Forum Discussion
Having issues getting FTPS server load balanced
We had the same issue as this link: FTPS Load-balancing Problem | DevCentral (f5.com)
Then our issue was resolved using this link: Configuring passthrough FTPS load balancing (f5.com)
This worked for a period of time, and now our issues are back and they are intermittent. Ports are not using the enforced port range on F5, and we are getting the errors below when trying to connect with FTPS on ports 21 and 990 going through F5, both using MOVEit Automation and when using WinSCP to connect. Any help would be greatly appreciated!
Using MOVEit Automation
Could not list directory: The connection timed-out. Response: 150 Opening ASCII mode data connection
Session history:
FTP got: XSHA1
FTP got: INTEGRITY
FTP got: HASH
FTP got: CLNT
FTP got: UTF8
FTP got: 211 End of list
FTP snt: OPTS UTF8 ON
FTP got: 200 OPTS command successful
FTP snt: SYST
FTP got: 215 Windows_NT version 5.0 (MOVEit Transfer FTP 15.1.7.116)
FTP snt: PWD
FTP got: 257 "/" is current directory
FTP snt: CWD /
FTP got: 250 CWD command successful
FTP snt: PWD
FTP got: 257 "/" is current directory
FTP snt: PASV
FTP got: 227 Entering Passive Mode (168,166,146,153,74,102)
FTP snt: LIST
FTP got: 150 Opening ASCII mode data connection
Using WinSCP
. 2024-08-06 10:26:40.342 TLS connection established. Waiting for welcome message...
> 2024-08-06 10:26:40.342 USER
. 2024-08-06 10:26:40.342 Read 47 bytes
< 2024-08-06 10:26:40.342 331 Password required for
> 2024-08-06 10:26:40.342 PASS
. 2024-08-06 10:26:40.395 Read 36 bytes
< 2024-08-06 10:26:40.395 230-
. 2024-08-06 10:26:40.458 Read 133 bytes
< 2024-08-06 10:26:40.458 230-All time and date stamps displayed on this site are UTC -5, except time and date stamps recorded during standard time (UTC -6).
. 2024-08-06 10:26:40.458 Read 41 bytes
< 2024-08-06 10:26:40.458 230 User logged in.
> 2024-08-06 10:26:40.458 SYST
. 2024-08-06 10:26:40.458 Read 61 bytes
. 2024-08-06 10:26:40.458 The server is probably running Windows, assuming that directory listing timestamps are affected by DST.
. 2024-08-06 10:26:40.458 IIS detected.
< 2024-08-06 10:26:40.458 215 Windows_NT version 5.0 (MOVEit Transfer FTP 15.1.7.116)
> 2024-08-06 10:26:40.458 FEAT
. 2024-08-06 10:26:40.458 Read 27 bytes
< 2024-08-06 10:26:40.458 211-Extensions supported:
. 2024-08-06 10:26:40.511 Read 12 bytes
< 2024-08-06 10:26:40.511 AUTH SSL
. 2024-08-06 10:26:40.511 Read 14 bytes
< 2024-08-06 10:26:40.527 AUTH TLS-P
. 2024-08-06 10:26:40.527 Read 12 bytes
< 2024-08-06 10:26:40.527 AUTH TLS
. 2024-08-06 10:26:40.527 Read 14 bytes
< 2024-08-06 10:26:40.527 AUTH TLS-C
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527 PROT
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527 PBSZ
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527 SIZE
. 2024-08-06 10:26:40.527 Read 15 bytes
< 2024-08-06 10:26:40.527 REST STREAM
. 2024-08-06 10:26:40.527 Read 10 bytes
< 2024-08-06 10:26:40.527 MODE Z
. 2024-08-06 10:26:40.527 Read 9 bytes
< 2024-08-06 10:26:40.527 XSHA1
. 2024-08-06 10:26:40.527 Read 13 bytes
< 2024-08-06 10:26:40.527 INTEGRITY
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527 HASH
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527 CLNT
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527 UTF8
. 2024-08-06 10:26:40.527 Read 17 bytes
< 2024-08-06 10:26:40.527 211 End of list
> 2024-08-06 10:26:40.527 CLNT WinSCP-release-6.3.3
. 2024-08-06 10:26:40.527 Read 35 bytes
< 2024-08-06 10:26:40.527 213 "WinSCP-release-6.3.3" noted.
> 2024-08-06 10:26:40.527 OPTS UTF8 ON
. 2024-08-06 10:26:40.527 Read 29 bytes
< 2024-08-06 10:26:40.527 200 OPTS command successful
> 2024-08-06 10:26:40.527 PBSZ 0
. 2024-08-06 10:26:40.527 Read 29 bytes
< 2024-08-06 10:26:40.527 200 PBSZ command successful
> 2024-08-06 10:26:40.527 PROT P
. 2024-08-06 10:26:40.527 Read 29 bytes
< 2024-08-06 10:26:40.527 200 PROT command successful
. 2024-08-06 10:26:40.527 Session upkeep
. 2024-08-06 10:26:40.596 Connected
. 2024-08-06 10:26:40.596 Got reply 1 to the command 1
. 2024-08-06 10:26:40.596 Doing startup conversation with host.
> 2024-08-06 10:26:40.612 PWD
. 2024-08-06 10:26:40.612 Read 30 bytes
< 2024-08-06 10:26:40.612 257 "/" is current directory
. 2024-08-06 10:26:40.612 Got reply 1 to the command 16
. 2024-08-06 10:26:40.612 Changing directory to "/".
> 2024-08-06 10:26:40.612 CWD /
. 2024-08-06 10:26:40.612 Read 28 bytes
< 2024-08-06 10:26:40.612 250 CWD command successful
. 2024-08-06 10:26:40.612 Got reply 1 to the command 16
. 2024-08-06 10:26:40.612 Getting current directory name.
> 2024-08-06 10:26:40.612 PWD
. 2024-08-06 10:26:40.612 Read 30 bytes
< 2024-08-06 10:26:40.612 257 "/" is current directory
. 2024-08-06 10:26:40.612 Got reply 1 to the command 16
. 2024-08-06 10:26:40.612 Startup conversation with host finished.
. 2024-08-06 10:26:40.643 Retrieving directory listing...
> 2024-08-06 10:26:40.643 TYPE A
. 2024-08-06 10:26:40.643 Read 29 bytes
< 2024-08-06 10:26:40.643 200 TYPE command successful
> 2024-08-06 10:26:40.643 PASV
. 2024-08-06 10:26:40.643 Read 51 bytes
< 2024-08-06 10:26:40.643 227 Entering Passive Mode
. 2024-08-06 10:26:40.643 Server sent passive reply with unroutable address , using host address instead.
> 2024-08-06 10:26:40.643 LIST
. 2024-08-06 10:26:40.643 Connecting to :62368 ...
. 2024-08-06 10:26:40.643 Connection pending
. 2024-08-06 10:26:40.643 Read 40 bytes
< 2024-08-06 10:26:40.643 150 Opening ASCII mode data connection
. 2024-08-06 10:26:55.132 Timeout detected. (data connection)
. 2024-08-06 10:26:55.132 Data connection failed
. 2024-08-06 10:26:55.132 Connection closed
. 2024-08-06 10:26:55.132 Could not retrieve directory listing
. 2024-08-06 10:26:55.132 Got reply 1004 to the command 2
. 2024-08-06 10:26:55.132 Not waiting for complete TLS shutdown
* 2024-08-06 10:26:55.233 (EFatal) **Lost connection.**
* 2024-08-06 10:26:55.233 Server sent passive reply with unroutable address, using host address instead.
* 2024-08-06 10:26:55.233 Timeout detected. (data connection)
* 2024-08-06 10:26:55.233 Could not retrieve directory listing
* 2024-08-06 10:26:55.233 Error listing directory '/'.
. 2024-08-06 10:27:00.893 Connection closed
- Ryan_Johnson (Employee)
Maybe the FTP server config changed? After an upgrade? Is this a public-facing FTP server? If so, this message
< 2024-08-06 10:26:40.643 227 Entering Passive Mode (10,245,70,193,243,160)
. 2024-08-06 10:26:40.643 Server sent passive reply with unroutable address , using host address instead.
suggests the MoveIT server sent back an internal address (10,245,70,193,243,160 = 10.245.70.193). Can you see if it's configured to send the internal address? It should be sending back the public IP of the virtual server or the DNS/FQDN of the virtual.
Not familiar w/ MoveIT; with proftpd you can solve the problem this way:
http://www.proftpd.org/docs/howto/NAT.html
This issue is also talked about here
https://serverfault.com/questions/591704/proftpd-server-behind-firewall-returns-internal-ip-address
If MoveIT cannot do this, you can have an iRule rewrite the IP in the payload.
Keep in mind that if clients are hitting the same instance of the FTP server not through the F5, when you change the MoveIT config to present another IP, they will get this new IP, which could cause new routing issues.
- mastro244 (Nimbostratus)
Thank you for responding to us, Ryan. Just a little information: we are not on our F5 team. We manage the MOVEit Transfer web farm servers. We did recently upgrade our version of MOVEit Transfer, and it is public facing. We are not certain if something deep in the config files changed, but nothing on the config application has changed. We have contacted our MOVEit support and it's not looking like we can change anything for this on our end. I have let our F5 team know they can write an iRule to rewrite the IP in the payload. But we are being told by them this would not be an option or possible, being that the rule would not trigger because the response is going to the internal address. How would this iRule be written, and where would it be placed in the F5 for it to be triggered to resolve our issue? Any help you can give I will pass along to our F5 team. Really do appreciate the help.
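The two symptoms discussed in this thread (a 227 reply carrying an internal address, and data ports outside the enforced range) can be checked directly from client logs. The following Python is an added example, not code from any poster, F5 or MOVEit; the log lines are copied from the posts above, and `ASSUMED_RANGE` is a placeholder because the thread never states the enforced passive port range.

```python
import ipaddress
import re

# A 227 reply carries (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2 (RFC 959).
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

# Lines taken from the logs on this page; the third has its tuple stripped.
SAMPLE_LINES = [
    "FTP got: 227 Entering Passive Mode (168,166,146,153,74,102)",
    "< 2024-08-06 10:26:40.643 227 Entering Passive Mode (10,245,70,193,243,160)",
    "< 2024-08-06 10:26:40.643 227 Entering Passive Mode",
]

# Placeholder: substitute the passive range actually enforced on the
# virtual server and configured on the FTP server.
ASSUMED_RANGE = (60000, 65000)


def decode_pasv(line):
    """Return (ip, port) from a 227 reply line, or None if absent or invalid."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def audit(lines, port_range):
    """Flag PASV replies that advertise a private IP or an out-of-range port."""
    lo, hi = port_range
    findings = []
    for line in lines:
        decoded = decode_pasv(line)
        if decoded is None:
            continue  # not a PASV reply, or the address was redacted
        ip, port = decoded
        findings.append({
            "ip": ip,
            "port": port,
            "private": ipaddress.ip_address(ip).is_private,
            "port_in_range": lo <= port <= hi,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES, ASSUMED_RANGE):
        print(f)
```

The port decoded from the second reply is the same port WinSCP reports in its "Connecting to :62368" line, which confirms the client fell back to the host address but kept the server-advertised port.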