Notes about Passive FTP
Here is a packet capture of a working Passive FTP connection through the Proxy, taken from the user's workstation. Notice that the client initiates a data connection (packet 68) to the FTP server based on the IP address it gets in the 227 response (packet 65), in this case 10.131.36.211. We can see this in the details below as well.
Here is a similar PCAP showing a failed Passive FTP connection. Notice that in this example the Load Balancer has not changed the Passive IP address to its own address. The client is attempting to establish a data connection directly with the Proxy, and the connection is failing.
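One way to spot this failure from the client side, as an added example that is not part of the original notes: parse the 227 reply and compare the advertised address with the address the control connection was opened to. It assumes 10.131.36.211 is the load balancer address the client connects to; the proxy address 192.0.2.10 and the port values are constructed samples.

```python
import re
from ipaddress import IPv4Address

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

def parse_227(line):
    """Return (IPv4Address, port) advertised in a 227 reply, or None."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet or port byte
    ip = IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # port is sent as two bytes: p1*256 + p2
    return ip, port

def check_pasv(control_peer, reply_line):
    """Compare the 227 address with the address the control connection uses.

    control_peer is the address the client connected to for the control
    channel (assumed here to be the load balancer). A mismatch means the
    227 reply was passed through without being rewritten.
    """
    parsed = parse_227(reply_line)
    if parsed is None:
        return ("not-227", None, None)
    ip, port = parsed
    status = "ok" if ip == IPv4Address(control_peer) else "mismatch"
    return (status, str(ip), port)

if __name__ == "__main__":
    lb = "10.131.36.211"  # assumed load balancer address (from the working capture)
    # Constructed control-channel replies, not taken from the original captures.
    samples = [
        "227 Entering Passive Mode (10,131,36,211,195,80)",  # rewritten by the LB
        "227 Entering Passive Mode (192,0,2,10,195,81)",     # proxy address leaked
    ]
    for reply in samples:
        print(check_pasv(lb, reply), "<-", reply)
```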
In order to get the connection to work we need to configure our load balancer to modify the 227 response. Here is the article explaining how to do so:
FTP Load Balancing on ACE in Routed Mode Configuration Example
Pay special attention to the following section in the article:
Since this configuration is an example of FTP load balancing, the class reference also contains the “inspect ftp” command. It instructs the ACE to inspect the FTP control channel commands, and perform any necessary fixups to allow the data channel to establish properly. Without this command, FTP load balancing WILL NOT WORK!