FTP LB on IPv6 address does not work

Article ID: 327329

Products

VMware NSX Networking

Issue/Introduction

This article explains a limitation of Edge LB.
Currently, Edge LB does not support FTP over IPv6.

Symptoms:
An FTP LB configured with an IPv6 address does not work.
It works only if it is configured with an IPv4 address.

Cause

  • Architecture of FTP
FTP establishes two TCP connections: one control connection and one data connection.
The control connection is established first, from the client to the server, usually to port 21.
The data connection is then established on another port, which is decided by the PASV command or the PORT command.
In passive FTP, the client issues the PASV command and the server responds with its IP address / port. The client establishes the data connection accordingly.
In active FTP, the client issues the PORT command to specify the IP address / port, and the server establishes the data connection accordingly.
Files are transferred on the data connection.
  • FTP ALG
LB must understand the PASV and PORT commands and handle the data connection properly.
This feature is called FTP ALG.
For example, LB must do the following to handle passive FTP.

1. Catch the response to the PASV command.

2. Replace the IP address / port in the response.
It is originally the IP address / port of the backend server, but LB replaces it with its own IP address / port so that clients can establish the data connection to the VIP of LB.

3. Apply dynamic NAT rules to forward the data connection to the appropriate backend server / port, that is, to the same backend server as the control connection.

Edge LB utilizes IPVS to support FTP ALG.
IPVS is a load balancer that is built into the Linux kernel.
  • FTP over IPv6
When FTP runs over IPv6, it uses the extended commands defined in RFC 2428, EPSV and EPRT, instead of the PASV and PORT commands.
They are required for FTP to support IPv6 addresses because the PASV and PORT commands support only IPv4 addresses.
  • Support for FTP over IPv6
Currently, the Linux kernel of NSX Edge does not recognize the extended commands, so FTP ALG cannot be applied.
As a result, NSX Edge does not support load balancing of FTP over IPv6.
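
The three passive-FTP ALG steps above, and the effect of not recognizing EPSV, can be modeled as follows. This is an added example, not code from this article, NSX Edge or IPVS; the function names, the `epsv_aware` switch and all addresses and ports are assumptions, and it covers passive mode only.

```python
import re

# 227 reply to PASV (RFC 959): (h1,h2,h3,h4,p1,p2), IPv4 address plus port.
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")
# 229 reply to EPSV (RFC 2428): (<d><d><d>port<d>), normally (|||port|).
# It carries only a port; the client reuses the control connection's address.
EPSV_RE = re.compile(r"^229 [^(]*\((.)\1\1(\d{1,5})\1\)")


def parse_passive_reply(reply):
    """Return (kind, host, port) for a passive-mode reply, else None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(n) for n in m.group(1).split(",")]
        if max(nums) > 255:
            return None
        return "PASV", ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(2)) < 65536:
        return "EPSV", None, int(m.group(2))
    return None


def alg_rewrite(reply, backend_addr, vip4, vip_port, epsv_aware):
    """Steps 1-3 for passive FTP: catch reply, rewrite it, record NAT binding.

    Returns (reply_sent_to_client, binding); binding is None when the reply
    was not recognized and is therefore forwarded unchanged.
    """
    ep = parse_passive_reply(reply)
    if ep is None or (ep[0] == "EPSV" and not epsv_aware):
        return reply, None
    kind, host, port = ep
    binding = {"vip_port": vip_port, "backend": (host or backend_addr, port)}
    if kind == "PASV":
        h = vip4.replace(".", ",")
        return (f"227 Entering Passive Mode ({h},{vip_port >> 8},{vip_port & 255})",
                binding)
    return f"229 Entering Extended Passive Mode (|||{vip_port}|)", binding


# Constructed sample replies from a backend server (documentation addresses).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"

if __name__ == "__main__":
    for r in (PASV_REPLY, EPSV_REPLY):
        print(alg_rewrite(r, "2001:db8::10", "203.0.113.5", 40000, epsv_aware=False))
```

With `epsv_aware=False` the 229 reply reaches the client with the backend's port and no NAT binding exists for it, which is the failure described in this article.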

Resolution

Currently there is no resolution.

Workaround:
  • Workaround for passive FTP.
First, configure the backend servers so that they return the VIP in the response to the EPSV command.
This way, Edge LB does not need to understand the response and replace the IP address in it.

Also make sure each server uses unique ports for the data connection.
Then configure NAT rules on NSX Edge to forward connections on those ports to the appropriate backend servers.
This way, Edge LB does not need to replace the port in the response.
With these static NAT rules, data connections are forwarded to the same backend server as the control connection.
  • Workaround for active FTP.
There is no workaround for active FTP.