10-06-2010 09:08 AM
Hi everyone,
I have a problem with active FTP (passive FTP works fine).
Here is my conf:
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
rserver host ftp1
  ip address 10.0.151.131
  inservice
rserver host ftp2
  ip address 10.0.151.132
  inservice
serverfarm host ftp
  transparent
  failaction reassign
  rserver ftp1
    inservice
  rserver ftp2
    inservice
class-map match-any vip
  2 match virtual-address X.X.X.X tcp eq ftp
policy-map multi-match LBPOL
  class vip
    loadbalance vip inservice
    loadbalance policy lbpol
    loadbalance vip icmp-reply active
    inspect ftp
interface vlan 1000
  description public-side
  ip address Y.Y.Y.Y M.M.M.M
  no normalization
  no icmp-guard
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input LBPOL
  no shutdown
interface vlan 100
  description private-side
  ip address 10.0.99.160 255.255.0.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
On both hosts, I added the X.X.X.X VIP and the right rule/route with iproute2.
As I said at the beginning, passive FTP is OK. Active is not.
While in active mode, I can connect to the FTP server, but any list/put/get fails.
Any idea?
MA
10-06-2010 03:52 PM
One thing I don't understand here is why you have
serverfarm host ftp
  transparent
With this in place the ACE will not rewrite the destination IP and the server will receive a packet destined to the VIP. This is not very common, but it can work. The rest of your config seems to be fine, except the missing lbpol policy.
Which sw version are you running?
10-07-2010 02:39 AM
tx for answering.
transparent is to prevent my system from working with NAT.
policy-map multi-match LBPOL
  class vip
    loadbalance vip inservice
    loadbalance policy lbpol
    loadbalance vip icmp-reply active
    inspect ftp strict
system: Version A2(3.2) [build 3.0(0)A2(3.2)]
10-08-2010 01:46 AM
So both of your servers are expecting traffic with destination IP X.X.X.X? That is what the transparent command will do.
And the part that is missing begins with the line
policy-map type loadbalance first-match lbpol
10-08-2010 06:40 AM
Sorry, you are right:
policy-map type loadbalance first-match lbpol
  class class-default
    serverfarm ftp
10-08-2010 06:46 AM
So both of your servers are expecting traffic with destination IP X.X.X.X? That is what the transparent command will do.
=> yes.
10-08-2010 08:11 AM
got it
interface vlan 100
description private-side
ip address 10.0.99.160 255.255.0.0
+ mac-sticky enable
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
anyway tx Ivan