Forum Discussion

t-roy
Mar 18, 2013

Can an FTP vip maintain the server FTP port?

version 11.2.1

 

I created an FTP VIP and load balance to 2 FTP servers that use priority groups. The servers use passive FTP, and the problem I have is that when the servers send the PASV command the F5 is translating the port. We only allow clients to connect to this VIP on ports 4000-4100, and the F5 is translating this to a disallowed port.

 

I could not find any FTP iRule events or profile settings that I could use to change this.

 

4 Replies

  • t-roy

    Hopefully this saves someone else some time:

     

    I was able to get this working by creating an FTP virtual server that listens on all ports (with NO FTP profile), with a forwarding virtual server on the server-side VLAN.

     

    A stream profile translates the server's IP address in the PASV command to the VIP IP; an iRule on the forwarding virtual SNATs on CLIENT_ACCEPTED to the IP of the VIP as well.

     

  • Thank you for the update. I'm running into a similar situation and was wondering if you could share the iRule you created to perform the logic of the FTP profile?

     

  • Not sure if this is similar to what t-roy uses. Anyway, this is what I tested here.

    Client is 172.28.20.17

    FTP virtual server is 172.28.20.111

    FTP server is 200.200.200.101

    I use one virtual server for the control channel and two virtual servers for the data channel; one is on the external VLAN and the other one is on the internal VLAN. There are two virtual servers because I do not want to have a connection entry for data channel traffic (i.e., I do not have to worry about whether the control channel times out or not).

     FTP control channel
    
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual ftpctl
    ltm virtual ftpctl {
        destination 172.28.20.111:21
        ip-protocol tcp
        mask 255.255.255.255
        pool ftpp
        profiles {
            mystream { }
            tcp { }
        }
        source 0.0.0.0/0
        translate-port disabled
        vs-index 11
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile stream mystream
    ltm profile stream mystream {
        app-service none
        defaults-from stream
        source 200,200,200,101,
        target 172,28,20,111,
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool ftpp
    ltm pool ftpp {
        members {
            200.200.200.101:0 {
                address 200.200.200.101
            }
        }
    }
    
     FTP data channel
    
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual ftpdta-ext
    ltm virtual ftpdta-ext {
        destination 172.28.20.111:0
        ip-protocol tcp
        mask 255.255.255.255
        pool ftpp
        profiles {
            fastl4_0s { }
        }
        source 0.0.0.0/0
        translate-port disabled
        vlans {
            external
        }
        vlans-enabled
        vs-index 19
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual ftpdta-int
    ltm virtual ftpdta-int {
        destination 172.28.20.17:0
        ip-forward
        mask 255.255.255.255
        profiles {
            fastl4_0s { }
        }
        source 0.0.0.0/0
        source-address-translation {
            pool ftpvip
            type snat
        }
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 20
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_0s
    ltm profile fastl4 fastl4_0s {
        app-service none
        defaults-from fastL4
        idle-timeout immediate
        loose-close disabled
        loose-initialization enabled
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm snatpool ftpvip
    ltm snatpool ftpvip {
        members {
            172.28.20.111
        }
    }
    
     Test
    
    [root@centos17 ~] ftp 172.28.20.111
    Connected to 172.28.20.111.
    220 (vsFTPd 2.0.5)
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (172.28.20.111:root): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls -l
    227 Entering Passive Mode (172,28,20,111,252,78)
    150 Here comes the directory listing.
    drwxr-xr-x    2 0        0            4096 Apr 06  2012 pub
    226 Directory send OK.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> ls -l
    227 Entering Passive Mode (172,28,20,111,52,97)
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0        1012865024 Apr 06  2012 BIGIP-11.1.0.1943.0.iso
    226 Directory send OK.
    ftp> bye
    221 Goodbye.
    
     Packet trace
    
    [root@ve11a:Active:Changes Pending] config  tcpdump -nni 0.0 -s0 host 172.28.20.111 or host 200.200.200.101 and 'tcp[13] & 2 = 2' and not port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    
    ----- control channel -----
    13:22:18.431240 IP 172.28.20.17.40360 > 172.28.20.111.21: S 982826903:982826903(0) win 5840  in slot1/tmm1 lis=
    13:22:18.431297 IP 172.28.20.111.21 > 172.28.20.17.40360: S 2048968823:2048968823(0) ack 982826904 win 4380  out slot1/tmm1 lis=/Common/ftpctl
    13:22:18.433182 IP 172.28.20.17.40360 > 200.200.200.101.21: S 3266297137:3266297137(0) win 4380  out slot1/tmm1 lis=/Common/ftpctl
    13:22:18.435030 IP 200.200.200.101.21 > 172.28.20.17.40360: S 4036093744:4036093744(0) ack 3266297138 win 5792  in slot1/tmm1 lis=/Common/ftpctl
    
    ----- data channel -----
    13:22:24.974061 IP 172.28.20.17.58245 > 172.28.20.111.64590: S 417456275:417456275(0) win 5840  in slot1/tmm1 lis=
    13:22:24.974111 IP 172.28.20.17.58245 > 200.200.200.101.64590: S 417456275:417456275(0) win 5840  out slot1/tmm1 lis=/Common/ftpdta-ext
    13:22:24.975995 IP 200.200.200.101.64590 > 172.28.20.17.58245: S 2840256948:2840256948(0) ack 417456276 win 5792  in slot1/tmm1 lis=
    13:22:24.976024 IP 172.28.20.111.64590 > 172.28.20.17.58245: S 2840256948:2840256948(0) ack 417456276 win 5792  out slot1/tmm1 lis=/Common/ftpdta-int
    13:22:28.462043 IP 172.28.20.17.52950 > 172.28.20.111.13409: S 1192817272:1192817272(0) win 5840  in slot1/tmm1 lis=
    13:22:28.462095 IP 172.28.20.17.52950 > 200.200.200.101.13409: S 1192817272:1192817272(0) win 5840  out slot1/tmm1 lis=/Common/ftpdta-ext
    13:22:28.464143 IP 200.200.200.101.13409 > 172.28.20.17.52950: S 916139666:916139666(0) ack 1192817273 win 5792  in slot1/tmm1 lis=
    13:22:28.464200 IP 172.28.20.111.13409 > 172.28.20.17.52950: S 916139666:916139666(0) ack 1192817273 win 5792  out slot1/tmm1 lis=/Common/ftpdta-int
    
    

    Hope this helps.
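The two replies above describe the same mechanism: the stream profile rewrites only the server's address inside the 227 reply, and `translate-port disabled` on the wildcard-port virtual servers leaves the data port exactly as the server chose it. The following Python is an added example, not code from either poster or from F5: it parses 227 replies the way an FTP client does, rewrites the address the way the `mystream` profile does, and audits the resulting data port against the 4000-4100 range from the original question. The server-side replies are constructed (the post only shows them after rewriting, with the VIP's address); the server and VIP addresses are the ones in the post, and the allowed range is an assumption taken from the question.

```python
"""Parse, rewrite and audit FTP 227 (PASV) replies.

Added example, not from the forum thread. It mirrors what the posted BIG-IP
configuration does: the stream profile rewrites the server's IP in the 227
reply to the VIP's IP, and 'translate-port disabled' leaves the port alone.
The audit is the check the original question needed: with no port
translation, the port the client is told to use is the server's passive
port, so it must already lie inside the range the client-side firewall allows.
"""
import re

# 227 reply format from RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if the line is not one.

    The data port is p1 * 256 + p2; every field must fit in one byte.
    """
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("227 field out of range: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def rewrite_pasv_host(reply, server_ip, vip_ip):
    """Do what the posted 'mystream' profile does: swap the server's address,
    written in the comma form the 227 reply uses, for the VIP's address.
    The two port fields are not touched, matching 'translate-port disabled'.
    """
    src = server_ip.replace(".", ",") + ","
    dst = vip_ip.replace(".", ",") + ","
    return reply.replace(src, dst, 1)


def audit_pasv(reply, server_ip, vip_ip, allowed_low, allowed_high):
    """Rewrite one server-side 227 reply as the BIG-IP would and report
    whether the data port the client will be told to use is inside the
    range the client-side firewall allows."""
    rewritten = rewrite_pasv_host(reply, server_ip, vip_ip)
    parsed = parse_pasv(rewritten)
    if parsed is None:
        return None
    host, port = parsed
    return {
        "client_sees": rewritten,
        "host": host,
        "port": port,
        "in_range": allowed_low <= port <= allowed_high,
    }


# Constructed sample: the server-side form of the two 227 replies from the
# posted ftp session (the post shows them after rewriting). Server and VIP
# addresses are the ones in the post; the allowed range is the question's.
SERVER_IP = "200.200.200.101"
VIP_IP = "172.28.20.111"
SERVER_REPLIES = [
    "227 Entering Passive Mode (200,200,200,101,252,78)",
    "227 Entering Passive Mode (200,200,200,101,52,97)",
]
ALLOWED = (4000, 4100)  # assumed client-side firewall range from the question


def audit_session(replies=SERVER_REPLIES, allowed=ALLOWED):
    """Audit every 227 reply in a control-channel transcript; returns the
    list of audit results (lines that are not 227 replies are skipped)."""
    results = []
    for line in replies:
        r = audit_pasv(line, SERVER_IP, VIP_IP, allowed[0], allowed[1])
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for r in audit_session():
        flag = "ok" if r["in_range"] else "outside client firewall range"
        print("%s -> %s:%d  %s" % (r["client_sees"], r["host"], r["port"], flag))
```

Run against the lab transcript, the two data ports come out as 64590 and 13409, which is exactly what the packet trace shows on the `ftpdta-ext` and `ftpdta-int` virtual servers, and both fall outside 4000-4100. That is the practical consequence of this design: once the BIG-IP stops translating the port, the passive port range is whatever the back-end FTP servers are configured to use, so that range (for example vsftpd's `pasv_min_port`/`pasv_max_port`) has to be constrained to match the client-side firewall rule rather than relying on the load balancer to do it.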