Hi Guys, I'm very noob with F5 products, so, i wondering if you can help me with the following issue: I have a VIP that needs to forward ftp traffic to a FTP pool with 4 ftp servers on it. These ftp servers has passive_ports configured between 30001-30020 and pasv_address with the F5 public ip. so , after tried everything that i saw in the forums about the ftp passive, the only way that i found to have this working was the following: Vip Type -> Performance ( layer 4 ) , service port " * ", Protocol TCP, profile " FastL4 " I tried multiples combinations using the VIP with service port 21 and ftp profile with data port "0", also i tried using some irules that i found. Somebody had this kind of situation ? can you share with me the specific config or irule needed to have this scenario working using VIP service port 21, standard type and ftp profile ? Thanks in advance

Somebody had this issue before ?

Hi Petak. I think you are mixing things up here. Let me explain. Regardless which FTP type you are using, the connection will happen between the client and the server. It is the client who requests the type of FTP. The server will just need to be compatible to the respective ftp mode. Then you have the F5 which is really just a proxy - i.e. it would facilitate the connection between the client and the server; in your case, it will also load balance the requests. Normally the Active FTP is the default - but that causes problems because the server will at some stage initiate a connection back to the cient. If the client is behind NAT (which is normally the case), you will have problems. Hence the use of Passive-FTP where all needed tcp connections are initiated by the client. So ... With that said, is there a way to test your client-server passive ftp connection bypassing the F5? For instance, use a client on the same network with the servers sitting "behind" the F5. Does it work? If it doens't work without the F5, it won't work once you introduce the F5 either. Have you assigned the right profile the the VS (FTP profile) in this case? Also, what problems do you actually see? Does it never work? Does it work intermittently? If my memory is not failing me, I believe I have previously setup FTP passive / active on F5 it was very straight forward. No iRules needed, no fancy configuration at all. One thing you will likely have to do is setup persistence - and that's about as fancy as you gonna get. But I could be wrong ...

Hi @Gonzalex, first for all, thanks for answer me. Our Ftp Servers have Pasv_ports defined, so the client receive the pasv_address and the port range that need to go via passive mode. When I configured the VIP with the preffered configuration to FTP ( Ftp profile ) ( type: standard) (tcp profile ) ( translation auto-map ), the client received a RST ACK trying to do " quote pasv ". If I do the same bypassing the LB, the client receive the port range for passive and connect to the server without issues in pasv mode. Reading some post about it in this forum, i tried with different combinations, but always with the same results. So now i have this working with the following configuration Vip-> Perfomance Layer4 , FastL4 profile, Auto-map, All services. or Vip-> Standard , Tcp profile If i try to add Ftp profile ( default or with data port "0" ) or if i change the VIP service to FTP, i automatically receive RST ACK from the LB. ( I have also configured a Irule in the VIP that allows port ranges 20-21 & 30001-30020 )

Ok matey. Let me lab this stuff. I'll get back to you. I'm intrigued :)

Thanks :) I'm using vsftpd to the ftp servers with this added configuration anonymous_enabled=YES pasv_address="Your LB public ip" pasv_min_port=30009 pasv_max_port=30020 pasv_enable=YES Really thank you ! i hope that you not waste much time helping me. :)

Irule passive ftp range data port

18 Replies

Petak_333163
Nimbostratus
Nov 07, 2017
Somebody had this issue before ?
Gonzalex_330537
Cirrostratus
Nov 07, 2017
Hi Petak. I think you are mixing things up here. Let me explain.

Regardless which FTP type you are using, the connection will happen between the client and the server. It is the client who requests the type of FTP. The server will just need to be compatible to the respective ftp mode.

Then you have the F5 which is really just a proxy - i.e. it would facilitate the connection between the client and the server; in your case, it will also load balance the requests.

Normally the Active FTP is the default - but that causes problems because the server will at some stage initiate a connection back to the cient. If the client is behind NAT (which is normally the case), you will have problems. Hence the use of Passive-FTP where all needed tcp connections are initiated by the client.

So ...

With that said, is there a way to test your client-server passive ftp connection bypassing the F5? For instance, use a client on the same network with the servers sitting "behind" the F5. Does it work? If it doens't work without the F5, it won't work once you introduce the F5 either.

Have you assigned the right profile the the VS (FTP profile) in this case?

Also, what problems do you actually see? Does it never work? Does it work intermittently?

If my memory is not failing me, I believe I have previously setup FTP passive / active on F5 it was very straight forward. No iRules needed, no fancy configuration at all. One thing you will likely have to do is setup persistence - and that's about as fancy as you gonna get.

But I could be wrong ...
- Petak_333163
  Nimbostratus
  Nov 07, 2017
  Hi @Gonzalex, first for all, thanks for answer me.
  
  Our Ftp Servers have Pasv_ports defined, so the client receive the pasv_address and the port range that need to go via passive mode.
  
  When I configured the VIP with the preffered configuration to FTP ( Ftp profile ) ( type: standard) (tcp profile ) ( translation auto-map ), the client received a RST ACK trying to do " quote pasv ". If I do the same bypassing the LB, the client receive the port range for passive and connect to the server without issues in pasv mode.
  
  Reading some post about it in this forum, i tried with different combinations, but always with the same results.
  
  So now i have this working with the following configuration
  
  Vip-> Perfomance Layer4 , FastL4 profile, Auto-map, All services. or Vip-> Standard , Tcp profile
  
  If i try to add Ftp profile ( default or with data port "0" ) or if i change the VIP service to FTP, i automatically receive RST ACK from the LB. ( I have also configured a Irule in the VIP that allows port ranges 20-21 & 30001-30020 )
- Gonzalex_330537
  Cirrostratus
  Nov 07, 2017
  Ok matey. Let me lab this stuff. I'll get back to you. I'm intrigued :)
- Petak_333163
  Nimbostratus
  Nov 07, 2017
  Thanks :) I'm using vsftpd to the ftp servers with this added configuration
  
  anonymous_enabled=YES pasv_address="Your LB public ip" pasv_min_port=30009 pasv_max_port=30020 pasv_enable=YES
  
  Really thank you ! i hope that you not waste much time helping me. :)

Forum Discussion

Irule passive ftp range data port

18 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Assistance with iRule using port ranges

iRule [string range...] not chunking data properly

Policy to forward to a range of ports

Especial Load Balancing Active-Passive Scenario (II)

SSL Offloading for specific IPs or range of IPs