Passive FTP doesn't work when I have a Cisco ACE load balancer between the client and the Proxy


Article ID: 166757

Products

ProxySG Software - SGOS

Issue/Introduction

Notes about Passive FTP

  1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Commands such as ls and get are sent over that connection.
  2. Whenever the client requests data over the control connection, the client itself initiates the data transfer connection to the server. The source port of that data connection is always a high (ephemeral) port on the client, and the destination is the high port that the server advertised in its 227 reply.

Here is a packet capture of a working Passive FTP connection through the Proxy, taken from the user's workstation. Notice that the client initiates a data connection (packet 68) to the FTP server based on the IP address it receives in the 227 response (packet 65), in this case 10.131.36.211. We can see this in the details below as well.

Here is a similar PCAP showing a failed Passive FTP connection. Notice that in this example the load balancer has not rewritten the passive-mode IP address to its own address. The client is therefore attempting to establish the data connection directly with the Proxy, and that connection fails.

In order to get the connection to work, the load balancer must be configured to rewrite the 227 response so that it advertises the load balancer's own address. Here is the article explaining how to do so:

FTP Load Balancing on ACE in Routed Mode Configuration Example

Pay special attention to the following section in the article:

Since this configuration is an example of FTP load balancing, the class reference also contains the “inspect ftp” command. It instructs the ACE to inspect the FTP control channel commands, and perform any necessary fixups to allow the data channel to establish properly. Without this command, FTP load balancing WILL NOT WORK!
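To make the 227 fixup concrete, here is a small added example (not code from the article, Broadcom or Cisco) that parses a PASV reply, rewrites the advertised host to a load-balancer VIP the way FTP inspection does, and checks a client-side capture line for the mismatch that causes the failure above. The VIP 10.131.36.1 and the sample reply are constructed for illustration; only 10.131.36.211 comes from the article.

```python
import re

# Address block of a 227 reply: (h1,h2,h3,h4,p1,p2) -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Return (ip, port) from a '227 Entering Passive Mode (...)' reply, or None."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):  # each field is a single octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rewrite_pasv(reply: str, vip: str) -> str:
    """Replace the advertised host with the load-balancer VIP, keeping the port.

    This is the control-channel fixup 'inspect ftp' performs on the ACE; without
    it the client is told the real server (here, the Proxy) address."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    _, port = parsed
    block = "(" + ",".join(vip.split(".") + [str(port // 256), str(port % 256)]) + ")"
    return PASV_RE.sub(block, reply, count=1)


def pasv_matches_control_peer(reply: str, control_peer_ip: str) -> bool:
    """True when the 227 reply names the same host the client reached on port 21.

    On a client-side capture, False is the failure mode in this article: the
    reply still advertises the Proxy rather than the load balancer's VIP."""
    parsed = parse_pasv(reply)
    return parsed is not None and parsed[0] == control_peer_ip


if __name__ == "__main__":
    # Constructed sample: the Proxy answers PASV with its own address (port 50000).
    reply = "227 Entering Passive Mode (10,131,36,211,195,80)\r\n"
    vip = "10.131.36.1"  # assumed load-balancer VIP the client connected to
    print(parse_pasv(reply))
    print(pasv_matches_control_peer(reply, vip))   # False: data connection will fail
    fixed = rewrite_pasv(reply, vip)
    print(fixed.strip())
    print(pasv_matches_control_peer(fixed, vip))   # True after the fixup
```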
