Forum Discussion
BigIP LTM port translation - port selection process
Hey folks,
We have a load-balanced FTP server system that formerly resided behind an F5 3400 running BigIP LTM 10.0.1. We have recently moved it to a new F5, a 3900 running version 10.2.4. On both load balancers, the F5 was/is doing port translation on some of the active mode FTP connections from clients connecting to the FTP pool (I believe the pool was set to "Preserve" but not "Preserve Strict", so sometimes it would pass through the client-supplied port number and sometimes it would translate it). On the 3400/10.0.1 system, the ports being assigned when port translation was in effect were assigned sequentially (sometimes skipping a few numbers here and there, but always incrementing in sequence). However, on the new 3900/10.2.4 system, the ports being assigned for translation appear to be completely random. This is causing an issue with a couple of clients who perform a large number of active mode FTP data connections (dozens or hundreds) in one command session; the F5 is regularly attempting to reuse one of the randomly selected port numbers that it already used for a previous (now closed) active mode data connection for the same client a few seconds before. The problem is that the prior connection that was using that port is still in TIME_WAIT on the server (which lasts for 60 seconds, the OS default), so when the server tries to open a new connection to the same IP using the same port, it fails. This causes the entire FTP job on the connecting client to fail.
Is there any way to control the behavior of the port selection process on the 3900/10.2.4 F5 when doing port translation, e.g. make it assign ports in sequence like the old 3400/10.0.1 instead of randomly, or somehow prevent it from attempting to reuse the same randomly selected port number until a certain amount of time has passed (or even prevent it from reusing a port at all for data connections established by the same FTP command session)?
Thanks,
Dennis K
- nitass_89166Noctilucent
On the 3400/10.0.1 system, the ports being assigned when port translation was in effect were assigned sequentially (sometimes skipping a few numbers here and there, but always incrementing in sequence). However, on the new 3900/10.2.4 system, the ports being assigned for translation appear to be completely random.
i guess it is because 3400 does not support cmp but 3900. not sure if disabling cmp is a good idea, it may have some workaround for this.
sol7751: Overview of Clustered Multiprocessing (9.x - 10.x)
- DennyK_144735NimbostratusThanks for the reply; not a bad notion, but unfortunately it doesn't look like that's the cause here. We tried disabling CMP for the VIP that our client is using, but the ports being assigned during port translation are still completely random and still occasionally repeat too quickly, causing the same issue.
- nitassEmployee
On the 3400/10.0.1 system, the ports being assigned when port translation was in effect were assigned sequentially (sometimes skipping a few numbers here and there, but always incrementing in sequence). However, on the new 3900/10.2.4 system, the ports being assigned for translation appear to be completely random.
i guess it is because 3400 does not support cmp but 3900. not sure if disabling cmp is a good idea, it may have some workaround for this.
sol7751: Overview of Clustered Multiprocessing (9.x - 10.x)
- DennyK_144735NimbostratusThanks for the reply; not a bad notion, but unfortunately it doesn't look like that's the cause here. We tried disabling CMP for the VIP that our client is using, but the ports being assigned during port translation are still completely random and still occasionally repeat too quickly, causing the same issue.
- DennyK_144735Nimbostratus
Well, we have found a workaround that resolves this issue; when we set the Source Port setting to "Change" instead of "Preserve", the translated ports it assigns are chosen sequentially instead of randomly, which resolves the issue with ports being re-used too quickly. Don't know why the assigned ports are random with "Preserve" but sequential with "Change", but it does fix the problem.
- When you set source port to "preserve" or "preserve strict", the incoming port used by the client accessing will be used. That port is typically chosen at random by the network stack on the client; so the apparent randomness you're seeing on the F5 is a result of the F5 simply using that randomly-selected port. And if you have multiple clients incoming, it is possible to get conflicts (unless you e.g. set up a large SNAT pool).
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com