FTP Transfer failure across 2 load-balanced links

falain
Level 1

Hello,

An 1841 with a 4-port HWIC is connected to 2 public internet ADSL lines through 2 small ADSL routers (achieving inside-to-public IP DNAT).

The 2 DSL links have equal cost (static routes) and can load-balance traffic, protecting against link failure with IP SLA route tracking.

Users are connected to inside interface F0/0.

The 1841 is using 12.4(24)T1, the latest Firewall IOS, with IP inspect rules.

When users try to upload or download to an outside FTP server, the FTP transfer aborts (mainly on the LIST command).

If I disable one of the DSL links (i.e. by giving a higher cost to its static route), FTP works.

I also tested successfully with an FTP route-map (PBR) to force FTP to go through the same link.

FTP is using PASV mode.

When it aborts, I always see a %FW-DROP-PKT (due to a SYN packet) in the log.

With debugging, I found that the FTP control and FTP data connections frequently don't use the same path.

But I thought that IP CEF was using per-destination load-sharing by default.

So, for an FTP transfer, the data and control connections should go through the same path.

With FTP PBR, I lose the ability to recover from a DSL line failure (fixed static route).

It would be better if FTP could change its path when one DSL line fails.

Below is the relevant config:

interface FastEthernet0/0
 ip address a.a.a.a 255.255.255.0
 ip access-group Acl_Inside in
 ip wccp web-cache redirect in
 ip inspect Cbac out
 ip nat inside
 ip virtual-reassembly
 ip policy route-map Rm_Ftp
 duplex auto
 speed auto
!
track 3 ip sla 303 reachability
 delay down 10 up 10
!
track 4 ip sla 304 reachability
 delay down 10 up 10
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.0
 ip access-group Acl_Inside in
 ip wccp web-cache redirect in
 ip inspect Cbac out
 ip nat inside
 ip virtual-reassembly
 ip policy route-map Rm_Ftp
!
interface FastEthernet0/0/0
 description ** modem Adsl 1 **
 switchport access vlan 303
!
interface FastEthernet0/0/1
 description ** modem Adsl 2 **
 switchport access vlan 304
!
interface Vlan303
 description ** Adsl 1 **
 ip address 10.10.7.1 255.255.255.0
 ip access-group Acl_Outside in
 ip inspect Cbac out
 ip virtual-reassembly max-reassemblies 256
!
interface Vlan304
 description ** Adsl 2 **
 ip address 10.10.8.1 255.255.255.0
 ip access-group Acl_Outside in
 ip inspect Cbac out
 ip virtual-reassembly max-reassemblies 256
!
ip route 0.0.0.0 0.0.0.0 10.10.7.254 track 3
ip route 0.0.0.0 0.0.0.0 10.10.8.254 track 4
ip route 10.10.7.254 255.255.255.255 FastEthernet0/0/0
ip route 10.10.8.254 255.255.255.255 FastEthernet0/0/1
ip route 193.253.xx.xxx 255.255.255.255 10.10.8.254
ip route 193.253.yy.yyy 255.255.255.255 10.10.7.254
!
route-map Rm_Ftp permit 10
 match ip address Acl_Rm_Ftp
 set ip next-hop 10.10.7.254
 set interface FastEthernet0/0/0
!
ip sla 303
 icmp-echo 193.253.xx.xxx
 threshold 1000
ip sla schedule 303 life forever start-time now
ip sla 304
 icmp-echo 193.253.yy.yyy
 threshold 1000
ip sla schedule 304 life forever start-time now
!
route-map Rm_Ftp permit 10
 match ip address Acl_Rm_Ftp
 set ip next-hop 10.10.7.254
 set interface FastEthernet0/0/0
!
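A small model of the failure described in this post, added here as an example (not from the original post and not Cisco code): each link keeps its own stateful-inspection session table, the FTP inspector opens the PASV data pinhole on the link the control channel used, and the link for each new connection is chosen either by hashing source/destination IP (per-destination) or by round-robin (per-packet). The client/server addresses and the 227 reply are constructed.

```python
import hashlib
import re

# Constructed PASV reply from an outside FTP server (RFC 959 "227" form);
# the announced data port is p1*256 + p2.
PASV_REPLY = "227 Entering Passive Mode (193,253,1,2,195,80)"
CLIENT, SERVER = "192.168.1.10", "193.253.1.2"   # constructed addresses
LINKS = ("Adsl1", "Adsl2")


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None if malformed."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def pick_link(src, dst, mode, counter):
    """Model of CEF load sharing: per-destination hashes src/dst IP only,
    so one client/server pair always maps to the same link; per-packet
    round-robins and ignores the flow entirely."""
    if mode == "per-packet":
        return LINKS[next(counter) % 2]
    key = f"{src}|{dst}".encode()
    return LINKS[hashlib.sha256(key).digest()[0] % 2]


def ftp_transfer(mode):
    """Simulate control + PASV data channel; return the per-link outcome."""
    counter = iter(range(100))               # packet sequence for per-packet
    pinholes = {link: set() for link in LINKS}  # per-link session table
    # Control channel to port 21: the link that inspects it records it.
    ctl_link = pick_link(CLIENT, SERVER, mode, counter)
    pinholes[ctl_link].add((CLIENT, SERVER, 21))
    # FTP inspection reads the PASV reply and opens the data pinhole on
    # the link where the control channel was seen (not on the other one).
    data_ip, data_port = parse_pasv(PASV_REPLY)
    pinholes[ctl_link].add((CLIENT, data_ip, data_port))
    # Data channel SYN is routed independently by the load-sharing policy.
    data_link = pick_link(CLIENT, data_ip, mode, counter)
    if (CLIENT, data_ip, data_port) in pinholes[data_link]:
        return "LIST ok via " + data_link
    return "%FW-DROP-PKT on " + data_link   # no session state on this link
```

Under the per-destination model both channels land on the same link and the LIST succeeds; under per-packet the data SYN reaches the link with no matching session and is dropped, which is the symptom logged in the thread.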

4 Replies

Mohamed Sobair
Level 7

Hi Fremont,

It's indeed correct that the default CEF load balancing is per destination; however, from your description it seems the packets arrive out of sequence at the destination, which results in terminating the FTP connection.

I would first ensure that per-packet load balancing is not in use. If the problem still exists, then the following is a suggestion that would help you achieve what you are looking for:

1- Apply PBR for the FTP connection using the (verify-reachability) object tracking to both next hops (10.10.7.254 & 10.10.8.254).

2- This would ensure the FTP connection uses a single path but would be routed to the second path whenever the first path fails.

3- However, the above won't allow you to load-balance FTP traffic across equal paths, but it would ensure redundancy.

HTH

Mohamed

Hello Mohamed,

Thanks a lot for your answer.

I agree with you that an FTP route-map is not a kind solution.

But I tried many IP CEF debug commands without a clear explanation of what happens.

And I don't know where I can find

Thank you also for teaching me about a tracking object on PBR.

I will experiment with something like:

route-map Rm_FTP
 set ip next-hop verify-availability 10.10.7.254 1 track 3
 set ip next-hop verify-availability 10.10.8.254 2 track 4

Best regards

Alain

nsn-amagruder
Level 5

What protocols are you inspecting?

Have you tried just using ip inspect in on the inside interface and removing ip inspect out on the ADSL interfaces?

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Hello,

Here is my 1841 ip inspect config:

ip cef
ip inspect log drop-pkt
ip inspect max-incomplete high 2000
ip inspect max-incomplete low 1999
ip inspect one-minute high 4000
ip inspect one-minute low 3999
ip inspect hashtable-size 8192
ip inspect tcp window-scale-enforcement loose
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp reassembly alarm on
ip inspect name Cbac pop3
ip inspect name Cbac pptp
ip inspect name Cbac tcp router-traffic
ip inspect name Cbac udp router-traffic
ip inspect name Cbac icmp router-traffic
ip inspect name Cbac http java-list 10
ip inspect name Cbac esmtp
ip inspect name Cbac ftp
...
track 3 ip sla 303 reachability
 delay down 10 up 10
!
track 4 ip sla 304 reachability
 delay down 10 up 10
!
interface FastEthernet0/0
 ip address 255.255.255.0
 ip access-group Acl_Inside in
 ip wccp web-cache redirect in
 ip inspect Cbac out
 ip nat inside
 ip virtual-reassembly
 ip policy route-map Rm_Ftp
!
interface FastEthernet0/1
 ip address 255.255.255.0
 ip access-group Acl_DmzProxy in
 ip helper-address
 ip helper-address
 ip inspect Cbac out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0/0
 description ** Adsl rtr 1 **
 switchport access vlan 303
!
interface FastEthernet0/0/1
 description ** Adsl rtr 2 **
 switchport access vlan 304
!
interface Vlan303
 description ** Adsl 1 **
 ip address 255.255.255.0
 ip access-group Acl_Outside in
 ip inspect Cbac out
 ip virtual-reassembly max-reassemblies 256
!
interface Vlan304
 description ** Adsl 2 **
 ip address 255.255.255.0
 ip access-group Acl_Outside in
 ip inspect Cbac out
 ip virtual-reassembly max-reassemblies 256
!
router eigrp 1
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/0
 network 0.0.0.255
 distribute-list Acl_Eigrp out
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 track 3
ip route 0.0.0.0 0.0.0.0 track 4
ip route 255.255.255.255 FastEthernet0/0/0
ip route 255.255.255.255 FastEthernet0/0/1
ip route 255.255.255.255
ip route 255.255.255.255
ip sla 303
 icmp-echo
 threshold 1000
ip sla schedule 303 life forever start-time now
ip sla 304
 icmp-echo
 threshold 1000
ip sla schedule 304 life forever start-time now
!
route-map Rm_Ftp permit 10
 match ip address Acl_Rm_Ftp
 set ip next-hop verify-availability 1 track 3
 set ip next-hop verify-availability 2 track 4
 set interface FastEthernet0/0/0

On interfaces, I always use:

- ip access-group in
- ip inspect name Cbac out

in order to

- filter incoming traffic
- allow returning traffic

So, if the FTP client's traffic is allowed in on the inside interface, answers from the external FTP server are allowed to come back in on the outside ADSL interfaces.

Best regards,

Alain
