Forum Discussion
F5 unit is deny default unit (there are exceptions like AFM, anyway...), means you need to have a listener to handle the traffic and then open the server side connection if configured for that.
SNAT is listener, but you first need to make sure that is the SNAT that is handling the connection and not another listener. You can take the tcpdump with extra information, and you will be able to see which listener is handling the connection.
Information about that:
https://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html
https://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html
https://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html
If you just want the solution :P, here is the bug you are probably facing:
https://support.f5.com/kb/en-us/solutions/public/k/33/sol33645643.html
There is no workaround in the solution, but it does says that does not affect a virtual server with SNAT. So, just use a virtual server with SNAT pool and FTP profile.
- Ed_SummersNov 04, 2016Nimbostratus
F5 Support confirmed it is the bug addressed by the solution article you mentioned. Affects 12.1.0 - 12.1.1. We actually found this SOL article prior to contacting support, but the language used in the article (the active language "configured the BIG-IP system to process FTP control channel connections using only a SNAT object") made me want to research further.
Accepting your answer - you win the cookie today.
- Leonardo_Souza3Nov 07, 2016Nimbostratus
lol cookie accepted.