FTP is a peer-to-peer style protocol in which the client establishes a direct connection with the server to exchange commands and transfer data. Communication is achieved by establishing two connections between client and server, namely the control channel and the data channel. The control channel is the connection initiated by the client to the server; it carries control traffic such as commands, credentials and status replies. The data channel is a second connection established between client and server, and which side initiates it determines the FTP mode of operation: if the server initiates the data channel connection it is called active mode, and if the client initiates it, it is called passive mode.
When using Cisco Application Control Engine (ACE) for FTP load balancing, FTP inspect must be enabled in the policy for load balancing of the traffic flow to work. This is required because the FTP protocol is designed so that, before a data channel is opened between client and server, the server announces over the control channel which port it will use to listen for or send data to the client. For ACE to open a path for this data-channel traffic through itself automatically, it needs to monitor the control channel, and it does so only when FTP inspect is enabled. When FTP inspect is enabled on ACE, every FTP connection between client and servers that targets the ACE virtual IP is proxied on the ACE.
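As an added illustration (not code from the original article or from Cisco), the following Python parses the control-channel messages an FTP inspector has to watch in order to learn the data-channel endpoint: the client's PORT command (active mode, the server will connect to the client) and the server's 227 and 229 replies (passive mode, the client will connect to the server). The sample exchange and addresses are constructed; EPSV/229 (RFC 2428) is included as a generalization beyond the PORT/PASV case the text describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample control-channel exchange (addresses from documentation ranges).
SAMPLE_CONTROL_CHANNEL = [
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,89).",
    "PORT 198,51,100,7,4,1",
    "200 PORT command successful.",
    "EPSV",
    "229 Entering Extended Passive Mode (|||50001|)",
]

@dataclass
class DataChannel:
    mode: str   # "active": server opens the data connection to the client
    host: str   # "passive": client opens it to the server; host/port is the listener
    port: int

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")

def parse_data_channel(line: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data-channel endpoint announced by one control-channel line, or None."""
    for regex, mode in ((PORT_RE, "active"), (PASV_RE, "passive")):
        m = regex.match(line)
        if m:
            fields = list(map(int, m.groups()))
            if any(v > 255 for v in fields):   # malformed h1-h4 / p1,p2: open no pinhole
                return None
            h1, h2, h3, h4, p1, p2 = fields
            return DataChannel(mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        # EPSV (RFC 2428) carries only the port; the host is the control-channel peer.
        return DataChannel("passive", server_ip, int(m.group(1)))
    return None

def pinholes(lines: List[str], server_ip: str) -> List[DataChannel]:
    """Every data-channel endpoint an inspector would have to permit for this exchange."""
    found = [parse_data_channel(l, server_ip) for l in lines]
    return [dc for dc in found if dc is not None]
```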
ACE in HA for FTP
When ACE is deployed as an HA pair and FTP inspect is enabled, the FTP connections established through the ACTIVE ACE are not synchronized to the STANDBY ACE. This is because, with FTP inspect enabled, FTP connections are proxied, and proxied connections are not synchronized to the STANDBY ACE. So whenever a failover occurs from the ACTIVE ACE to the STANDBY ACE, the existing connections on the ACTIVE ACE are broken and the client needs to establish new connections to complete its transactions.
One solution to this FT issue is to configure ACE in Direct Server Return (DSR) mode together with disabling TCP normalization on ACE. When ACE is deployed in DSR mode, the client sends its request to the ACE virtual IP address, ACE performs load balancing and forwards the request to a specific server, and the server then responds directly to the client, bypassing ACE. For the client to accept this direct response, the server must respond from the same IP address to which the client sent its request. TCP normalization must also be disabled on the client-side interface of the ACE. Make sure proper routes have been added on the server so that the response reaches the client directly without going through ACE. To summarize the steps above (refer to the configuration guide for each):
Put the ACE VIP and the FTP servers in the same VLAN.
Add the VIP as a loopback address on the server with ARP disabled.
Possibly change the FTP server configuration to force it to use the VIP.
Note: The last three steps are not required if your client sends the FTP request directly to the server IP address and the ACE virtual IP address is configured to listen on any IP. Make sure not to configure NAT/PAT on ACE.