Forum Discussion

SynACk_128568
Sep 19, 2014

FTPS load balancing

Hi All

I have set up an FTPS pass-through load balancing setup. Everything is working fine; the connection flow is:

Three-way handshake, then the response from the server to the client: service ready for new user

Client acks it

FTP banner sent by FTP server to client

Client sends AUTH TLS

Server sends 234 Auth command ok. Expecting TLS negotiation.

Client sends a request, I think for the server certificate; server acks it

Then the connection times out after 120 seconds and the client sends

Request: quit, which I think is the default timeout for the client. This connection is closed by the client.

But the VIP connection is still up and sends the response (the certificate) to the client.

But the client sends RST as it is not listening on it any more.

Note: Server = VIP

But when the user accesses directly, bypassing the LTM, the connection is quick, within seconds.

What can be the issue for this delay? Can it be the FTP profile set on the VS, as it is FTPS?

VS setting: Listening on port 21, backend servers also port 21, SNAT2VIP, profiles: TCP, FTP

Thanks in advance

 

8 Replies

  • See this article.

    http://support.f5.com/kb/en-us/solutions/public/9000/300/sol9347.html

    I think you need to use a FastL4 virtual listening on all ports, and there are also some implications with addressing as the LTM cannot rewrite the encrypted packets to modify the addresses within. The FTPS server needs to think it has the IP address of the virtual server.


  • Hello, look at the link below; I thought it would be helpful for you: http://support.f5.com/kb/en-us/solutions/public/9000/300/sol9347.html


  • Hi All,

    But I am not understanding why the LTM is taking time to send the response, and also if the client increases the timeout it doesn't matter.

    Also, can someone explain why the VIP IP needs to be configured on loopback?


  • FTPS, like FTP, has 2 connections. One is the control, the other is the data. You initially connect over the control, and then when you need to transfer data (which includes everything from transferring files to listing directories), the control channel negotiates the parameters for the data channel. In that control packet is the IP address of the server. In other words, it doesn't just connect to the same IP the control connected to, it actually connects to the IP address and port in the packet. With FTP-aware devices like a firewall or LTM with an FTP profile, the device rewrites the control packet to replace the IP address with the proper internal addresses to make everyone happy. Being that this is FTPS and the LTM cannot decrypt the control packet and make changes to it, the backend server needs to believe it has the VIP address to create a proper control packet that the client can connect to.

    I believe this is only the case with Passive connections. With Active mode, the IP address of the client is in the control packet, thus probably making a SNAT setup break.
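    The passive-mode rewrite described in this reply, as an added illustration that is not part of the original thread: a cleartext 227 reply can be parsed and rewritten to carry the VIP address, while after AUTH TLS the same reply arrives as ciphertext that an FTP-aware device cannot parse, so the server itself has to advertise the VIP. The pool member address 10.0.0.5, the data port and the TLS record bytes are constructed; the VIP 1.2.3.4 is taken from the configuration posted later in the thread.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The server's data-channel address is carried inside the control channel itself.
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: bytes):
    """Return (ip, port) advertised in a 227 reply, or None when the bytes do not
    contain a parseable 227 (e.g. they are TLS ciphertext after AUTH TLS)."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rewrite_pasv(reply: bytes, vip: str) -> bytes:
    """What an FTP-aware middlebox (firewall ALG, or the LTM ftp profile) does on a
    cleartext control channel: swap the pool member's real address for the VIP so the
    client dials the VIP for the data connection. The port is kept as advertised.
    Bytes that do not parse are passed through untouched, which is exactly what
    happens to an encrypted FTPS control channel."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    _, port = parsed
    new_tuple = ",".join(vip.split(".") + [str(port // 256), str(port % 256)])
    return re.sub(rb"\([\d,]+\)", b"(" + new_tuple.encode() + b")", reply, count=1)


# Constructed sample: pool member 10.0.0.5 offers data port 50000; VIP is 1.2.3.4.
CLEARTEXT_227 = b"227 Entering Passive Mode (10,0,0,5,195,80).\r\n"
# Constructed stand-in for the same reply after AUTH TLS: a TLS application-data
# record (type 0x17) whose payload is opaque to the middlebox.
ENCRYPTED_227 = b"\x17\x03\x03\x00\x10" + bytes(range(0x90, 0xA0))
VIP = "1.2.3.4"

if __name__ == "__main__":
    print("plain FTP, server says:", parse_pasv(CLEARTEXT_227))
    print("plain FTP, client sees:", parse_pasv(rewrite_pasv(CLEARTEXT_227, VIP)))
    # FTPS: the device cannot see or rewrite the address, so whatever the server
    # put in the reply reaches the client unchanged. Unless the server is configured
    # to advertise the VIP (the loopback/masquerade address the replies discuss),
    # the client is told the pool member's real, unreachable address.
    print("FTPS, middlebox can parse:", parse_pasv(ENCRYPTED_227) is not None)
    print("FTPS, bytes unchanged:", rewrite_pasv(ENCRYPTED_227, VIP) == ENCRYPTED_227)
```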

     

  • Hi Mimlo,

    Thanks for the explanation. So when the server replies, will it bypass the LTM, or will it just add the VIP IP and port to the control packet and send it to the VIP?

    Also, the existing setup is like this:

    Inserted packet capture between VIP source and pool member destination.

    ![Image Text](/Portals/0/Users/056/68/128568/viptoserver.JPG)

    virtual abd_21 {
       pool abd_21
       destination 1.2.3.4:21
       ip protocol 6
       rules SNAT2VIP
       profiles {
          ftp {}
          tcp {}
       }
    }
    virtual abd_443 {
       pool abd_443
       destination 1.2.3.4:443
       ip protocol 6
       rules SNAT2VIP
       persist src_ip_1800
       profiles fastL4 {}
    }

    
  • Because of the SNAT, the traffic will be returned through the LTM. The purpose of the loopback/masquerade address is just to put the VIP in the packet so the client at the far end gets the correct IP to connect to.


    • SynACk_128568
      Thanks for the explanation, that clears the confusion. But I don't understand why the pool member is responding after 120 seconds. Even if the VIP is not configured, the server can give its IP and port to the client and then it should fail. Also the VIP is pass-through, so it should pass the certificate to the client and at least authenticate. I might be wrong, but I am not able to get the behavior. Thanks