will still be sent to dialer 3. Any solution?

Hi Azharmirza,

No success so far.

In the end we have got some Cisco Partner looking into it, although that was the end of last weekend and still no resolution.

I spent over a week trying to get my head around IOS but never really got anywhere. In response to giuslar, apparently it can happen: the engineer from the company was watching traffic and the return would come in on a different dialer. We are using CEF, which apparently should do load balancing per stream. *Shrugs*

Hello,

I solved this for my setup. I had exactly the same setup as mentioned in the 1st post. I used a dirty hack using EEM.

As the FTP session opens multiple flows, it always goes through the 1st and then the 2nd dialer and the connection is reset.

I created a policy route-map ftp1 to match FTP traffic and force it out via dialer 1, but also tracked dialer 1 state, and if dialer 1 goes down, EEM will automatically change the CLI config to set the interface to dialer 2 (when dialer 1 is down). For this I created another route-map to set the interface via dialer 2. For me it works... I also changed "ip cef load-sharing algorithm original".

If you require any more info please let me know.

Regards,

azhar.mirza@zen.co.uk
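The approach azharmirza describes above (pin FTP control and data to one dialer with PBR, track that dialer, and let an EEM applet swap the policy when it fails), written out as an added example configuration. This is not configuration from the original post or from Cisco; it assumes the LAN is 192.168.1.0/24 behind FastEthernet0/0 (the subnet and interface named in the thread), that the NAT route-maps from the first post remain in place so traffic policy-routed out Dialer1 is translated to Dialer1's address, and it uses 203.0.113.1 as a placeholder probe target that must answer ICMP through Dialer1. The route-map name ftp1 comes from the thread; FTP-OUT, ftp2 and the applet names are made up here.

```cisco
! FTP control (tcp/21) and active-mode data (tcp/20) from the LAN
ip access-list extended FTP-OUT
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
!
! Primary policy: every FTP flow leaves via Dialer1, so control and data share one public address
route-map ftp1 permit 10
 match ip address FTP-OUT
 set interface Dialer1
!
! Standby policy, applied by EEM only while Dialer1 is unusable
route-map ftp2 permit 10
 match ip address FTP-OUT
 set interface Dialer2
!
interface FastEthernet0/0
 ip policy route-map ftp1
!
! Dialer1 stays "up" because of spoofing, so test real reachability through it instead
! (203.0.113.1 is a placeholder; on IOS before 12.4(20)T the track line is "track 1 rtr 1 reachability")
ip sla 1
 icmp-echo 203.0.113.1 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Fail over: move the PBR policy on the LAN interface to ftp2 when the probe fails
event manager applet FTP-FAILOVER
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface FastEthernet0/0"
 action 4.0 cli command "ip policy route-map ftp2"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Dialer1 unreachable, FTP policy switched to ftp2"
!
! Fail back when the probe through Dialer1 succeeds again
event manager applet FTP-FAILBACK
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface FastEthernet0/0"
 action 4.0 cli command "ip policy route-map ftp1"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Dialer1 reachable, FTP policy restored to ftp1"
```

Two things to check after applying it: "show track 1" should report reachability up and "show ip policy" should list ftp1 on FastEthernet0/0; after a simulated Dialer1 outage the syslog line from the applet and "show ip policy" showing ftp2 confirm the switch. The "ip cef load-sharing algorithm original" change azharmirza mentions is a separate, global setting and is not part of this example.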

Hi azharmirza,

Could you post any examples of what changes are needed to get it working.

Thanks,

Lee.

Just a quick update. Updating IOS to 12.4(18) resolved the issue.