Forum Discussion
cxcal_18687
Nimbostratus
Feb 08, 2011
FTP over SSH Issue
I've seen a few posts regarding some of the roadblocks with getting FTP over SSH to work. But I have reviewed my config and am having issues.
Configured VIP on port 22 with SNAT automap, and the servers are listening on port 5022. Also using L4 profile and source_addr.
When I attempt to login I get the "fingerprint ssh-rsa" but after that I get "authentication failed".
Is there some other parameter I'm missing that's preventing this from working??
Thanks for the help!
15 Replies
- Chris_Miller
Altostratus
Gah, I did SFTP before but cannot remember whether I had to use an ftp profile for it.
Have you done a packet capture to check how things look? Auth failed is coming right away, or after you try logging in?
- wtwagon_99154
Nimbostratus
We currently do SFTP in our environment.
Server listens on TCP 2222
VIP is configured for SSH
We used Standard with no properties modified at all. (Default TCP profile -- not FTP) We also did not need SNAT Automap, but I'm not sure if your server has the F5 as the default gateway or not.
- Chris_Miller
Altostratus
Posted By wtwagon on 02/08/2011 06:25 AM
We currently do SFTP in our environment.
Server listens on TCP 2222
VIP is configured for SSH
We used Standard with no properties modified at all. (Default TCP profile -- not FTP) We also did not need SNAT Automap, but I'm not sure if your server has the F5 as the default gateway or not.
Thanks for responding! I unfortunately don't have access to the boxes on which I'd configured SFTP. So basically tcp/22 worked fine for you.
- wtwagon_99154
Nimbostratus
Yes, no issues whatsoever.
- cxcal_18687
Nimbostratus
I noticed that I don't see any trace of the SNAT address with the tcpdump.. only the self ip during the failed login. And that's with SNAT automap enabled.
So it sounds like if we do not use SNAT, the server must point directly to the self ip ??
17:48:56.986258 IP x.22.169.241.1028 > x.36.172.x.ssh: S 758488788:758488788(0) win 65535
17:48:56.986703 IP x.36.172.x.ssh > x.22.169.241.1028: S 1025121854:1025121854(0) ack 758488789 win 5840
17:48:57.043374 IP x.22.169.241.1028 > x.36.172.x.ssh: . ack 1 win 32768
17:48:57.047688 IP x.36.172.x.ssh > x.22.169.241.1028: P 1:21(20) ack 1 win 46
17:48:57.103653 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1:44(43) ack 21 win 32767
17:48:57.103931 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 44 win 46
17:48:57.104957 IP x.36.172.x.ssh > x.22.169.241.1028: P 21:725(704) ack 44 win 46
17:48:57.109600 IP x.22.169.241.1028 > x.36.172.x.ssh: P 44:556(512) ack 21 win 32767
17:48:57.109604 IP x.22.169.241.1028 > x.36.172.x.ssh: P 556:684(128) ack 21 win 32767
17:48:57.109933 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 684 win 63
17:48:57.165816 IP x.22.169.241.1028 > x.36.172.x.ssh: P 684:700(16) ack 725 win 32762
17:48:57.167874 IP x.36.172.x.ssh > x.22.169.241.1028: P 725:1005(280) ack 700 win 63
17:48:57.256547 IP x.22.169.241.1028 > x.36.172.x.ssh: P 700:972(272) ack 1005 win 32760
17:48:57.263654 IP x.36.172.x.ssh > x.22.169.241.1028: P 1005:1853(848) ack 972 win 71
17:48:57.355642 IP x.22.169.241.1028 > x.36.172.x.ssh: P 972:988(16) ack 1853 win 32768
17:48:57.355650 IP x.22.169.241.1028 > x.36.172.x.ssh: P 988:1040(52) ack 1853 win 32768
17:48:57.355870 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 1040 win 71
17:48:57.355928 IP x.36.172.x.ssh > x.22.169.241.1028: P 1853:1905(52) ack 1040 win 71
17:48:57.415586 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1040:1108(68) ack 1905 win 32767
17:48:57.419579 IP x.36.172.x.ssh > x.22.169.241.1028: P 1905:1989(84) ack 1108 win 71
17:48:57.482899 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1108:1404(296) ack 1989 win 32766
17:48:57.523566 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 1404 win 80
17:49:00.070659 IP x.36.172.x.ssh > x.22.169.241.1028: P 1989:2073(84) ack 1404 win 80
17:49:00.209323 IP x.22.169.241.1028 > x.36.172.x.ssh: R 1404:1404(0) ack 2073 win 0
17:49:14.280379 IP x.22.169.241.iad3 > x.36.172.x.ssh: S 4106293492:4106293492(0) win 65535
17:49:14.280606 IP x.36.172.x.ssh > x.22.169.241.iad3: S 3350075743:3350075743(0) ack 4106293493 win 5840
17:49:14.337254 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 1 win 32768
17:49:14.341342 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1:21(20) ack 1 win 46
17:49:14.399249 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1:44(43) ack 21 win 32767
17:49:14.399902 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 44 win 46
17:49:14.400284 IP x.36.172.x.ssh > x.22.169.241.iad3: P 21:725(704) ack 44 win 46
17:49:14.403021 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 44:556(512) ack 21 win 32767
17:49:14.403026 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 556:684(128) ack 21 win 32767
17:49:14.403247 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 684 win 63
17:49:14.457271 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 684:700(16) ack 725 win 32762
17:49:14.459805 IP x.36.172.x.ssh > x.22.169.241.iad3: P 725:1005(280) ack 700 win 63
17:49:14.548367 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 700:972(272) ack 1005 win 32760
17:49:14.555198 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1005:1853(848) ack 972 win 71
17:49:14.746744 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 1853 win 32768
17:49:28.156578 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 972:988(16) ack 1853 win 32768
17:49:28.157029 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 988:1040(52) ack 1853 win 32768
17:49:28.157251 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 1040 win 71
17:49:28.157255 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1853:1905(52) ack 1040 win 71
17:49:28.216186 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1040:1108(68) ack 1905 win 32767
17:49:28.219039 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1905:1989(84) ack 1108 win 71
17:49:28.356048 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1108:1404(296) ack 1989 win 32766
17:49:28.396201 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 1404 win 80
17:49:29.760217 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1989:2073(84) ack 1404 win 80
17:49:30.033536 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 2073 win 32766
17:49:30.128949 IP x.22.169.241.iad3 > x.36.172.x.ssh: R 1404:1404(0) ack 2073 win 0
- Chris_Miller
Altostratus
SNAT automap uses the Self-IP (the floating one if defined) of the VLAN facing the pool member, so that's the expected behavior. If you want to use something else, you need to use a SNAT Pool.
- cxcal_18687
Nimbostratus
Currently have one SNAT address configured with this setup.
- hoolio
Cirrostratus
If you have an IP address defined in a SNAT pool and have added that SNAT pool to the virtual server, you should see that address as the source on serverside traffic. Else, as Chris said, with Automap, LTM will select the floating self IP on the serverside VLAN to source the traffic.
Aaron
- cxcal_18687
Nimbostratus
Gotcha...
I will make that change this afternoon.
Thanks Guys.. I'll keep you posted.
- cxcal_18687
Nimbostratus
Ok... I'm at a loss.
Adding the SNAT pool to the VIP gives the same results ... authentication failure.
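
Added example (not part of any poster's message and not F5 tooling): a small Python parser for the legacy tcpdump text format posted earlier in the thread. It reports, per connection, whether a SYN-ACK came back, how many payload bytes each side sent, and which side sent the RST. The sample lines and addresses are constructed, and `summarize` is a hypothetical helper name.

```python
import re

# Constructed sample in the same tcpdump text format as the capture in the
# thread; the addresses are documentation-range placeholders.
SAMPLE = """\
17:48:56.986258 IP 192.0.2.10.1028 > 198.51.100.20.ssh: S 100:100(0) win 65535
17:48:56.986703 IP 198.51.100.20.ssh > 192.0.2.10.1028: S 900:900(0) ack 101 win 5840
17:48:57.043374 IP 192.0.2.10.1028 > 198.51.100.20.ssh: . ack 1 win 32768
17:48:57.047688 IP 198.51.100.20.ssh > 192.0.2.10.1028: P 1:21(20) ack 1 win 46
17:48:57.103653 IP 192.0.2.10.1028 > 198.51.100.20.ssh: P 1:44(43) ack 21 win 32767
17:48:57.104957 IP 198.51.100.20.ssh > 192.0.2.10.1028: P 21:725(704) ack 44 win 46
17:49:00.209323 IP 192.0.2.10.1028 > 198.51.100.20.ssh: R 44:44(0) ack 725 win 0
"""

# time, source, destination, TCP flags, optional "first:last(length)" field
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > (\S+): "
                  r"([SFPRWE.]+)(?: \d+:\d+\((\d+)\))?")

def summarize(text):
    """Return {(client, server): stats} for each connection opened by a SYN."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a TCP packet summary line
        hh, mm, ss, src, dst, flags, length = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if (src, dst) in flows:
            key, side = (src, dst), "client"
        elif (dst, src) in flows:
            key, side = (dst, src), "server"
        elif flags == "S":  # first SYN defines which end is the client
            key, side = (src, dst), "client"
            flows[key] = {"start": ts, "end": ts, "syn_ack_seen": False,
                          "client_bytes": 0, "server_bytes": 0, "reset_by": None}
        else:
            continue  # mid-stream packet for a connection whose SYN was not captured
        f = flows[key]
        f["end"] = ts
        f[side + "_bytes"] += int(length or 0)
        if side == "server" and "S" in flags:
            f["syn_ack_seen"] = True
        if "R" in flags and f["reset_by"] is None:
            f["reset_by"] = side
    return flows

if __name__ == "__main__":
    for (client, server), f in summarize(SAMPLE).items():
        print(client, "->", server, f, "duration=%.3fs" % (f["end"] - f["start"]))
```

Run against a capture taken on the server-side VLAN as well, the same summary shows which source address the pool member actually sees.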
