Forum Discussion
Hi Petak. I think you are mixing things up here. Let me explain.
Regardless of which FTP type you are using, the connection will happen between the client and the server. It is the client who requests the type of FTP. The server will just need to be compatible with the respective FTP mode.
Then you have the F5, which is really just a proxy - i.e. it would facilitate the connection between the client and the server; in your case, it will also load balance the requests.
Normally Active FTP is the default - but that causes problems because the server will at some stage initiate a connection back to the client. If the client is behind NAT (which is normally the case), you will have problems. Hence the use of Passive FTP, where all needed TCP connections are initiated by the client.
So ...
- With that said, is there a way to test your client-server passive FTP connection bypassing the F5? For instance, use a client on the same network with the servers sitting "behind" the F5. Does it work? If it doesn't work without the F5, it won't work once you introduce the F5 either.
- Have you assigned the right profile to the VS (FTP profile) in this case?
- Also, what problems do you actually see? Does it never work? Does it work intermittently?
If my memory is not failing me, I believe I have previously set up FTP passive / active on F5 and it was very straightforward. No iRules needed, no fancy configuration at all. One thing you will likely have to do is set up persistence - and that's about as fancy as you're gonna get.
But I could be wrong ...
- Petak_333163, Nov 07, 2017, Nimbostratus
Hi @Gonzalex, first of all, thanks for answering me.
Our FTP servers have pasv_ports defined, so the client receives the pasv_address and the port range that needs to go via passive mode.
When I configured the VIP with the preferred configuration for FTP (FTP profile) (type: standard) (TCP profile) (translation auto-map), the client received a RST ACK when trying to do "quote pasv". If I do the same bypassing the LB, the client receives the port range for passive and connects to the server without issues in PASV mode.
Reading some posts about it in this forum, I tried different combinations, but always with the same results.
So now I have this working with the following configuration:
VIP -> Performance Layer4, FastL4 profile, Auto-map, All services; or VIP -> Standard, TCP profile
If I try to add the FTP profile (default or with data port "0") or if I change the VIP service to FTP, I automatically receive RST ACK from the LB. (I have also configured an iRule in the VIP that allows port ranges 20-21 & 30001-30020.)
- Gonzalex_330537, Nov 07, 2017, Cirrostratus
Ok matey. Let me lab this stuff. I'll get back to you. I'm intrigued :)
- Petak_333163, Nov 07, 2017, Nimbostratus
Thanks :) I'm using vsftpd on the FTP servers with this added configuration:
anonymous_enabled=YES
pasv_address="Your LB public ip"
pasv_min_port=30009
pasv_max_port=30020
pasv_enable=YES
Really, thank you! I hope that you don't waste much time helping me. :)
- Gonzalex_330537, Nov 07, 2017, Cirrostratus
I'm helping myself too ;) It's a good one. Aaaaight ... on it. will take some time to set it up...
- Gonzalex_330537, Nov 07, 2017, Cirrostratus
Just so I replicate like for like: have you got the local firewall enabled or disabled?
- Petak_333163, Nov 07, 2017, Nimbostratus
Ftp instances no firewall, just iptables permitting those ports
- Gonzalex_330537, Nov 07, 2017, Cirrostratus
Ok matey ... got this guy sorted! But you were right. There is something very fishy going on that even the Internet community seems to be fairly clueless about. I'd like to keep myself humble here - I found this solution by pure luck!!!
Initially, I was bumping into a lot of articles about bugs on the F5 itself, particularly dealing with passive FTP. But when checking the version those bugs would apply to, I couldn't match the code version I'm running - v11.6.
Also done quite a few tcpdumps ... surely it was showing me the error but I failed to see it ... maybe I am tired of it LOL.
Luckily, after some configuration changes I noticed the following message: "227 Entering passive Mode (0,0,0,0,129,119)" - I knew that instead of 0.0.0.0, I was supposed to have the IP address of the server. This gave me new ideas...
I then tested the ftp connection from the f5 itself directly to the backend server. Was getting the same message! At this point, I knew it was an issue with vsftpd!
THE FIX
Edit the vsftpd.conf file and remove the pasv_address command. This fixed the problem for me.
My VS looks like this:
ltm virtual vs_ftp {
    destination 100.100.100.100:ftp
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_ftp
    profiles {
        ftp { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 4
}
vsftpd is running on CentOS - I've disabled firewalld as well using the systemctl stop firewalld command. I don't have iptables running either.
So what can I say ... I hope this fixes the problem for you too.
Let me know! I'm dying to know!
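As an added example (not code from either poster), here is a small Python diagnostic that does what the post above did by hand: it parses the server's 227 PASV reply and reports the conditions a client would trip over, namely the 0.0.0.0 data address quoted above, a backend address that differs from the address the client actually connected to (the NAT/VIP mismatch the first post describes), or a data port outside the vsftpd pasv_min_port/pasv_max_port range. The VIP address 10.0.150.94 and the 30009-30020 range come from the configs posted in this thread; the "healthy" sample reply and the live_pasv_reply helper are assumptions for a lab host.

```python
import re
from ipaddress import ip_address
from ftplib import FTP
from typing import List, Optional, Tuple

# RFC 959 reply shape: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return the (host, port) a client would dial after this 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply: str, control_peer: str,
                  pasv_min: Optional[int] = None,
                  pasv_max: Optional[int] = None) -> List[str]:
    """List reasons the advertised data connection would fail from the client's side.

    control_peer is the address the client's control connection went to
    (the VIP when going through the F5, the server itself when bypassing it).
    """
    host, port = parse_pasv(reply)
    findings = []
    if ip_address(host).is_unspecified:
        # The "(0,0,0,0,...)" symptom from the thread: 0.0.0.0 is not a
        # dialable address, so "quote pasv" or a FileZilla listing stalls.
        findings.append(f"advertised data address {host} is unspecified; "
                        "the server does not know which address to hand out")
    elif host != control_peer:
        # A backend address leaks through the proxy: the client tries to reach
        # a host it cannot route to. Either the proxy rewrites the 227 reply
        # (the FTP profile's job) or the server must advertise the VIP.
        findings.append(f"advertised data address {host} differs from control peer "
                        f"{control_peer}; client will dial the wrong host")
    if pasv_min is not None and pasv_max is not None and not pasv_min <= port <= pasv_max:
        findings.append(f"advertised data port {port} is outside the allowed "
                        f"range {pasv_min}-{pasv_max}")
    return findings


def live_pasv_reply(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Hypothetical lab helper: log in anonymously and return the raw 227 reply."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # anonymous, as the vsftpd config in the thread allows
        return ftp.sendcmd("PASV")


# Constructed samples: "broken" is the exact reply quoted in the thread; "healthy"
# is what a server behind the VIP 10.0.150.94 should send for a data port inside
# pasv_min_port=30009..pasv_max_port=30020 (117*256 + 59 = 30011).
SAMPLES = {
    "broken": "227 Entering passive Mode (0,0,0,0,129,119)",
    "healthy": "227 Entering Passive Mode (10,0,150,94,117,59)",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        host, port = parse_pasv(reply)
        problems = diagnose_pasv(reply, "10.0.150.94", 30009, 30020)
        print(f"{name}: data endpoint {host}:{port}; " + ("; ".join(problems) or "looks fine"))
```

Run it once against the control address you used (the VIP, then the server directly, as the first post suggests): if the reply is already wrong when talking straight to the server, the load balancer is not the thing to fix.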
- Gonzalex_330537, Nov 07, 2017, Cirrostratus
Now ... if it doesn't work, try the following too; I didn't get to try these, but I found these suggestions on other sites:
/etc/hosts.allow - add the line "vsftpd : ALL"
then reboot just to make sure.
- Petak_333163, Nov 08, 2017, Nimbostratus
Hi @Gonzalex, sorry for the delay, I was doing other stuff and I didn't check the email notification, sorry about that.
I replicated the exact configuration that you posted and also I deleted the "pasv_address" on the FTP servers. The connection works as normal, but when you request to enter passive mode ("quote pasv" via terminal, or using a client like FileZilla), the connection dies in my lab.
Here is my config:
ltm virtual TEST2-VS {
    destination 10.0.150.94:ftp
    ip-protocol tcp
    mask 255.255.255.255
    pool TEST2-pool
    profiles {
        ftp { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 3
}
I edited the hosts.allow file too, but the result was the same.
Whether we find the solution or not, I would like to thank you for spending your time to help me.
I will be here continuing to work on this and other issues that I have with this product hahaha :)
- Gonzalex_330537, Nov 08, 2017, Cirrostratus
Hi Petak. When you say the connection dies, what do you mean? Are you getting different results than before? No more errors? Is it just the session that hangs? What version of code are you running?
A few more suggestions:
- Upgrade the F5 - In my research, I did find a lot of other people having problems with Passive FTP due to how translations are done, or even due to the F5 not passing the correct PASV FTP string back to the client. For those people, the prob was fixed by an upgrade.
- My setup includes a one-server pool only; try using one server as well ... just to rule out LB algorithms, persistence and things like that.
- Try another FTP server - don't just exclude the possibility of vsftpd being broken. Lots of people have Passive FTP probs with vsftpd.
Other than that, I'm out of ideas. :(