
CSS 11501 ftp server setup problem using non-standard port

bau
Level 1

Dear Expert,

We would like to set up an FTP server over CSS where our member server uses non-standard ports to open both control/data channels (i.e. 6370 as ctrl and 6369 as data in this case), but it seems we can only get Passive mode FTP to work, not Active mode FTP, for data channel establishment from the server back to the client. Is there any professional advice that can help in this case? Here is our setup info, FYI:

#  sh ver
Version:               sg0820501 (08.20.5.01)
Flash (Locked):        08.10.1.06
Flash (Operational):   08.20.5.01
Type:                  PRIMARY
Licensed Cmd Set(s):   Standard Feature Set
                       Secure Management
CVDM Version:          cvdm-css-1.0_K9

!*************** Global
ftp data-channel-timeout 10
  ftp non-standard-ports

!************************** SERVICE **************************
service ftp_ftpgtw
  keepalive maxfailure 2
  keepalive frequency 15
  keepalive retryperiod 2
  keepalive type tcp
  ip address 192.168.52.170
  protocol tcp
  keepalive port 6370
  port 6370
  active

# sh run group drfusegtwftp_grp 
!*************************** GROUP ***************************
group gtwftp_grp
  vip address 192.168.52.28
  add service ftp_ftpgtw
  active

!******************************************************
  content ftp_gtwpkg-ftpgtw
    add service ftp_ftpgtw
    vip address 192.168.52.28
    port 21
    protocol tcp
    application ftp-control
    active


Daniel Arrondo Ostiz
Cisco Employee

Good morning,

At first sight, I don't see anything wrong with your configuration, so I would recommend that you take simultaneous traffic captures on both sides of the CSS while doing a test connection. This should allow us to see what is really happening with these failed connections.

Regards

Daniel

Thanks for first confirming that no problem was found at the config level :P, as that saves us a lot of time in isolating the problem at this level.

What we can notice is that the data port connection seems to fail to open from the server back to the client. In our general understanding, the expected flow should be:

TCP session A -- Client:1234 --> VIP:21 --> member svr:6370

TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 6379 [on demand generated between server/client]

but we can only see session B fail to set up when the client side accesses the VIP site on the CSS. Even when we try the most standard case, as below:

TCP session A -- Client:1234 --> VIP:21 --> member svr:21

TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 20

we are still unable to make Active mode FTP access work either. Hence we have no idea how the CSS handles FTP access when it involves services over multiple TCP ports.

And from the CSS xlate view, the problem is that we can only see which NAT IP the CSS uses to connect to the client, but there is no way to confirm which port the VIP uses outgoing to the client, nor whether it is dropped by the CSS or never set up from the VIP to the client side.

Good morning

And from the CSS xlate view, the problem is that we can only see which NAT IP the CSS uses to connect to the client, but there is no way to confirm which port the VIP uses outgoing to the client, nor whether it is dropped by the CSS or never set up from the VIP to the client side.

This is why I suggested doing traffic captures on both sides. It's the best way to show what's really going on.
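
The two-sided capture comparison suggested in this thread can be scripted. The following is an added example, not code from any post or from Cisco: it decodes the active-mode PORT command and reports where the server-to-client data connection stops. The client address 10.0.0.5, the packet tuple layout, the function names, and the assumption that the PORT command appears unmodified on the server side are all constructed for illustration.

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(payload):
    """Decode an RFC 959 PORT argument into the (ip, port) the server must dial."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def announced(capture):
    """First data endpoint announced by a PORT command in a capture, or None."""
    for pkt in capture:
        endpoint = parse_port(pkt[5])
        if endpoint:
            return endpoint
    return None

def diagnose(client_side, server_side):
    """Compare both captures and say where the active-mode data channel stops."""
    want_c, want_s = announced(client_side), announced(server_side)
    if want_c is None:
        return "no PORT command on client side"
    if want_s is None:
        return "PORT command never reached the server side"
    if not any((p[2], p[3]) == want_s and p[4] == "S" for p in server_side):
        return "server sent no SYN to %s:%d" % want_s
    if not any((p[2], p[3]) == want_c and p[4] == "S" for p in client_side):
        return "data SYN left the server but never appeared on the client side"
    if not any((p[0], p[1]) == want_c and p[4] == "SA" for p in client_side):
        return "client did not answer the data SYN"
    return "data channel handshake visible on both sides"

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, flags, payload).
CLIENT, VIP, SERVER = "10.0.0.5", "192.168.52.28", "192.168.52.170"
CLIENT_SIDE = [(CLIENT, 1234, VIP, 21, "PA", "PORT 10,0,0,5,22,46\r\n")]
SERVER_SIDE = [
    (CLIENT, 1234, SERVER, 6370, "PA", "PORT 10,0,0,5,22,46\r\n"),
    (SERVER, 6369, CLIENT, 5678, "S", ""),  # server dials 22*256+46 = 5678
]

if __name__ == "__main__":
    print(diagnose(CLIENT_SIDE, SERVER_SIDE))
```

With real captures, the tuples would be filled from the packet summaries exported on each side of the CSS during the same test connection.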
