FTP proxy problems

wally1975 · ‎11-22-2004

We have attempted to setup a CE (ACNS 5.2.1) to cache http and ftp traffic using WCCP transparent redirection. HTTP caching using the standard web-cache service appears to be working just fine. However, the FTP cache service 60 seems to have some problems. FTP connections from WinXP workstations seem to be fine using CoreFTP, IE and CuteFTP, but not using the native cli FTP client. FTP connections from Win2k workstations do not work from IE or the native ftp client, but mostly work from ftp clients that switch to passive mode. Clients do not have any proxy configurations setup, and I'd prefer to keep it that way if possible. Any suggestions, fixes, workarounds will be greatly appreciated. Relevant config below.

Thanks

************

ftp proxy anonymous-pswd bla@bla.com

ftp proxy incoming 80

ftp max-ttl days directory-listing 3 file 14

ftp reval-each-request all

ftp proxy active-mode enable

wccp ftp router-list-num 1

wccp version 2

seilsz · ‎11-23-2004

Under IE on Win2k, if you go to Tools, Internet Options..., Advanced, and select 'Enable folder view for FTP sites' - does it now work using IE?

Sounds to me like there is a problem using Active mode. The portion of the ACNS config you provided is correct. Have you checked to see if some other device is blocking the data channel between the CE and the origin FTP server? You can also try forcing the CE to always use passive mode with the origin server with the following command:

no ftp proxy active-mode enable

Give that a shot, and post the results.

~Zach

wally1975 · ‎11-23-2004

Zach,

Thanks for the tip! It got me going in the right direction.

I started doing some testing with active vs. passive mode and this is what I found:

1) a passive mode ftp client works with all ftp servers that support passive mode connections

2) an active mode ftp client fails regardless of the 'ftp proxy active-mode' configuration.

So, since our CE is sitting outside of our NAT'ing firewall, I suspected our firewall is what was giving us grief, which I confirmed by exposing a client and testing. And, doing some research about the differences between active and passive modes, this kind of makes sense. However, what bothers me is that we can establish active mode ftp sessions just fine without the CE, so the firewall can handle that. Also, my understanding of the CE is that the ftp client establishes a FTP session with the CE's FTP server, and then the CE does its thing. So if the connection between the client and the CE is just like any other FTP session, does that mean the CE's FTP server can not handle NAT'ed sessions when in active mode, or is it that WCCP is causing a problem? Or am I missing a magic configuration setting? Keeping in mind that web-cache and passive FTP works fine through the CE, I suspect the problem is with the CE's implementation of the active mode FTP server.

Yes, I know the documentation says to put the CE inside the firewall, before NAT'ing, but in our situation, this is not an option.

Any thoughts?

Thanks,

Nathan

seilsz · ‎11-23-2004

There are basically two (2) ftp sessions involved:

Client <--> CE

CE <--> Origin ftp server (assuming a cache miss)

The CE shouldn't care about Active mode unless the Active IP address in the PORT command isn't being translated. I'm assuming that you have fixup configured on your firewall (you are using a PIX firewall, right :) ) for ftp?

Do you have access to the firewall logs? Can you look for denies from the CE with a source port of 20?

Can you take a sniffer trace between the firewall, CE, and wccp router?

~Zach