11-22-2004 11:52 AM
We have attempted to set up a CE (ACNS 5.2.1) to cache HTTP and FTP traffic using WCCP transparent redirection. HTTP caching using the standard web-cache service appears to be working just fine. However, the FTP cache service 60 seems to have some problems. FTP connections from WinXP workstations seem to be fine using CoreFTP, IE and CuteFTP, but not using the native CLI FTP client. FTP connections from Win2k workstations do not work from IE or the native FTP client, but mostly work from FTP clients that switch to passive mode. Clients do not have any proxy configurations set up, and I'd prefer to keep it that way if possible. Any suggestions, fixes, workarounds will be greatly appreciated. Relevant config below.
Thanks
************
ftp proxy anonymous-pswd bla@bla.com
ftp proxy incoming 80
ftp max-ttl days directory-listing 3 file 14
ftp reval-each-request all
ftp proxy active-mode enable
wccp ftp router-list-num 1
wccp version 2
11-23-2004 08:05 AM
Under IE on Win2k, if you go to Tools, Internet Options..., Advanced, and select 'Enable folder view for FTP sites' - does it now work using IE?
Sounds to me like there is a problem using Active mode. The portion of the ACNS config you provided is correct. Have you checked to see if some other device is blocking the data channel between the CE and the origin FTP server? You can also try forcing the CE to always use passive mode with the origin server with the following command:
no ftp proxy active-mode enable
Give that a shot, and post the results.
~Zach
11-23-2004 09:53 AM
Zach,
Thanks for the tip! It got me going in the right direction.
I started doing some testing with active vs. passive mode and this is what I found:
1) a passive mode ftp client works with all ftp servers that support passive mode connections
2) an active mode ftp client fails regardless of the 'ftp proxy active-mode' configuration.
So, since our CE is sitting outside of our NAT'ing firewall, I suspected our firewall is what was giving us grief, which I confirmed by exposing a client and testing. And, doing some research about the differences between active and passive modes, this kind of makes sense. However, what bothers me is that we can establish active mode FTP sessions just fine without the CE, so the firewall can handle that. Also, my understanding of the CE is that the FTP client establishes an FTP session with the CE's FTP server, and then the CE does its thing. So if the connection between the client and the CE is just like any other FTP session, does that mean the CE's FTP server cannot handle NAT'ed sessions when in active mode, or is it that WCCP is causing a problem? Or am I missing a magic configuration setting? Keeping in mind that web-cache and passive FTP works fine through the CE, I suspect the problem is with the CE's implementation of the active mode FTP server.
Yes, I know the documentation says to put the CE inside the firewall, before NAT'ing, but in our situation, this is not an option.
Any thoughts?
Thanks,
Nathan
11-23-2004 12:17 PM
There are basically two (2) ftp sessions involved:
Client <--> CE
CE <--> Origin ftp server (assuming a cache miss)
The CE shouldn't care about Active mode unless the Active IP address in the PORT command isn't being translated. I'm assuming that you have fixup configured on your firewall (you are using a PIX firewall, right :) ) for ftp?
Do you have access to the firewall logs? Can you look for denies from the CE with a source port of 20?
Can you take a sniffer trace between the firewall, CE, and wccp router?
~Zach
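The check suggested above (is the address inside the PORT command being translated?) can be run over control-channel lines pulled from a sniffer trace. This is an added example, not part of the original thread or of any Cisco tooling; the function names, record format and sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2 carries the client's data-channel IPv4 address and port.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(line):
    """Return (ip_string, port) for a valid PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_trace(records):
    """records: (packet_source_ip, control_line) pairs seen at the capture point.
    Returns (source_ip, port_ip, port, status) for every PORT command found."""
    findings = []
    for src, line in records:
        parsed = parse_port(line)
        if parsed is None:
            continue
        ip, port = parsed
        addr = ipaddress.ip_address(ip)
        if ip == src:
            status = "OK"                    # payload matches the IP header
        elif any(addr in net for net in RFC1918):
            status = "UNTRANSLATED_PRIVATE"  # inside address passed through NAT unchanged
        else:
            status = "MISMATCH"              # differs, but is not an RFC 1918 address
        findings.append((src, ip, port, status))
    return findings

# Constructed sample, as captured outside the NAT firewall (between firewall and CE).
# 203.0.113.10 stands in for the translated client address, 192.168.1.50 for the real one.
SAMPLE = [
    ("203.0.113.10", "USER anonymous"),
    ("203.0.113.10", "PORT 192,168,1,50,19,137"),  # payload not rewritten
    ("203.0.113.10", "PORT 203,0,113,10,19,137"),  # payload rewritten by the firewall
    ("203.0.113.10", "PORT 300,0,113,10,19,137"),  # malformed octet, ignored
]

if __name__ == "__main__":
    for finding in check_trace(SAMPLE):
        print(finding)
```

An `UNTRANSLATED_PRIVATE` result at that capture point means the FTP server side is being told to open its data connection to an address it cannot reach, which matches the active-mode failure described in the thread.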