04-28-2011 06:57 PM
I have been trying to load balance ftp through the ACE SM. Active FTP works fine. Passive FTP fails every time and I cannot for the life of me figure out why. The context is routed and I have included the relevant config for the FTP farm. Can anyone advise?
serverfarm host 52-FTP
  failaction purge
  probe PING
  rserver FTP1
    inservice

class-map match-all class-52-VIP-FTP
  2 match virtual-address x.x.x.52 tcp eq ftp

policy-map type loadbalance first-match policy-52-LB
  class class-default
    serverfarm 52-FTP

policy-map multi-match policy-inbound-vlan-665
  class class-49-VIP
    loadbalance vip inservice
    loadbalance policy policy-49-LB
    loadbalance vip icmp-reply
  class class-50-VIP
    loadbalance vip inservice
    loadbalance policy policy-50
    loadbalance vip icmp-reply
  class class-52-VIP-FTP
    loadbalance vip inservice
    loadbalance policy policy-52-LB
    loadbalance vip icmp-reply
    inspect ftp

interface vlan 665
  description inside
  ip address 192.168.1.254 255.255.255.0
  no normalization
  access-group input any-allow
  service-policy input policy-REMOTE-MGMT-ALLOW
  service-policy input policy-inbound-vlan-665
  no shutdown
05-02-2011 02:41 AM
Hi David,
Some questions:
1) Is the passive FTP done with the client on the same LAN as the server? Or are the client's requests in passive mode indeed routed through two interfaces?
2) What do you get with "show service-policy policy-inbound-vlan-665 class class-52-VIP-FTP" multiple times during the client's attempts?
Do you see drops?
3) Try to do a packet capture on the client first to see what the client gets from the server as the socket to contact.
Alessandro
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
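To do the client-side check suggested in step 3, here is an added Python example (not code from the thread): it parses the 227 PASV reply as captured on the client and reports whether the advertised data socket is the VIP or a leaked real-server address on the inside subnet. The VIP 203.0.113.52 is a placeholder standing in for the thread's x.x.x.52; the 192.168.1.0/24 network is taken from the VLAN 665 configuration above.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port is p1*256 + p2.
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_pasv(reply, vip, server_nets):
    """Classify where the server told the client to open the data connection."""
    host, port = parse_pasv(reply)
    addr = ip_address(host)
    if addr == ip_address(vip):
        verdict = "ok"       # VIP advertised: the data channel will arrive at the load balancer
    elif any(addr in ip_network(n) for n in server_nets):
        verdict = "leak"     # real server address passed through: client will bypass the VIP
    else:
        verdict = "unknown"  # neither VIP nor a known server subnet; investigate
    return {"host": host, "port": port, "verdict": verdict}


# Constructed sample replies; 203.0.113.52 is a placeholder for the thread's x.x.x.52.
VIP = "203.0.113.52"
SERVER_NETS = ["192.168.1.0/24"]  # inside subnet of VLAN 665 from the thread
REWRITTEN = "227 Entering Passive Mode (203,0,113,52,195,80)"
LEAKED = "227 Entering Passive Mode (192,168,1,10,200,1)"

if __name__ == "__main__":
    for r in (REWRITTEN, LEAKED):
        print(r, "->", check_pasv(r, VIP, SERVER_NETS))
```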
05-02-2011 12:15 PM
David,
It appears you are implementing the ACE in one-arm mode, which will require source NAT for client traffic unless your FTP servers have a DFGW of the ACE.
With that said, in order to statefully load balance PASV FTP you will require some additional lines of configuration, since the server will negotiate with the client a random high port to connect on; you need to create a match-any VIP (see the marked line below):
class-map match-any FTP-VIP
  2 match virtual-address 10.10.10.10 tcp eq ftp

class-map match-all FTP-NAT
  2 match virtual-address 10.10.10.10 any    <---- required for the passive ftp data connection

policy-map type loadbalance first-match LB_FTP
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match VIPS
  class FTP-VIP
    loadbalance vip inservice
    loadbalance policy LB_FTP
    loadbalance vip icmp-reply active
    inspect ftp
  class FTP-NAT
    nat dynamic 10 vlan 172    <---- added in order to client NAT both the ftp control and data channel
Note: if you add the nat statement you will need to define nat pool 10 under your vlan 665 interface (you can just PAT connections and use a single IP, or PAT to the VIP address). For example:

interface vlan 665
  description inside
  ip address 192.168.1.254 255.255.255.0
  no normalization
  access-group input any-allow
  service-policy input policy-REMOTE-MGMT-ALLOW
  service-policy input policy-inbound-vlan-665
  nat-pool 10 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown
HTH.
05-02-2011 06:22 PM
Thanks for the input guys. I ended up opening a TAC case on this one. Evidently there were some code changes in A2(2.0) that require the inspect statements to be in their own class. This config took care of it.
class-map match-all VIP-FTP-INSPECT
  2 match port tcp eq ftp

policy-map multi-match policy-inbound-vlan-665
  class class-52-VIP-FTP
    no inspect ftp    <---- removed ftp inspect and moved it down into its own class
  class VIP-FTP-INSPECT
    inspect ftp strict