Showing results for 
Search instead for 
Did you mean: 

ACE in HA Mode for FTP Traffic Loadbalancing



FTP is a peer to peer kind of protocol in which Client establish direct connection with Server to communicate commands and data transfer between them. The overall process of communication is achieved by establishing two connections between client and server namely, control channel and data channel. Control channel is the connection initiated by the client to server and this connection is used to communicate control signals like commands, credentials and signals. The Data channel is another connection established between client and Server. Based on who initiate this data channel will decide the mode of operation of FTP. If the Data channel connection is initiated by Server then it’s called Active mode of FTP and if the Data channel connection is initiated by client, it’s called Passive mode.

When using Cisco Application Control Engine (ACE) for FTP loadbalancing, we need to enable FTP Inspect on policy to have a successful Load balancing operation on the traffic flow. This is required because, FTP protocol is designed such a way that before opening a data-channel between client and server, the server specifies which port it will use to listen/Send data to the client through control-channel. The ACE, in term to open a path for this data-channel traffic automatically through itself, needs to monitor the control-channel. This is done only when FTP inspect is enabled. When FTP inspect is enabled on ACE, all FTP connections targeted through ACE-virtual IP between client and Servers will get proxies on ACE.

ACE in HA for FTP

When ACE is deployed in HA pair and FTP inspect is enabled on ACE, all the FTP connection established through ACTIVE-ACE will not get synched to STANDBY-ACE. This is because when FTP inspect is enabled, FTP connection gets proxied and proxied connections are not synched to STANDBY- ACE. So whenever there is a failure between ACTIVE-ACE to STANDBY-ACE, the existing connection on ACTIVE-ACE will get broken and Client needs to establish new connection to complete the transactions.

One of the solution for this FT issue can be solved by configuring ACE in Direct Server Return mode(DSR) along with disabling TCP normalization on ACE. When ACE is deployed in DSR mode, Client will send request to ACE-Virtual IP address. ACE will perform loadbalancing and forward client request to specific server. Now Server will directly respond to Client request bypassing ACE. To make sure client accepts this direct response from server, we need to make sure that Server responds with the same IP address on which client sent its request. We also need to disable TCP normalization on client side interface on ACE. Make sure proper routes have been added on the server, so that response is reaching client directly without going through ACE. To summaries the above said and config guide links accordingly.

  1. Disabling TCP normalization on ACE.
  2. Configure Either Predictor IP Hash on Serverfarm or configure IP sticky. For Sticky config:Predictor IP Hash:
  3. Configure the serverfarm in transparent mode or no Destination Nating.
  4. Putting the ACE VIP and FTP Servers in the same VLAN.
  5. Adding the VIP to the loopback address on server with no ARP.
  6. Possibly making FTP server changes to force it to use the VIP

Note: Last three steps are not required If your client is sending FTP request directly on Server IP address and ACE-Virtual IP address is configured to listen on any IP. Make sure not to configure NAT/PAT on ACE.

Content for Community-Ad