For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nadeem_68217's avatar
Nadeem_68217
Icon for Nimbostratus rankNimbostratus
Jun 03, 2011

Active ftp

I implement new F5 BigIP running version 10.2.1.HF2. All my users can’t ftp out in active ftp mode. Passive ftp mode is working. I need help to configure F5 to enable my active ftp mode in my F5. Please send me the link or any recommendation. Thanks
config
design

9 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jun 03, 2011
    Hi Nadeem,

     

     

    Do you have a virtual server defined to pass this traffic or is it going through a default SNAT? Have you tried searching for "active FTP" on AskF5.com?

     

     

    Aaron
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 03, 2011
    i think this's the one Aaron mentioned.

     

     

    sol8021: Configuring the BIG-IP LTM to allow outbound FTP sessions

     

    http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8021.html

     

     

    cheer!
  • Nadeem_68217's avatar
    Nadeem_68217
    Icon for Nimbostratus rankNimbostratus
    Jun 04, 2011
    I created virtual server for my outboud ftp site and follow the instruction from SOL8021 but still having issue. I also found SOL6557 but both solution did not help my active ftp issue.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 04, 2011
    this is mine. 

    
[root@camellia:Active] config  b version|grep -iA 1 version
BIG-IP Version 10.2.0 1707.0
Final Edition
[root@camellia:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination any:ftp
   mask 0.0.0.0
   ip protocol tcp
   profiles {
      ftp {}
      tcp {}
   }
}
[root@camellia:Active] config  b pool foo list
pool foo {
   members 172.28.17.254:any {}
}


    
 ftp 172.28.26.70
Connected to 172.28.26.70 (172.28.26.70).
220 (vsFTPd 2.0.6)
Name (172.28.26.70:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    4 1001     1001         4096 May 12  2010 F5
drwxr-xr-x    6 1000     1001         4096 Nov 15  2009 Software
drwxr-xr-x    2 1000     1000         4096 Apr 11 09:22 build
drwxr-xr-x   10 1000     1001         4096 Jul 14  2009 esxitemplate
drwxr-xr-x   13 1000     1001         4096 Apr 08 18:07 f5ftpmirror
drwxr-x--x    4 1000     1001         4096 Jun 07  2010 hotfixmirror
drwxrwxrwx    7 1001     1001         4096 May 17 02:33 tmp
226 Directory send OK.


    
] netstat -tan|grep 172.28.26.70
tcp   100896      0 10.10.70.110:4861       172.28.26.70:20         ESTABLISHED
tcp        0      0 10.10.70.110:2791       172.28.26.70:21         ESTABLISHED

    is there anything i missed?

    have u run tcpdump? isn't it helpful?

    tcpdump -nni 0.0:nnn -s0 -w host or host

    cheer!
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 04, 2011
    don't know why config wasn't shown. put it again here.

     

     

    [root@camellia:Active] config b version|grep -iA 1 version

     

    BIG-IP Version 10.2.0 1707.0

     

    Final Edition

     

    [root@camellia:Active] config b virtual bar list

     

    virtual bar {

     

    snat automap

     

    pool foo

     

    destination any:ftp

     

    mask 0.0.0.0

     

    ip protocol tcp

     

    profiles {

     

    ftp {}

     

    tcp {}

     

    }

     

    }

     

    [root@camellia:Active] config b pool foo list

     

    pool foo {

     

    members 172.28.17.254:any {}

     

    }

     

     

     

    ftp 172.28.26.70

     

    Connected to 172.28.26.70 (172.28.26.70).

     

    220 (vsFTPd 2.0.6)

     

    Name (172.28.26.70:root): anonymous

     

    331 Please specify the password.

     

    Password:

     

    230 Login successful.

     

    Remote system type is UNIX.

     

    Using binary mode to transfer files.

     

    ftp> passive

     

    Passive mode off.

     

    ftp> ls

     

    200 PORT command successful. Consider using PASV.

     

    150 Here comes the directory listing.

     

    drwxrwxrwx 4 1001 1001 4096 May 12 2010 F5

     

    drwxr-xr-x 6 1000 1001 4096 Nov 15 2009 Software

     

    drwxr-xr-x 2 1000 1000 4096 Apr 11 09:22 build

     

    drwxr-xr-x 10 1000 1001 4096 Jul 14 2009 esxitemplate

     

    drwxr-xr-x 13 1000 1001 4096 Apr 08 18:07 f5ftpmirror

     

    drwxr-x--x 4 1000 1001 4096 Jun 07 2010 hotfixmirror

     

    drwxrwxrwx 7 1001 1001 4096 May 17 02:33 tmp

     

    226 Directory send OK.

     

     

    netstat -tan|grep 172.28.26.70

     

    tcp 100896 0 10.10.70.110:4861 172.28.26.70:20 ESTABLISHED

     

    tcp 0 0 10.10.70.110:2791 172.28.26.70:21 ESTABLISHED

     

     

    tcpdump command:

     

    tcpdump -nni 0.0:nnn -s0 -w output_file host ftp_server_ip

     

     

    hth
  • Nadeem_68217's avatar
    Nadeem_68217
    Icon for Nimbostratus rankNimbostratus
    Jun 07, 2011
    I ran many tcpdump and found that I get connect but when ftp request for directory listing it keep retrying.

     

    Response: 200 command okey, after this line I see retries and fail. It only heppen when I use active ftp, my passive ftp work fine.

     

     

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 08, 2011
    is there any suspicious while connection keeps retrying e.g. src port, dst port, seq number?

     

     

    is it possible to try another ftp server e.g. another ftp software?
  • Nadeem_68217's avatar
    Nadeem_68217
    Icon for Nimbostratus rankNimbostratus
    Jun 10, 2011
    I found the problem, I have Cisco ASA5585 and running 8.4(1), it is cisco IOS bug [ CSCto09465 FTP transfers fail with NAT configured on multi-core ASAs (5580/5585)] This problem is fixed in new IOS asa841-13-smp-k8.bin.