05-12-2014 06:04 AM
Hi,
I am unable to create a passive-mode FTP session on my ACE. My scenario is that I have to connect to the FTP servers through modems installed on the outside network via the GPRS network. My configuration for the same is as follows:
access-list PERMIT line 8 extended permit ip any any
access-list PERMIT line 16 extended permit icmp any any
============
probe tcp AMRAPPFTP
port 21
interval 4
faildetect 2
passdetect interval 4
passdetect count 2
receive 45
connection term forced
open 1
==================
rserver host AMRAPP3S1
ip address 10.96.7.161
inservice
rserver host AMRAPP3S2
ip address 10.96.7.166
inservice
===================
serverfarm host AMRAPP3
description ZONE3
probe AMRAPPFTP
probe PORT80
rserver AMRAPP3S1
inservice
rserver AMRAPP3S2
inservice
=============================
sticky ip-netmask 255.255.255.255 address both ACEAMRAPP3-sticky
timeout 5
serverfarm AMRAPP3
=============================
class-map match-all L4_VIP_AMRAPP3FTPtest
2 match virtual-address 10.96.7.85 tcp eq ftp
===========================
policy-map type loadbalance first-match L7_VIP_AMRAPP3
class class-default
sticky-serverfarm ACEAMRAPP3-sticky
===================================
policy-map multi-match L4_LB_COMMON_POLICY
class L4_VIP_AMRAPP3FTPtest
loadbalance vip inservice
loadbalance policy L7_VIP_AMRAPP3
loadbalance vip icmp-reply
inspect ftp
==============================
interface vlan 2
description APPLICATION SERVER
ip address 10.96.7.129 255.255.255.128
alias 10.96.7.131 255.255.255.128
peer ip address 10.96.7.130 255.255.255.128
access-group input PERMIT
service-policy input L4_LB_COMMON_POLICY
===============================
interface vlan 20
description APPLICATION FIREWALL
ip address 10.96.7.4 255.255.255.128
alias 10.96.7.6 255.255.255.128
peer ip address 10.96.7.5 255.255.255.128
access-group input PERMIT
service-policy input L4_LB_COMMON_POLICY
================================
ip route 0.0.0.0 0.0.0.0 10.96.7.1
=========================
Here is the output I am getting while trying to connect via modem IP 172.20.66.139 (inside server port range: TCP 55500 - 55590):
sh conn | in 172.20.66.139
1514769 1 in TCP 20 172.20.66.139:0 10.96.7.85:28881 SYNSEEN
881418 2 in TCP 20 172.20.66.139:55410 10.96.7.85:21 ESTAB
500123 2 out TCP 2 10.96.7.166:21 172.20.66.139:55410 ESTAB
1157506 2 in TCP 20 172.20.66.139:0 10.96.7.85:28881 SYNSEEN
Further, as for routing, I have routed the 172.20.0.0/21 subnet to the 10.200.1.0 subnet, which is gatewayed (10.200.1.1) on my firewall, and there this pool is NATed to 10.96.7.85 (10.200.1.15).
Any help is appreciated.
05-18-2014 07:05 AM
Hi Anil,
The configuration looks fine here, and if you look at these two lines of "show conn" output:
881418 2 in TCP 20 172.20.66.139:55410 10.96.7.85:21 ESTAB
500123 2 out TCP 2 10.96.7.166:21 172.20.66.139:55410 ESTAB
The above shows that the control connection between the FTP server and client is successful. But I don't see the data channel being established here. In passive FTP, the client initiates the DATA connection. Also, I see you have applied the service policy on both VLANs. You just need that on the client-side VLAN and not the server side. Can we take a pcap on the client itself and see what is going on?
Attaching a document for your reference.
Regards,
Kanwal
05-21-2014 06:07 AM
05-21-2014 07:26 AM
Hi Anil,
Please tell me where this pcap was taken and also send it to me in a format which I can open in Wireshark. This is a txt file. I tried renaming it but no luck.
Regards,
Kanwal
05-26-2014 01:59 AM
05-28-2014 05:49 AM
Hi Anil,
I see packet #73 and it looks fine. I see the server sending the port to the client with its own IP. Now, due to "inspect ftp", ACE will look inside the packet and translate the server IP to the VIP, which in turn I guess would be NATed on the firewall etc. and then goes to the client.
We shall have pcaps at the front end as well as the back end simultaneously to see what is going on. The RST comes from the ACE IP here in the back end. But it could be due to the fact that the client sent the RST at the front end. Can you check on the firewall if it is dropping any connection by any chance?
Regards,
Kanwal
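To make Kanwal's point about the PASV reply concrete, here is an added example (not from the thread and not Cisco's code) that parses a "227 Entering Passive Mode" reply, rewrites the real server's IP to the VIP the way "inspect ftp" does on the control channel, and then checks a "show conn" listing for the data channel the client should open. The 227 reply and the extra conn line in the test are constructed; the VIP, the passive port range and the four conn lines come from the question.

```python
import re

VIP = "10.96.7.85"                    # virtual address from the class-map in the question
PASSIVE_PORTS = range(55500, 55591)   # server-side passive port range stated in the question

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
CONN_RE = re.compile(r"^\s*\d+\s+\d+\s+(in|out)\s+TCP\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError("value above 255 in PASV reply")
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def rewrite_pasv(reply, vip=VIP):
    """Replace the real server's IP in the reply with the VIP and keep the port;
    this is the control-channel fixup that FTP inspection performs for the client."""
    _, port = parse_pasv(reply)
    fields = vip.split(".") + [str(port // 256), str(port % 256)]
    return "227 Entering Passive Mode (%s)\r\n" % ",".join(fields)

def data_channel_state(show_conn, client_ip, port, vip=VIP):
    """Look for the client's inbound data connection to <vip>:<port> in 'show conn'
    output; return its state column, or None when no such connection exists."""
    for line in show_conn.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        direction, src, _sport, dst, dport, state = m.groups()
        if direction == "in" and src == client_ip and dst == vip and int(dport) == port:
            return state
    return None

# Constructed 227 reply from rserver 10.96.7.166 on a port inside the stated range.
SERVER_REPLY = "227 Entering Passive Mode (10,96,7,166,216,212)\r\n"
# The four conn lines from the question: control channel only, no data channel.
SHOW_CONN = """\
1514769 1 in TCP 20 172.20.66.139:0 10.96.7.85:28881 SYNSEEN
881418 2 in TCP 20 172.20.66.139:55410 10.96.7.85:21 ESTAB
500123 2 out TCP 2 10.96.7.166:21 172.20.66.139:55410 ESTAB
1157506 2 in TCP 20 172.20.66.139:0 10.96.7.85:28881 SYNSEEN
"""
```

Running `data_channel_state(SHOW_CONN, "172.20.66.139", port)` with the port from the reply returns None for the listing in the question, which is the missing data channel Kanwal describes; an ESTAB line from the client to the VIP on that port is what a working passive transfer would add.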