One armed VIP and FTP

mjhagen
Level 1

I have a need to use the one-armed load balance for some servers. I have 4 contents set up using this, and I have the four corresponding groups set up. Two of the contents work fine; they are using SSL. The other 2 fail, and they are both using FTP. It looks like it is failing on the data channel connection, because I can log in to the server but cannot get any data. Is there a way to correct this?

8 Replies

Gilles Dufour
Cisco Employee

Check the following URL:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093de6.shtml

It explains that you need a source group for the FTP data connection.

Since you also need a group to NAT the client IP address, you have a problem, since you can't do both at the same time.

The solution is to use an ACL and the 'sourcegroup' option.

So you keep your group, but you remove all the services attached inside it.

Then you create an ACL like this one:

acl 1
clause 10 permit tcp any destination any eq 21 sourcegroup <group-name>
apply circuit-(VLAN-client)

acl 2
clause 10 permit tcp any destination any sourcegroup <group-name>
apply circuit-(VLAN-server)

This should work.

If not, make sure to try both passive and active ftp to see if at least one works.

Gilles.

I have a question in regards to the ACLs. Are they the same as a Cisco ACL in the explicit deny? Because I have many other servers and content rules on the same VLAN of the CSS, I want to make sure I do not stop other traffic through the CSS.

Indeed, this is the same as IOS.

You need a 'clause 99 permit any any destination any' at the end.

Another point is that as soon as you enable ACL processing ('acl enable'), there is a deny all on all circuits. So, even if you don't need an ACL on a specific circuit, you will have to create one with permit any any.

Gilles.

I am using 4 circuit VLANs on this CSS. So I would only need the any-to-any on the other 3 circuits, and use the destination sourcegroup and the any-to-any on the other circuit. One other thing I have read is that ACLs are not supported on the Ethernet_Mgmt interface. I control the CSS over this interface, so will it not be affected?

The Ethernet management interface will not be affected.

Gilles.
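Putting Gilles's points together for a CSS with four circuit VLANs (the sourcegroup clauses on the client and server circuits, a trailing permit-all clause on each, and a permit-all ACL on the two remaining circuits so that 'acl enable' does not cut their traffic). This is an added illustration, not a configuration from the thread; the VLAN names and the group name 'ftp-grp' are placeholders.

```text
! Added illustration; VLAN-client, VLAN-server, VLAN-3, VLAN-4 and ftp-grp
! are placeholder names. ftp-grp is the group with no services attached.
acl 1
  clause 10 permit tcp any destination any eq 21 sourcegroup ftp-grp
  clause 99 permit any any destination any
  apply circuit-(VLAN-client)
acl 2
  clause 10 permit tcp any destination any sourcegroup ftp-grp
  clause 99 permit any any destination any
  apply circuit-(VLAN-server)
! Every circuit drops all traffic once ACLs are enabled unless an ACL is
! applied to it, so the two circuits that need no filtering still get one.
acl 3
  clause 10 permit any any destination any
  apply circuit-(VLAN-3)
acl 4
  clause 10 permit any any destination any
  apply circuit-(VLAN-4)
acl enable
```

Apply all four ACLs before issuing 'acl enable'; a circuit left without an ACL at that moment loses its traffic, which is the symptom of non-one-armed services failing right after ACLs are turned on.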

I enabled ACLs and tested FTP to the one-armed VIP, and it did not work. I get the same error on my client: "502 Illegal Port". I tested both passive and active.

Also, my current FTP content and groups that are not one-armed failed with the ACLs enabled.

I have attached a portion of the configuration pertaining to FTP, if this helps.

I also do have SSL content and groups working with a one-armed VIP.

Did you solve your problem?

I have the same one with my CSS11501 and SCA11000.

If yes, is it possible for you to send me the configuration?

Regards

Eduardo MET : equintana@met.wallonie.be

Hi,

Just wanted to ask if you might know: does applying the ACL have any impact on the production traffic going through the load balancer?

Thanks.
