ACE FTP problem in active mode

marco.becu
Level 1

Hi everyone,

I have a problem with active FTP (passive FTP works fine).

Here is my conf:

access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

rserver host ftp1
  ip address 10.0.151.131
  inservice
rserver host ftp2
  ip address 10.0.151.132
  inservice

serverfarm host ftp
  transparent
  failaction reassign
  rserver ftp1
    inservice
  rserver ftp2
    inservice

class-map match-any vip
  2 match virtual-address X.X.X.X tcp eq ftp

policy-map multi-match LBPOL
  class vip
    loadbalance vip inservice
    loadbalance policy lbpol
    loadbalance vip icmp-reply active
    inspect ftp

interface vlan 1000
  description public-side
  ip address Y.Y.Y.Y M.M.M.M
  no normalization
  no icmp-guard
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input LBPOL
  no shutdown
interface vlan 100
  description private-side
  ip address 10.0.99.160 255.255.0.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

On both hosts, I added the X.X.X.X VIP and the good rule/route with iproute2.

As I said at the beginning, passive FTP is OK. Active is not.

While in active mode, I can connect to the FTP but any list/put/get fails.

Any idea?

MA

6 Replies

Ivan Kovacevic
Cisco Employee

One thing I don't understand here is why you have

serverfarm host ftp
  transparent

With this in place the ACE will not rewrite the destination IP and the server will receive a packet destined to the VIP. This is not very common, but it can work. The rest of your config seems to be fine, except the missing lbpol policy.

Which sw version are you running?

Tx for answering.

Transparent is to prevent my system from working with NAT.

policy-map multi-match LBPOL
  class vip
    loadbalance vip inservice
    loadbalance policy lbpol
    loadbalance vip icmp-reply active
    inspect ftp strict

system:    Version A2(3.2) [build 3.0(0)A2(3.2)]

So both your servers are expecting traffic with destination IP X.X.X.X? That is what the transparent command will do.

And the part that is missing begins with the line

policy-map type loadbalance first-match lbpol

Sorry, you are right:

policy-map type loadbalance first-match lbpol
  class class-default
    serverfarm ftp

So both your servers are expecting traffic with destination IP X.X.X.X? That is what the transparent command will do.

=> yes.

Got it

interface vlan 100
  description private-side
  ip address 10.0.99.160 255.255.0.0
+  mac-sticky enable
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

Anyway, tx Ivan
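The thread turns on the difference between active and passive FTP through a device that inspects the control channel ("inspect ftp" above): in active mode the server opens the data connection back to the client, in passive mode the client opens it to the server, so the two modes take opposite paths through a load balancer. The script below is an added example, not from the thread and not Cisco ACE code. It decodes the RFC 959 PORT command and 227 reply, describes the data flow an inspecting device would have to allow for each, and applies the peer-address consistency check an inspector can make; the sample session, addresses and function names are constructed for the illustration.

```python
"""Decode FTP data-channel negotiation from control-channel lines.

Added example (not from the thread). Active mode: the client sends
'PORT h1,h2,h3,h4,p1,p2' and the SERVER connects back (from port 20) to
that address. Passive mode: the server answers PASV with
'227 ... (h1,h2,h3,h4,p1,p2)' and the CLIENT connects. Port = p1*256 + p2.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str       # "active" or "passive"
    initiator: str  # side that opens the TCP data connection
    host: str       # address embedded in PORT / 227
    port: int


def _decode(match: "re.Match") -> Tuple[str, int]:
    """Turn the six comma-separated numbers into (host, port), rejecting bad octets."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in host/port tuple")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_line(line: str, sender: str) -> Optional[DataChannel]:
    """Return the negotiated data channel if this line (from 'client' or
    'server') carries one, None otherwise. Malformed tuples raise ValueError."""
    text = line.strip()
    if sender == "client" and text.upper().startswith("PORT "):
        m = _HOSTPORT.fullmatch(text[5:].strip())
        if not m:
            raise ValueError(f"malformed PORT argument: {text!r}")
        host, port = _decode(m)
        return DataChannel("active", "server", host, port)
    if sender == "server" and text.startswith("227"):
        m = _HOSTPORT.search(text)  # 227 replies vary in punctuation
        if not m:
            raise ValueError(f"227 reply without host/port tuple: {text!r}")
        host, port = _decode(m)
        return DataChannel("passive", "client", host, port)
    return None


def pinhole_for(chan: DataChannel, client_ip: str, server_ip: str) -> Dict[str, object]:
    """Describe the TCP flow an inspecting device must allow for this data channel."""
    if chan.mode == "active":
        # server -> client, source port 20 per RFC 959
        return {"src": server_ip, "sport": 20, "dst": chan.host, "dport": chan.port}
    # client -> server, ephemeral source port (unknown until the SYN arrives)
    return {"src": client_ip, "sport": None, "dst": chan.host, "dport": chan.port}


def address_matches_peer(chan: DataChannel, client_ip: str, server_ip: str) -> bool:
    """Consistency check: PORT should carry the client's own address and 227 the
    server's. A mismatch means the data connection would go to a third party,
    or (behind a load balancer or NAT) that an address was not rewritten."""
    expected = client_ip if chan.mode == "active" else server_ip
    return chan.host == expected


def session_flows(session: List[Tuple[str, str]], client_ip: str, server_ip: str) -> List[Dict[str, object]]:
    """Walk a control-channel transcript and collect the data flows it negotiates."""
    flows = []
    for sender, line in session:
        chan = parse_control_line(line, sender)
        if chan is not None:
            flow = pinhole_for(chan, client_ip, server_ip)
            flow["consistent"] = address_matches_peer(chan, client_ip, server_ip)
            flows.append(flow)
    return flows


# Constructed transcript: one active and one passive transfer in the same session.
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.5"
SAMPLE_SESSION = [
    ("client", "USER anonymous"),
    ("server", "230 Login successful."),
    ("client", "PORT 192,0,2,10,4,1"),               # active: client listens on 1025
    ("server", "200 PORT command successful."),
    ("client", "LIST"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (198,51,100,5,195,80)."),  # passive: server port 50000
    ("client", "RETR file.bin"),
]

if __name__ == "__main__":
    for flow in session_flows(SAMPLE_SESSION, CLIENT_IP, SERVER_IP):
        print(flow)
```

Running it shows the point the thread hinges on: the first transfer needs a server-initiated flow to 192.0.2.10:1025, the second a client-initiated flow to 198.51.100.5:50000. Anything that sits between client and server and load-balances or rewrites addresses has to handle both directions, which is why passive can work while active fails.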
