I've seen a few post regarding some of the roadblocks with getting FTP over SSH to work. But I have reviewed my config and having issues. Configured VIP on port 22 with SNAT automap, and the servers are listening on port 5022. Also using L4 profile and source_addr. When I attempt to login I get the "fingerprint ssh-rsa" but after that I get "authentication failed". Is there some other parameter I'm missing thats preventing this from working?? Thanks for the help!

Gah, I did SFTP before but cannot remember whether I had to use an ftp profile for it. Have you done a packet capture to check how things look? Auth failed is coming right away, or after you try logging in?

We currently do STFP in our environment. Server listens on TCP 2222 VIP is configured for SSH We used Standard with no properties modified at all. (Default TCP profile -- not FTP) We also did not need SNAT Automap, but I'm not sure if your server has the F5 as the default gateway or not.

Posted By wtwagon on 02/08/2011 06:25 AM We currently do STFP in our environment. Server listens on TCP 2222 VIP is configured for SSH We used Standard with no properties modified at all. (Default TCP profile -- not FTP) We also did not need SNAT Automap, but I'm not sure if your server has the F5 as the default gateway or not. Thanks for responding! I unfortunately don't have access to the boxes on which I'd configured SFTP. So basically tcp/22 worked fine for you.

I noticied that I don't see any trace of the SNAT address with the tcpdump.. only the self ip during the failed login. and thats with SNAT automap enabled. So it sounds like if we do not use SNAT, the server must point directly to the self ip ?? 17:48:56.986258 IP x.22.169.241.1028 > x.36.172.x.ssh: S 758488788:758488788(0) win 65535 17:48:56.986703 IP x.36.172.x.ssh > x.22.169.241.1028: S 1025121854:1025121854(0) ack 758488789 win 5840 17:48:57.043374 IP x.22.169.241.1028 > x.36.172.x.ssh: . ack 1 win 32768 17:48:57.047688 IP x.36.172.x.ssh > x.22.169.241.1028: P 1:21(20) ack 1 win 46 17:48:57.103653 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1:44(43) ack 21 win 32767 17:48:57.103931 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 44 win 46 17:48:57.104957 IP x.36.172.x.ssh > x.22.169.241.1028: P 21:725(704) ack 44 win 46 17:48:57.109600 IP x.22.169.241.1028 > x.36.172.x.ssh: P 44:556(512) ack 21 win 32767 17:48:57.109604 IP x.22.169.241.1028 > x.36.172.x.ssh: P 556:684(128) ack 21 win 32767 17:48:57.109933 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 684 win 63 17:48:57.165816 IP x.22.169.241.1028 > x.36.172.x.ssh: P 684:700(16) ack 725 win 32762 17:48:57.167874 IP x.36.172.x.ssh > x.22.169.241.1028: P 725:1005(280) ack 700 win 63 17:48:57.256547 IP x.22.169.241.1028 > x.36.172.x.ssh: P 700:972(272) ack 1005 win 32760 17:48:57.263654 IP x.36.172.x.ssh > x.22.169.241.1028: P 1005:1853(848) ack 972 win 71 17:48:57.355642 IP x.22.169.241.1028 > x.36.172.x.ssh: P 972:988(16) ack 1853 win 32768 17:48:57.355650 IP x.22.169.241.1028 > x.36.172.x.ssh: P 988:1040(52) ack 1853 win 32768 17:48:57.355870 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 1040 win 71 17:48:57.355928 IP x.36.172.x.ssh > x.22.169.241.1028: P 1853:1905(52) ack 1040 win 71 17:48:57.415586 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1040:1108(68) ack 1905 win 32767 17:48:57.419579 IP x.36.172.x.ssh > x.22.169.241.1028: P 1905:1989(84) ack 1108 win 71 17:48:57.482899 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1108:1404(296) ack 1989 win 32766 17:48:57.523566 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 1404 win 80 17:49:00.070659 IP x.36.172.x.ssh > x.22.169.241.1028: P 1989:2073(84) ack 1404 win 80 17:49:00.209323 IP x.22.169.241.1028 > x.36.172.x.ssh: R 1404:1404(0) ack 2073 win 0 17:49:14.280379 IP x.22.169.241.iad3 > x.36.172.x.ssh: S 4106293492:4106293492(0) win 65535 17:49:14.280606 IP x.36.172.x.ssh > x.22.169.241.iad3: S 3350075743:3350075743(0) ack 4106293493 win 5840 17:49:14.337254 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 1 win 32768 17:49:14.341342 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1:21(20) ack 1 win 46 17:49:14.399249 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1:44(43) ack 21 win 32767 17:49:14.399902 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 44 win 46 17:49:14.400284 IP x.36.172.x.ssh > x.22.169.241.iad3: P 21:725(704) ack 44 win 46 17:49:14.403021 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 44:556(512) ack 21 win 32767 17:49:14.403026 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 556:684(128) ack 21 win 32767 17:49:14.403247 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 684 win 63 17:49:14.457271 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 684:700(16) ack 725 win 32762 17:49:14.459805 IP x.36.172.x.ssh > x.22.169.241.iad3: P 725:1005(280) ack 700 win 63 17:49:14.548367 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 700:972(272) ack 1005 win 32760 17:49:14.555198 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1005:1853(848) ack 972 win 71 17:49:14.746744 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 1853 win 32768 17:49:28.156578 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 972:988(16) ack 1853 win 32768 17:49:28.157029 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 988:1040(52) ack 1853 win 32768 17:49:28.157251 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 1040 win 71 17:49:28.157255 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1853:1905(52) ack 1040 win 71 17:49:28.216186 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1040:1108(68) ack 1905 win 32767 17:49:28.219039 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1905:1989(84) ack 1108 win 71 17:49:28.356048 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1108:1404(296) ack 1989 win 32766 17:49:28.396201 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 1404 win 80 17:49:29.760217 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1989:2073(84) ack 1404 win 80 17:49:30.033536 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 2073 win 32766 17:49:30.128949 IP x.22.169.241.iad3 > x.36.172.x.ssh: R 1404:1404(0) ack 2073 win 0

FTP over SSH Issue | DevCentral

15 Replies

cxcal_18687
Nimbostratus
Feb 08, 2011
I see the traffic coming from the SNAT Pool (as recommended)

But continue to get resets:

13:17:06.024453 IP 10.6.172.231.ssh > 10.6.172.226.50469: P 1989:2073(84) ack 1404 win 80

13:17:06.024472 IP 10.6.172.243.ssh > 172.30.202.61.50469: P 1989:2073(84) ack 1404 win 80

13:17:06.083026 IP 172.30.202.61.50469 > 10.6.172.243.ssh: R 1404:1404(0) ack 2073 win 0

13:17:06.083032 IP 10.6.172.226.50469 > 10.6.172.231.ssh: R 1404:1404(0) ack 2073 win 0
cxcal_18687
Nimbostratus
Feb 08, 2011
I noticed with SmartFTP client that when I attempted to connect thru the VIP it complains about:

[15:43:21] Client to Server Encryption: aes128-ctr

[15:43:21] Server to Client Encryption: aes128-ctr

[15:43:21] Session MAC: hmac-sha1

[15:43:21] Client to Server Compression: zlib@openssh.com

[15:43:21] Server to Client Compression: zlib@openssh.com

[15:43:21] Requesting service "ssh-userauth".

[15:43:21] RTT: 197.205 ms

[15:43:21] Authentication request. Method: none

[15:43:21] Server supported authentications: publickey,gssapi-with-mic,password

[15:43:21] Authentication request. Method: password

[15:43:24] Authentication request. Method: gssapi-with-mic

[15:43:24] User authentication failed

When I connect directly to the server on port 5022, I get connected with no issues:

[15:40:37] Client to Server Encryption: aes128-cbc

[15:40:37] Server to Client Encryption: aes128-cbc

[15:40:37] Session MAC: hmac-sha1

[15:40:37] Client to Server Compression: none

[15:40:37] Server to Client Compression: none

[15:40:37] Requesting service "ssh-userauth".

[15:40:37] RTT: 53.458 ms

[15:40:37] Authentication request. Method: none

[15:40:37] Server supported authentications: keyboard-interactive,publickey,password

[15:40:37] Authentication request. Method: password

[15:40:37] User authentication successful.

[15:40:37] SSH session established

The difference I noticed was with the 1st two lines (aes128-cbc) compared to (aes128-ctr) on the failed login from the VIP.

Is this something that can be changed on the LTM?
hoolio
Cirrostratus
Feb 08, 2011
Can you enable debug on the client and SSH server to see what is failing? If connections direct to the SSH server work, but fail through the virtual server, I'd guess the issue is with the source IP address. You might need to add the LTM SNAT address to the allowed client list on the SSH server config.

You can enable debug on the client using ssh -vvv. For sshd, you can change the LogLevel from Notice to Default.

Aaron
cxcal_18687
Nimbostratus
Feb 08, 2011
I will see if I can get the server team to mod the server configs as a test.
cxcal_18687
Nimbostratus
Feb 08, 2011
Fixed!!

Root Cause:

When I created the pool they were set to listen on "Any" (don't ask me why).

Recreated the pool with the correct port and case closed!

Thanks for your time.

Forum Discussion

FTP over SSH Issue

15 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

How to run an FTP server on Kubernetes with F5 BIG-IP

FTP Session Logging

FTPS Offload via iRules

iRule Security 101 - #07 - FTP Proxy

FTP issue on LTM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS