iRule passive FTP range data port

Hi Guys,

I'm a complete noob with F5 products, so I'm wondering if you can help me with the following issue:

I have a VIP that needs to forward FTP traffic to an FTP pool with 4 FTP servers in it. These FTP servers have passive_ports configured between 30001-30020 and pasv_address set to the F5 public IP.

So, after trying everything I saw in the forums about passive FTP, the only way I found to get this working was the following:

  • VIP type -> Performance (Layer 4), service port "*", protocol TCP, profile "FastL4"

I tried multiple combinations using the VIP with service port 21 and an FTP profile with data port "0"; I also tried some iRules that I found.

Has anybody had this kind of situation? Can you share with me the specific config or iRule needed to get this scenario working using VIP service port 21, Standard type and an FTP profile?

Thanks in advance

Comment made 07-Nov-2017 by Petak 71

Has anybody had this issue before?


Hi Petak. I think you are mixing things up here. Let me explain.

Regardless which FTP type you are using, the connection will happen between the client and the server. It is the client who requests the type of FTP. The server will just need to be compatible to the respective ftp mode.

Then you have the F5 which is really just a proxy - i.e. it would facilitate the connection between the client and the server; in your case, it will also load balance the requests.

Normally Active FTP is the default - but that causes problems because the server will at some stage initiate a connection back to the client. If the client is behind NAT (which is normally the case), you will have problems. Hence the use of Passive FTP, where all needed TCP connections are initiated by the client.

So ...

  1. With that said, is there a way to test your client-server passive FTP connection bypassing the F5? For instance, use a client on the same network as the servers sitting "behind" the F5. Does it work? If it doesn't work without the F5, it won't work once you introduce the F5 either.

  2. Have you assigned the right profile to the VS (FTP profile) in this case?

  3. Also, what problems do you actually see? Does it never work? Does it work intermittently?

If my memory is not failing me, I believe I have previously set up passive/active FTP on F5 and it was very straightforward. No iRules needed, no fancy configuration at all. One thing you will likely have to do is set up persistence - and that's about as fancy as you're gonna get.

But I could be wrong ...

Comment made 07-Nov-2017 by Petak 71

Hi @Gonzalex, first of all, thanks for answering me.

Our FTP servers have pasv ports defined, so the client receives the pasv_address and the port range that it needs to use in passive mode.

When I configured the VIP with the preferred configuration for FTP (FTP profile) (type: Standard) (TCP profile) (translation auto-map), the client received a RST ACK when trying to do "quote pasv". If I do the same bypassing the LB, the client receives the port range for passive and connects to the server without issues in pasv mode.

Reading some posts about it in this forum, I tried different combinations, but always with the same results.

So now I have this working with the following configuration:

VIP -> Performance (Layer 4), FastL4 profile, Auto-map, all services; or VIP -> Standard, TCP profile.

If I try to add an FTP profile (default or with data port "0") or if I change the VIP service to FTP, I automatically receive a RST ACK from the LB. (I have also configured an iRule on the VIP that allows port ranges 20-21 & 30001-30020.)

Comment made 07-Nov-2017 by Gonzalex 243

Ok matey. Let me lab this stuff. I'll get back to you. I'm intrigued :)

Comment made 07-Nov-2017 by Petak 71

Thanks :) I'm using vsftpd on the FTP servers with this added configuration:

    anonymous_enabled=YES
    pasv_address="Your LB public ip"
    pasv_min_port=30009
    pasv_max_port=30020
    pasv_enable=YES

Really, thank you! I hope you don't waste too much time helping me. :)

Comment made 07-Nov-2017 by Gonzalex 243

I'm helping myself too ;) It's a good one. Aaaaight ... on it. Will take some time to set it up...

Comment made 07-Nov-2017 by Gonzalex 243

Just so I replicate like for like: have you got the local firewall enabled or disabled?

Comment made 07-Nov-2017 by Petak 71

FTP instances have no firewall, just iptables permitting those ports.

Comment made 07-Nov-2017 by Gonzalex 243

Ok matey ... got this guy sorted! But you were right. There is something very fishy going on that even the Internet community seems to be fairly clueless about. I'd like to keep myself humble here - I found this solution by pure luck!!!

Initially, I was bumping into a lot of articles about bugs on the F5 itself, particularly dealing with passive FTP. But when checking the versions those bugs would apply to, I couldn't match the code version I'm running - v11.6.

Also did quite a few tcpdumps ... surely it was showing me the error but I failed to see it ... maybe I am tired of it LOL.

Luckily, after some configuration changes I noticed the following message: "227 Entering passive Mode (0,0,0,0,129,119)" - I knew that instead of that, I was supposed to have the IP address of the server. This gave me new ideas...

I then tested the ftp connection from the f5 itself directly to the backend server. Was getting the same message! At this point, I knew it was an issue with vsftpd!

Edit the vsftpd.conf file and remove the pasv_address command. This fixed the problem for me.

My VS looks like this:

    ltm virtual vs_ftp {
        destination
        ip-protocol tcp
        mask
        pool pool_ftp
        profiles {
            ftp { }
            tcp { }
        }
        source
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 4
    }

vsftpd is running on CentOS - I've disabled firewalld as well using the systemctl stop firewalld command. I don't have iptables running either.

So what can I say ... I hope this fixes the problem for you too.

Let me know! I'm dying to know!
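The "227 Entering Passive Mode (0,0,0,0,129,119)" reply above is exactly the kind of thing a client-side check can catch before anyone starts suspecting the load balancer. This is an added example, not code from the thread: it parses a 227 reply, decodes the advertised address and port (129*256+119 = 33143), and flags an all-zero address, an address that differs from the one the client connected to (the VIP when testing through the F5, the server itself when testing directly as Gonzalex did), or a port outside the configured pasv range. The 203.0.113.10 address and the sample replies are constructed.

```python
import re
from ftplib import FTP

# Constructed sample replies: the first mirrors the broken reply from the
# thread, the second is what a correctly configured vsftpd would send.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (0,0,0,0,129,119).",
    "227 Entering Passive Mode (203,0,113,10,117,49).",
]

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) decoded from a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, expected_ip, pasv_min=30001, pasv_max=30020):
    """List the reasons a data connection built from this reply would fail.
    expected_ip is the address the client dialled for the control connection."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 PASV reply"]
    ip, port = parsed
    problems = []
    if ip == "0.0.0.0":
        problems.append("server advertised 0.0.0.0 (pasv_address unset or unresolvable)")
    elif ip != expected_ip:
        problems.append(f"advertised {ip} differs from control address {expected_ip}")
    if not pasv_min <= port <= pasv_max:
        problems.append(f"port {port} outside pasv range {pasv_min}-{pasv_max}")
    return problems


def probe_pasv(host, port=21, timeout=5):
    """Live check (not run offline): anonymous login, send PASV, return the raw reply."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()                    # anonymous_enable=YES in the thread's config
        return ftp.sendcmd("PASV")     # e.g. '227 Entering Passive Mode (...)'


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply, "->", check_pasv(reply, "203.0.113.10") or "OK")
```

Run probe_pasv() once against the VIP and once from the F5 directly against a pool member; a mismatch between the two tells you whether the FTP profile is rewriting the 227 reply or the server is sending a bad address in the first place.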

Comment made 07-Nov-2017 by Gonzalex 243

Now ... if it doesn't work, try the following too; I didn't get to try these but I found these suggestions on other sites:

/etc/hosts.allow - add the line "vsftpd : ALL"

then reboot just to make sure.

Comment made 07-Nov-2017 by Petak 71

Hi @Gonzalex, sorry for the delay, I was doing other stuff and I didn't check the email notification, sorry about that.

I replicated the exact configuration that you posted and I also deleted the "pasv_address" on the FTP servers. The connection works as normal, but when you request to enter passive mode with "quote pasv" (via terminal) or using a client like "FileZilla", the connection dies in my lab.

Here is my config:

    ltm virtual TEST2-VS {
        destination
        ip-protocol tcp
        mask
        pool TEST2-pool
        profiles {
            ftp { }
            tcp { }
        }
        source
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 3
    }

I edited the hosts.allow file too, but the result was the same.

Whether we find the solution or not, I would like to thank you for spending your time helping me.

I will be here continuing to work on this and other issues that I have with this product hahaha :)

Comment made 08-Nov-2017 by Gonzalex 243

Hi Petak. When you say the connection dies, what do you mean? Are you getting different results than before? No more errors? Is it just the session that hangs? What version of code are you running?

A few more suggestions:

  1. Upgrade the F5 - in my research, I did find a lot of other people having problems with Passive FTP due to how translations are done or even due to the F5 not passing the correct PASV FTP string back to the client. For those people, the prob was fixed by an upgrade.

  2. My setup includes a one-server pool only; try using one server as well ... just to rule out LB algorithms, persistence and things like that.

  3. Try another FTP server - don't just exclude the possibility of vsftpd being broken. Lots of people are having Passive FTP probs with vsftpd.

Other than that, I'm out of ideas. :(

Comment made 08-Nov-2017 by Petak 71

Good morning @Gonzalex, how are you?

I mean, the session hangs.

  1. I'm using F5 Version on AWS (Better 200mbps).

  2. I tested it with only one VIP -> one pool -> one FTP server.

  3. I was thinking of using another one, but if I try it without the F5 everything works as expected.

About your lab, can you "pasv" or "quote pasv" without issues?

Comment made 08-Nov-2017 by Gonzalex 243

Erm ... sorry. No idea what "quote pasv" is ...

Comment made 08-Nov-2017 by Petak 71

No worries. If you run an FTP connection from DOS and you need to change your mode to passive, you can run the "quote pasv" command. If you run a Linux terminal, you can change to passive using the "PASV" command.... etc.

If you use an FTP client like FileZilla, force passive mode from the settings, and change the DEBUG option to "4" to check if the client really is using passive.

Comment made 08-Nov-2017 by Gonzalex 243

By default, my client runs in passive mode; I'm using the built-in CentOS ftp client at the command line. Furthermore, if I do run the passive command, I get a message stating that passive mode has been switched off; if I run it again, I get a message that passive mode is switched back on.

Hope that answers your question.

I've been thinking about this problem of yours again ... what really is confusing to me is when you said that the connection hangs. The kind of problems I was getting were literally error messages ... either disconnections, or showing the wrong passive string, etc. But never once did the connection hang.

On the other side, you say that if you bypass F5, it works.

Of course ... I agree we can easily conclude that it must be the F5. However, don't forget about translations. It could be an issue with vsftpd not handling translations properly! I've seen issues with that on Internet forums.

What I'm saying is this: try a different FTP server. Maybe update the vsftpd version if need be. Also, if you enable vsftpd logging, what do you see in the logs? I haven't actually done that during my tshoot session. Passive mode is only triggered once you issue an FTP command ... say an "ls" or "put", etc. Regardless which mode you are running in, you should definitely be able to connect to the server!!

Comment made 08-Nov-2017 by Petak 71

Hi @Gonzalex,

As I always say to you, thanks! I will try with another FTP server or vsftpd version and I will come back to you and share the results. But not today, my brain is asking me to rest. haahah

I will keep you posted tomorrow.

Thanks again :)

Comment made 1 month ago by popica 161

Hi Guys, Any "luck" / solution with this? :)

I guess the question is: if we use AutoMap (SNAT) on the F5, can the F5 support both FTP active & passive mode on the same VIP?

Please note that if we do not use AutoMap, both ACTIVE & PASSIVE work with the FastL4 profile, since the return traffic is not forced back through the F5.

The question is how we can make active & passive mode coexist on the same VIP. I want to avoid building 2 VIPs with 2 different IPs (one for passive mode clients & another for active mode) & still use AutoMap.

I was wondering if there's an iRule or another way for the F5 to read the client/server mode (active or passive) & based on that redirect the connection to use the AutoMap VIP?

Please advise.