Forum Discussion

mastro244
Aug 07, 2024

Having issues getting FTPS server load balanced

We had the same issue as this link FTPS Load-balancing Problem | DevCentral (f5.com)

Then our issue was resolved using this link Configuring passthrough FTPS load balancing (f5.com)

This worked for a period of time, and now our issues are back, and it's intermittent. Ports are not using the enforced port range on F5, and we are getting the errors below when trying to connect with FTPS on ports 21 and 990 going through F5, using MOVEit Automation and when using WinSCP to connect. Any help would be greatly appreciated!


Using MOVEit Automation

Could not list directory: The connection timed-out. Response: 150 Opening ASCII mode data connection

Session history:

FTP got:   XSHA1

FTP got:   INTEGRITY

FTP got:   HASH

FTP got:   CLNT

FTP got:   UTF8

FTP got: 211 End of list

FTP snt: OPTS UTF8 ON

FTP got: 200 OPTS command successful

FTP snt: SYST

FTP got: 215 Windows_NT version 5.0 (MOVEit Transfer FTP 15.1.7.116)

FTP snt: PWD

FTP got: 257 "/" is current directory

FTP snt: CWD /

FTP got: 250 CWD command successful

FTP snt: PWD

FTP got: 257 "/" is current directory

FTP snt: PASV

FTP got: 227 Entering Passive Mode (168,166,146,153,74,102)

FTP snt: LIST

FTP got: 150 Opening ASCII mode data connection


Using WinSCP

. 2024-08-06 10:26:40.342 TLS connection established. Waiting for welcome message...
> 2024-08-06 10:26:40.342 USER 
. 2024-08-06 10:26:40.342 Read 47 bytes
< 2024-08-06 10:26:40.342 331 Password required for 
> 2024-08-06 10:26:40.342 PASS 
. 2024-08-06 10:26:40.395 Read 36 bytes
< 2024-08-06 10:26:40.395 230-
. 2024-08-06 10:26:40.458 Read 133 bytes
< 2024-08-06 10:26:40.458 230-All time and date stamps displayed on this site are UTC -5, except time and date stamps recorded during standard time (UTC -6).
. 2024-08-06 10:26:40.458 Read 41 bytes
< 2024-08-06 10:26:40.458 230 User logged in.
> 2024-08-06 10:26:40.458 SYST
. 2024-08-06 10:26:40.458 Read 61 bytes
. 2024-08-06 10:26:40.458 The server is probably running Windows, assuming that directory listing timestamps are affected by DST.
. 2024-08-06 10:26:40.458 IIS detected.
< 2024-08-06 10:26:40.458 215 Windows_NT version 5.0 (MOVEit Transfer FTP 15.1.7.116)
> 2024-08-06 10:26:40.458 FEAT
. 2024-08-06 10:26:40.458 Read 27 bytes
< 2024-08-06 10:26:40.458 211-Extensions supported:
. 2024-08-06 10:26:40.511 Read 12 bytes
< 2024-08-06 10:26:40.511   AUTH SSL
. 2024-08-06 10:26:40.511 Read 14 bytes
< 2024-08-06 10:26:40.527   AUTH TLS-P
. 2024-08-06 10:26:40.527 Read 12 bytes
< 2024-08-06 10:26:40.527   AUTH TLS
. 2024-08-06 10:26:40.527 Read 14 bytes
< 2024-08-06 10:26:40.527   AUTH TLS-C
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527   PROT
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527   PBSZ
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527   SIZE
. 2024-08-06 10:26:40.527 Read 15 bytes
< 2024-08-06 10:26:40.527   REST STREAM
. 2024-08-06 10:26:40.527 Read 10 bytes
< 2024-08-06 10:26:40.527   MODE Z
. 2024-08-06 10:26:40.527 Read 9 bytes
< 2024-08-06 10:26:40.527   XSHA1
. 2024-08-06 10:26:40.527 Read 13 bytes
< 2024-08-06 10:26:40.527   INTEGRITY
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527   HASH
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527   CLNT
. 2024-08-06 10:26:40.527 Read 8 bytes
< 2024-08-06 10:26:40.527   UTF8
. 2024-08-06 10:26:40.527 Read 17 bytes
< 2024-08-06 10:26:40.527 211 End of list
> 2024-08-06 10:26:40.527 CLNT WinSCP-release-6.3.3
. 2024-08-06 10:26:40.527 Read 35 bytes
< 2024-08-06 10:26:40.527 213 "WinSCP-release-6.3.3" noted.
> 2024-08-06 10:26:40.527 OPTS UTF8 ON
. 2024-08-06 10:26:40.527 Read 29 bytes
< 2024-08-06 10:26:40.527 200 OPTS command successful
> 2024-08-06 10:26:40.527 PBSZ 0
. 2024-08-06 10:26:40.527 Read 29 bytes
< 2024-08-06 10:26:40.527 200 PBSZ command successful
> 2024-08-06 10:26:40.527 PROT P
. 2024-08-06 10:26:40.527 Read 29 bytes
< 2024-08-06 10:26:40.527 200 PROT command successful
. 2024-08-06 10:26:40.527 Session upkeep
. 2024-08-06 10:26:40.596 Connected
. 2024-08-06 10:26:40.596 Got reply 1 to the command 1
. 2024-08-06 10:26:40.596 Doing startup conversation with host.
> 2024-08-06 10:26:40.612 PWD
. 2024-08-06 10:26:40.612 Read 30 bytes
< 2024-08-06 10:26:40.612 257 "/" is current directory
. 2024-08-06 10:26:40.612 Got reply 1 to the command 16
. 2024-08-06 10:26:40.612 Changing directory to "/".
> 2024-08-06 10:26:40.612 CWD /
. 2024-08-06 10:26:40.612 Read 28 bytes
< 2024-08-06 10:26:40.612 250 CWD command successful
. 2024-08-06 10:26:40.612 Got reply 1 to the command 16
. 2024-08-06 10:26:40.612 Getting current directory name.
> 2024-08-06 10:26:40.612 PWD
. 2024-08-06 10:26:40.612 Read 30 bytes
< 2024-08-06 10:26:40.612 257 "/" is current directory
. 2024-08-06 10:26:40.612 Got reply 1 to the command 16
. 2024-08-06 10:26:40.612 Startup conversation with host finished.
. 2024-08-06 10:26:40.643 Retrieving directory listing...
> 2024-08-06 10:26:40.643 TYPE A
. 2024-08-06 10:26:40.643 Read 29 bytes
< 2024-08-06 10:26:40.643 200 TYPE command successful
> 2024-08-06 10:26:40.643 PASV
. 2024-08-06 10:26:40.643 Read 51 bytes
< 2024-08-06 10:26:40.643 227 Entering Passive Mode
. 2024-08-06 10:26:40.643 Server sent passive reply with unroutable address , using host address instead.
> 2024-08-06 10:26:40.643 LIST
. 2024-08-06 10:26:40.643 Connecting to :62368 ...
. 2024-08-06 10:26:40.643 Connection pending
. 2024-08-06 10:26:40.643 Read 40 bytes
< 2024-08-06 10:26:40.643 150 Opening ASCII mode data connection
. 2024-08-06 10:26:55.132 Timeout detected. (data connection)
. 2024-08-06 10:26:55.132 Data connection failed
. 2024-08-06 10:26:55.132 Connection closed
. 2024-08-06 10:26:55.132 Could not retrieve directory listing
. 2024-08-06 10:26:55.132 Got reply 1004 to the command 2
. 2024-08-06 10:26:55.132 Not waiting for complete TLS shutdown
* 2024-08-06 10:26:55.233 (EFatal) **Lost connection.**
* 2024-08-06 10:26:55.233 Server sent passive reply with unroutable address, using host address instead.
* 2024-08-06 10:26:55.233 Timeout detected. (data connection)
* 2024-08-06 10:26:55.233 Could not retrieve directory listing
* 2024-08-06 10:26:55.233 Error listing directory '/'.
. 2024-08-06 10:27:00.893 Connection closed

  • Maybe the FTP server config changed? After an upgrade? Is this a public-facing FTP server? If so, this message

    < 2024-08-06 10:26:40.643 227 Entering Passive Mode (10,245,70,193,243,160)
    . 2024-08-06 10:26:40.643 Server sent passive reply with unroutable address , using host address instead.

    Suggests the MoveIT server sent back an internal address (10,245,70,193,243,160 = 10.245.70.193). Can you see if it's configured to send the internal address? It should be sending back the public IP of the virtual server, or the DNS name/FQDN of the virtual.

    Not familiar with MoveIT; with proftpd you can solve the problem this way:
    http://www.proftpd.org/docs/howto/NAT.html

    This issue is also talked about here
    https://serverfault.com/questions/591704/proftpd-server-behind-firewall-returns-internal-ip-address

    If MoveIT cannot do this, you can have an iRule rewrite the IP in the payload.

    Keep in mind, if clients are hitting the same instance of the FTP server not through the F5, then when you change the MoveIT config to present another IP, they will get this new IP, which could cause new routing issues.
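    The diagnosis above rests on decoding the 227 reply: the six numbers are h1,h2,h3,h4 (the address) and p1,p2 (port = p1*256 + p2). Because a passthrough FTPS deployment carries the control channel inside TLS, the load balancer never sees that reply, so the only places to catch a bad advertisement are the server configuration and the client's own transcript. The following Python script is an added example, not code from this thread, from F5 or from MOVEit. It parses 227 replies from a control-channel log, flags addresses that are not globally routable (RFC 1918 and similar) and ports outside an enforced passive range. The 60000-65000 port range is an assumed value standing in for whatever the F5 enforces; the two 227 tuples in the sample log are the ones quoted in this thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Six decimal numbers in parentheses, as in the RFC 959 reply
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(
    r"\b227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Assumed passive port range enforced on the load balancer (placeholder value).
ASSUMED_ENFORCED_PORTS = range(60000, 65001)


@dataclass
class PasvReply:
    address: Optional[ipaddress.IPv4Address]  # None if the reply carried no tuple
    port: Optional[int]
    routable: bool           # False for RFC 1918, loopback, link-local, etc.
    in_expected_range: bool  # True if the port lies inside the enforced range


def parse_pasv(reply: str, expected_ports: range) -> PasvReply:
    """Decode one 227 reply into the data-channel endpoint the client will dial."""
    m = _PASV_RE.search(reply)
    if m is None:
        # A 227 line whose tuple is missing (or was redacted) lands here.
        return PasvReply(None, None, False, False)
    octets = [int(x) for x in m.groups()]
    if any(v > 255 for v in octets):
        raise ValueError(f"malformed PASV tuple: {reply!r}")
    addr = ipaddress.IPv4Address(".".join(str(v) for v in octets[:4]))
    port = octets[4] * 256 + octets[5]  # p1*256 + p2, per RFC 959
    return PasvReply(addr, port, addr.is_global, port in expected_ports)


def audit_session(lines: List[str], expected_ports: range) -> List[str]:
    """Scan a control-channel transcript and report every passive-mode reply
    that would send the client somewhere the load balancer cannot serve."""
    findings = []
    for ln in lines:
        if "Entering Passive Mode" not in ln:
            continue
        r = parse_pasv(ln, expected_ports)
        if r.address is None:
            findings.append("227 reply without an address/port tuple")
            continue
        if not r.routable:
            findings.append(f"non-routable PASV address {r.address}:{r.port} "
                            "(server advertises its internal IP)")
        if not r.in_expected_range:
            findings.append(f"PASV port {r.port} outside enforced range "
                            f"{expected_ports.start}-{expected_ports.stop - 1}")
    return findings


# Constructed sample transcript; the tuples are the two quoted in this thread.
SAMPLE_LOG = [
    "FTP snt: PASV",
    "FTP got: 227 Entering Passive Mode (168,166,146,153,74,102)",
    "< 2024-08-06 10:26:40.643 227 Entering Passive Mode (10,245,70,193,243,160)",
    "< 2024-08-06 10:26:40.643 227 Entering Passive Mode",
    ". 2024-08-06 10:26:40.643 Read 51 bytes",
]

if __name__ == "__main__":
    for finding in audit_session(SAMPLE_LOG, ASSUMED_ENFORCED_PORTS):
        print(finding)
```

    Run against a WinSCP or MOVEit Automation session log, the script separates the two symptoms described in this thread: an internal address in the tuple (the client will dial a 10.x.x.x host that is unreachable from the internet) and a port that falls outside the range the load balancer opens for data connections (the connection is dropped even when the address is right). The public tuple from the MOVEit Automation log decodes to port 19046, and the internal one quoted above to port 62368, which is exactly the port WinSCP reports it is "Connecting to".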

    • mastro244

      Thank you for responding to us, Ryan. Just a little information: we are not on our F5 team. We manage the MOVEit Transfer web farm servers. We did recently upgrade our version of MOVEit Transfer, and it is public facing. We are not certain if something deep in the config files changed, but nothing in the config application has changed. We have contacted MOVEit support, and it's not looking like we can change anything for this on our end. I have let our F5 team know they can write an iRule to rewrite the IP in the payload. But we are being told by them this would not be an option or possible, since the rule would not trigger because the response is going to the internal address. How would this iRule be written, and where would it be placed in the F5 for it to be triggered to resolve our issue? Any help you can give I will pass along to our F5 team. Really do appreciate the help.