Forum Discussion

Petak_333163
Mar 14, 2018

Ftp Active and Passive

Hi all,

I have an F5 LB working for passive FTP connections. This was configured with a VIP, a TCP profile and some iRules. Now I need to have both FTP modes working (active and passive). So, I'm wondering if this is possible and how it needs to be done, because in the past using a VIP with an FTP profile didn't work for passive FTP connections.

I hope that someone has the same scenario.

Thanks in advance

 

5 Replies

  • Adding more information about this issue.

    If I configure the VIP to work in passive mode and I try to do an active FTP connection, the ftp-server shows me the error "500 Illegal PORT command" when trying to send the data port to the source public IP address.

    And when I configure the VIP to work in active FTP mode, the ftp-server logs show me the data port going to the private VIP IP address.

    Example:

    VIP working in passive MODE - Trying an active FTP connection

    [] [ftp] OK LOGIN: Client "", anon password "anonymous"
    [] [ftp] FTP response: Client "10.10.10.1", "230 Login successful."
    [] [ftp] FTP command: Client "10.10.10.1", "FEAT"
    [] [ftp] FTP response: Client "10.10.10.1", "211-Features:"
    [] [ftp] FTP response: Client "10.10.10.1", " EPRT??"
    [] [ftp] FTP response: Client "10.10.10.1", " EPSV??"
    [] [ftp] FTP response: Client "10.10.10.1", " MDTM??"
    [] [ftp] FTP response: Client "10.10.10.1", " PASV??"
    [] [ftp] FTP response: Client "10.10.10.1", " REST STREAM??"
    [] [ftp] FTP response: Client "10.10.10.1", " SIZE??"
    [] [ftp] FTP response: Client "10.10.10.1", " TVFS??"
    [] [ftp] FTP response: Client "10.10.10.1", " UTF8??"
    [] [ftp] FTP response: Client "10.10.10.1", "211 End"
    [] [ftp] FTP command: Client "10.10.10.1", "PWD"
    [] [ftp] FTP response: Client "10.10.10.1", "257 "/""
    [] [ftp] FTP command: Client "10.10.10.1", "NOOP"
    [] [ftp] FTP response: Client "10.10.10.1", "200 NOOP ok."
    [] [ftp] FTP command: Client "10.10.10.1", "CWD /"
    [] [ftp] FTP response: Client "10.10.10.1", "250 Directory successfully changed."
    [] [ftp] FTP command: Client "10.10.10.1", "FEAT"
    [] [ftp] FTP response: Client "10.10.10.1", "211-Features:"
    [] [ftp] FTP response: Client "10.10.10.1", " EPRT??"
    [] [ftp] FTP response: Client "10.10.10.1", " EPSV??"
    [] [ftp] FTP response: Client "10.10.10.1", " MDTM??"
    [] [ftp] FTP response: Client "10.10.10.1", " PASV??"
    [] [ftp] FTP response: Client "10.10.10.1", " REST STREAM??"
    [] [ftp] FTP response: Client "10.10.10.1", " SIZE??"
    [] [ftp] FTP response: Client "10.10.10.1", " TVFS??"
    [] [ftp] FTP response: Client "10.10.10.1", " UTF8??"
    [] [ftp] FTP response: Client "10.10.10.1", "211 End"
    [] [ftp] FTP command: Client "10.10.10.1", "SYST"
    [] [ftp] FTP response: Client "10.10.10.1", "215 UNIX Type: L8"
    [] [ftp] FTP command: Client "10.10.10.1", "PORT 9,xxx,xxx,xxx,,9"   <--- CLIENT PUBLIC IP ADDRESS
    [] [ftp] FTP response: Client "10.10.10.1", "500 Illegal PORT command."

    10.10.10.1 <--- VIP internal IP

    VIP working in active MODE - Trying an active FTP connection

    [pid 3184] [ftp] FTP command: Client "10.10.10.1", "FEAT"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "211-Features:"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " EPRT??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " EPSV??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " MDTM??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " PASV??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " REST STREAM??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " SIZE??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " TVFS??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " UTF8??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "211 End"
    [pid 3184] [ftp] FTP command: Client "10.10.10.1", "PWD"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "257 "/""
    [pid 3184] [ftp] FTP command: Client "10.10.10.1", "NOOP"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "200 NOOP ok."
    [pid 3184] [ftp] FTP command: Client "10.10.10.1", "CWD /"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "250 Directory successfully changed."
    [pid 3184] [ftp] FTP command: Client "10.10.10.1", "FEAT"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "211-Features:"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " EPRT??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " EPSV??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " MDTM??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " PASV??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " REST STREAM??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " SIZE??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " TVFS??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", " UTF8??"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "211 End"
    [pid 3184] [ftp] FTP command: Client "10.10.10.1", "SYST"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "215 UNIX Type: L8"
    [pid 3184] [ftp] FTP command: Client "10.10.10.1", "PORT 10.10.10.1,140,117"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "200 PORT command successful. Consider using PASV."
    [pid 3184] [ftp] FTP command: Client "10.10.10.1", "LIST"
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "150 Here comes the directory listing."
    [pid 3184] [ftp] FTP response: Client "10.10.10.1", "226 Directory send OK."
    

    Finally, if I configure the VIP to work in active mode, passive mode receives a reset on the connection.

    IP 10.10.10.1 > xxx.xx.xx.xx.40021: Flags [R.], seq 331, ack 75, win 0, length 0 out slot1/tmm0 lis=/Common/passive
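    To make the failure shown in these logs concrete, here is an added example (my own code, not from the original post and not F5's or vsftpd's) that parses the data-channel announcements on an FTP control connection, PORT and EPRT from the client and the 227/229 replies to PASV/EPSV from the server, and compares the embedded address with the address the other side actually sees on the control connection. That comparison is the one vsftpd makes before answering "500 Illegal PORT command" (its port_promiscuous option defaults to NO), and it is the reason a SNAT or a VIP that rewrites only IP headers breaks one mode or the other unless the FTP payload is rewritten too. The two sessions, the addresses 192.0.2.10, 203.0.113.10 and 10.10.10.5 and the vsftpd-style reply strings are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# h1,h2,h3,h4,p1,p2 encoding shared by PORT (RFC 959) and the 227 reply to PASV
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b[^(]*\(" + _HP + r"\)")
# RFC 2428 forms: EPRT |1|host|port| from the client, 229 (|||port|) from the server
EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.IGNORECASE)
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d{1,5})\|\)")


@dataclass
class DataEndpoint:
    """Address the peer is told to use for the data connection."""
    verb: str            # PORT, PASV, EPRT or EPSV
    host: Optional[str]  # None for EPSV: the data host is the control-channel server
    port: int


def _decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 captures into ('h1.h2.h3.h4', p1*256+p2)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host/port fields must be 0..255: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_announcement(line: str) -> Optional[DataEndpoint]:
    """Return the data endpoint announced by one control-channel line, or None."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        return DataEndpoint("PORT", host, port)
    m = PASV_RE.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        return DataEndpoint("PASV", host, port)
    m = EPRT_RE.match(line)
    if m:
        return DataEndpoint("EPRT", m.group(2), int(m.group(3)))
    m = EPSV_RE.match(line)
    if m:
        return DataEndpoint("EPSV", None, int(m.group(1)))
    return None


def audit_session(lines: List[Tuple[str, str]],
                  client_as_seen_by_server: str,
                  server_as_seen_by_client: str) -> List[str]:
    """Walk ('C'|'S', text) control-channel lines and report every announced
    data address that differs from the address the other side actually sees.
    A client PORT/EPRT must name the source the server sees (otherwise vsftpd
    replies 500 Illegal PORT command); a server 227 must name the address the
    client connected to (otherwise the client dials a private pool-member IP)."""
    findings = []
    for direction, text in lines:
        ep = parse_announcement(text)
        if ep is None or ep.host is None:   # EPSV carries no host, nothing to compare
            continue
        expected = client_as_seen_by_server if direction == "C" else server_as_seen_by_client
        if ep.host != expected:
            findings.append(
                f"{ep.verb} announced {ep.host}:{ep.port} but the control-connection "
                f"peer is {expected}; the data channel will fail unless the "
                f"intermediary rewrites the FTP payload")
    return findings


# Constructed session 1: SNAT makes the server see the client as 10.10.10.1, but the
# client still announces its own public address (192.0.2.10 here) in PORT.
SESSION_ACTIVE_BEHIND_SNAT = [
    ("C", "PORT 192,0,2,10,140,117"),
    ("S", "500 Illegal PORT command."),
]

# Constructed session 2: the client connected to VIP 203.0.113.10, but the pool member
# announces its private address 10.10.10.5 in the 227 reply to PASV.
SESSION_PASSIVE_BEHIND_VIP = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,10,10,5,39,45)."),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||10029|)"),
]

if __name__ == "__main__":
    for name, session, c, s in (
        ("active", SESSION_ACTIVE_BEHIND_SNAT, "10.10.10.1", "203.0.113.10"),
        ("passive", SESSION_PASSIVE_BEHIND_VIP, "10.10.10.1", "203.0.113.10"),
    ):
        for finding in audit_session(session, c, s):
            print(f"[{name}] {finding}")
```

    Running the script reports one mismatch per session: the active one is the "500 Illegal PORT command" case from the first log, the passive one is the data port going to the private address from the second. An FTP-aware profile (or an iRule that rewrites these payload fields) is what removes the mismatch; a plain TCP profile with SNAT cannot.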
    
    • Petak_333163

      Hi Constantinliviupop,

      I've been forced to use only one mode (passive or active), because I can't get this working with both modes. It only works if I use more than one VIP to handle the FTP modes separately.

      Also, I contacted F5 support and they gave me some documentation to review and apply, but using it did not work either.

      So finally, I configured everything to work only with passive.


  • If you have another IP to use for SNAT, you could set up an incoming VIP using a SNAT and an outgoing VIP using the incoming SNAT address, with the incoming VIP as its SNAT. Both VIPs would be set up as listening on ANY, since you won't know what port the passive client will use for the data connection and you won't know which port the server will send to on the active connection. Basically you would be forwarding all ports hitting your incoming VIP to the FTP pool; the trick is listening for the new session the server creates in active FTP, which the outbound VIP would handle by forwarding all ports hitting the outbound VIP, SNAT'd back to the incoming VIP address. Not pretty, but it should work. If you're handy with iRules, you may be able to snoop the TCP stream and lock the traffic down by client address, server address or both and drop all others as an added layer of security.

    My .02 cents anyway...