Forum Discussion

syedimam_147051
Feb 26, 2016

Passive FTP failing, F5 send TCP RST after receiving Entering Passive mode from server

Hi, pretty standard setup: Passive FTP, control port 10021, data ports 50251-50500.

Configuration

VIP: 192.168.152.8 (open for all ports), Auto SNAT (interface and pool members on the same VLAN), basic FTP profile, basic TCP client/server profile.

Self IP: 10.57.152.6 Pool: 10.57.152.6 (open for all ports)

Problem:

With the basic FTP profile, F5 sends a TCP RST as soon as it receives the response to the PASV request from the server saying that it is entering passive mode.

If we remove the FTP profile and use the basic TCP profile, it works fine.

TCP Reset from F5 self IP to backend

TCP Reset from F5 to Client

Passive IP: F5 VIP (192.168.152.8), Passive Port 50252, Passive IP NAT: True

 

 

Thanks Syed


  • Self IP: 10.57.152.6 Pool: 10.57.152.6 (open for all ports)

    pool is 10.57.152.7, isn't it?

    can you post both client-side and server-side trace?

    e.g.

     tcpdump -nni 0.0:nnn -s0 -v -w /var/tmp/output.cap host 192.168.152.8 or host 10.57.152.7

  • Hi Sorry, it was a typo. Indeed, .6 is the floating IP to carry traffic and .7 is the pool. Results attached. I have tested this in the lab as well and the results are the same. Server listening on ports 5000-6000; with only the TCP profile, traffic works fine. With the FTP profile, F5 sends RST after getting "entering into passive mode" from the server. Also tried the following iRule, with exactly the same results.

        when SERVER_CONNECTED {
            FTP::port 5000 5999
        }

    F5 to Server

    Client to F5

  • Try creating a non-default ftp profile and allow ANY data port.

    Per default, only port 20 is allowed:

        list ltm profile ftp /Common/ftp all-properties
        ltm profile ftp /Common/ftp {
            app-service none
            defaults-from none
            description none
            inherit-parent-profile disabled
            log-profile none
            log-publisher none
            partition Common
            --> port ftp-data <--
            security disabled
            translate-extended enabled
        }

    try using this instead:

        ltm profile ftp ftp_dataport_any {
            app-service none
            defaults-from /Common/ftp
            --> port any <--
        }


    With this profile, you also should not need to enable the virtual on any port, but only on the desired ftp-control port (in your case 10021).

    HTH Martin
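To make the mechanism behind this answer concrete, here is an added illustrative model (not F5's code and not the thread's configuration) of what a stateful FTP profile does with the server's `227 Entering Passive Mode` reply: it parses the advertised address, checks the data port against the profile's `port` setting (`ftp-data`, i.e. TCP/20, by default; `any`; or a range as set by an `FTP::port` iRule), and, with Passive IP NAT on, rewrites the address to the virtual's IP. The `FtpProfile` class, the `port_range` field and the "reset" verdict are hypothetical simplifications chosen to reproduce the behaviour reported in the thread; the sample reply is constructed and advertises pool member 10.57.152.7 on data port 50252.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Matches a 227 reply such as "227 Entering Passive Mode (10,57,152,7,196,76)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpProfile:
    """Hypothetical model of the tmsh ftp profile settings discussed above.

    port:           "ftp-data" (TCP/20, the default), "any", or a numeric port
    port_range:     (low, high) modelling a range set by the FTP::port iRule
    passive_ip_nat: rewrite the address in the 227 reply to the virtual's IP
    """
    port: str = "ftp-data"
    port_range: Optional[Tuple[int, int]] = None
    passive_ip_nat: bool = True
    vip: str = "192.168.152.8"  # VIP from the thread, used as the NAT address


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (ip, port) from a 227 reply; port = p1*256 + p2 per RFC 959."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_allowed(profile: FtpProfile, port: int) -> bool:
    """Decide whether the profile permits this data port."""
    if profile.port_range is not None:
        low, high = profile.port_range
        return low <= port <= high
    if profile.port == "any":
        return True
    if profile.port == "ftp-data":
        return port == 20
    return port == int(profile.port)


def handle_pasv(profile: FtpProfile, reply: str) -> Tuple[str, Optional[str]]:
    """Return ("forward", rewritten_reply) or ("reset", None).

    "reset" models the behaviour reported in the thread: the ALG refuses a
    data port outside what the profile allows instead of relaying the reply.
    """
    ip, port = parse_pasv(reply)
    if not data_port_allowed(profile, port):
        return "reset", None
    if profile.passive_ip_nat:
        ip = profile.vip  # the client must connect to the virtual, not the pool member
    octets = ip.replace(".", ",")
    return "forward", f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})\r\n"


# Constructed sample: pool member 10.57.152.7 offers data port 50252 (196*256 + 76)
SAMPLE_REPLY = "227 Entering Passive Mode (10,57,152,7,196,76)\r\n"

if __name__ == "__main__":
    for name, prof in [
        ("default /Common/ftp", FtpProfile()),
        ("ftp_dataport_any", FtpProfile(port="any")),
        ("FTP::port 5000 5999", FtpProfile(port_range=(5000, 5999))),
    ]:
        print(name, handle_pasv(prof, SAMPLE_REPLY))
```

Run as written, the default profile yields "reset" for port 50252, the `port any` profile forwards the reply with the address rewritten to `192,168,152,8`, and the 5000-5999 range also rejects 50252, which is the same pattern the original poster saw in the lab when the server's listening range did not match the iRule.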

  • PROD environment works fine with iRule but it is failing in the lab. I checked and server ports are in same range.


    have you captured packets? what did you see there?