Forum Discussion
FTPS load balancing
Hi All
I have set up an FTPS pass-through load balancing setup. Everything is working fine, connection flow:
Three-way handshake, response from the server to the client: service ready for new user
Client ACKs it
FTP banner sent by FTP server to client
Client sends AUTH TLS
Server sends 234 AUTH command OK. Expecting TLS negotiation.
Client sends a request, I think for the server certificate. Server ACKs it.
Then the connection times out after 120 seconds and the client sends
Request: QUIT, which I think is the default timeout for the client. This connection is closed by the client.
But the VIP connection is still up and sends the response, the certificate, to the client.
But the client sends RST as it is not listening on it any more.
Note: Server = VIP
But when a user accesses directly, bypassing the LTM, the connection is quick, within seconds.
What can be the issue for this delay? Can it be the FTP profile set on the VS, as it is FTPS?
VS setting: listening on port 21, backend servers also port 21, SNAT2VIP, profiles: TCP, FTP
Thanks in advance
8 Replies
- mimlo_61970
Cumulonimbus
See this article.
http://support.f5.com/kb/en-us/solutions/public/9000/300/sol9347.html
I think you need to use a FastL4 virtual listening on all ports, and there are also some implications with addressing as the LTM cannot rewrite the encrypted packets to modify the addresses within. The FTPS server needs to think it has the IP address of the virtual server.
- SynACk_128568
Cirrostratus
Hi Mimlo,
Thanks for your reply. Will check it out.
- Mahmoud_Eldeeb_
Cirrostratus
Hello, look at the link below, I thought it is helpful for you: http://support.f5.com/kb/en-us/solutions/public/9000/300/sol9347.html
- SynACk_128568
Cirrostratus
Hi All,
But I am not understanding why the LTM is taking time to send the response, and also if the client increases the timeout it doesn't matter.
Also can someone explain why the VIP IP needs to be configured on loopback?
- mimlo_61970
Cumulonimbus
FTPS, like FTP, has 2 connections. One is the control, the other is the data. You initially connect over the control, and then when you need to transfer data (which includes everything from transferring files to listing directories), the control channel negotiates the parameters for the data channel. In that control packet is the IP address of the server. In other words, it doesn't just connect to the same IP the control connected to, it actually connects to the IP address and port in the packet. With FTP-aware devices like a firewall or LTM with FTP profile, the device rewrites the control packet to replace the IP address with the proper internal addresses to make everyone happy. Being that this is FTPS and the LTM cannot decrypt the control packet and make changes to it, the backend server needs to believe it has the VIP address to create a proper control packet that the client can connect to.
I believe this is only the case with Passive connections. With Active mode, the IP address of the client is in the control packet, thus probably making a SNAT setup break.
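The following is an added example, not code from this thread or from F5, that shows the point made in the reply above in working Python: it parses the passive-mode `227` reply the server puts on the control channel, performs the address rewrite an FTP-aware device (ALG / FTP profile) does when the control channel is plaintext, and shows that when the channel is encrypted the advertised address reaches the client untouched, so the client only gets a reachable data-channel target if the server itself advertises the VIP address. The pool member address 10.0.0.5 and the sample reply are constructed; 1.2.3.4 is the VIP from the configuration posted later in the thread.

```python
import re

# Constructed sample: a PASV reply as a server with a private address would send it.
# Port = 195*256 + 80 = 50000.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)."

# Constructed addresses for the walk-through (1.2.3.4 is the VIP used in the thread).
VIP_IP = "1.2.3.4"
POOL_MEMBER_IP = "10.0.0.5"  # assumption: private address of the backend FTPS server

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Extract (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet/port byte out of range: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    """Build the PASV reply a server advertising ip:port would send."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = ",".join(ip.split("."))
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})."


def alg_rewrite(reply: str, internal_ip: str, public_ip: str) -> str:
    """What an FTP-aware device does on a plaintext control channel: swap the
    backend's internal address for the public VIP address, keeping the port."""
    ip, port = parse_pasv(reply)
    if ip == internal_ip:
        return format_pasv(public_ip, port)
    return reply


def data_channel_target(reply: str, vip_ip: str, pool_member_ip: str,
                        channel_encrypted: bool) -> tuple[str, int, bool]:
    """Return (ip, port, reachable): what the client will try to connect to for
    the data channel, and whether that address is the VIP the client can reach.

    On an encrypted (FTPS) control channel the load balancer forwards the bytes
    untouched, so no rewrite is possible and the server's own advertised
    address is what the client sees."""
    if channel_encrypted:
        advertised = reply            # passed through as opaque ciphertext
    else:
        advertised = alg_rewrite(reply, pool_member_ip, vip_ip)
    ip, port = parse_pasv(advertised)
    return ip, port, ip == vip_ip


if __name__ == "__main__":
    # Plain FTP: the FTP profile fixes the address, client gets the VIP.
    print(data_channel_target(SAMPLE_PASV_REPLY, VIP_IP, POOL_MEMBER_IP, False))
    # FTPS, server unaware of the VIP: client is told a private address it cannot reach.
    print(data_channel_target(SAMPLE_PASV_REPLY, VIP_IP, POOL_MEMBER_IP, True))
    # FTPS, server has the VIP on loopback / masquerade and advertises it itself.
    fixed = format_pasv(VIP_IP, 50000)
    print(data_channel_target(fixed, VIP_IP, POOL_MEMBER_IP, True))
```

Running the block prints a reachable target for plain FTP with the rewrite, an unreachable 10.0.0.5 target for FTPS when the server advertises its own private address, and a reachable target only when the server advertises the VIP itself, which is the reason the VIP address has to be configured on the server's loopback for FTPS pass-through.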
- SynACk_128568
Cirrostratus
Hi Mimlo, thanks for the explanation. So when the server replies, will it bypass the LTM or will it just add the VIP IP and port to the control packet and send it to the VIP? Also, the existing setup is like this (packet capture inserted between VIP source and pool member destination):

virtual abd_21 {
   pool abd_21
   destination 1.2.3.4:21
   ip protocol 6
   rules SNAT2VIP
   profiles {
      ftp {}
      tcp {}
   }
}
virtual abd_443 {
   pool abd_443
   destination 1.2.3.4:443
   ip protocol 6
   rules SNAT2VIP
   persist src_ip_1800
   profiles fastL4 {}
}
- mimlo_61970
Cumulonimbus
Because of the SNAT, the traffic will be returned through the LTM. The purpose of the loopback/masquerade address is just to put the VIP in the packet so the client at the far end gets the correct IP to connect to.
- SynACk_128568
Cirrostratus
Thanks for the explanation, that clears the confusion. But I don't understand why the pool member is responding after 120 seconds. Even if the VIP is not configured, the server can give its IP and port to the client and then it should fail. Also the VIP is pass-through, so it should pass the certificate to the client and at least authenticate. I might be wrong, but I am not able to get the behavior. Thanks