Forum Discussion
Passive FTP using FTP profile
Did you add the iRule from my example too?
Do you really have destination address set to any?
I would compare my lab config again later today, to see if I did any further "magic" on the vsftp, or maybe I have a setting in my FTP client that is important... I set that up 3 years ago and never touched it since, except for installing Linux updates.
- Daniel_Wolf, Mar 24, 2021, MVP
I checked this further and I cannot find any difference. I checked if I missed something in my vsftpd.conf... nope.
Your VS config seems OK, too. Can you check for the destination 0.0.0.0:0 (any) and the iRule? That seems off....
In my Wireshark capture it looks like this:
vsftp server ----> floating self-IP >> ftp.passive.ip==<IP address of the vsftp server> virtual server ----> client >> ftp.passive.ip==<IP address of the F5 virtual>
So the value for ftp.passive.ip gets updated and replaced properly.
I tried with FileZilla and WinSCP, no special config required there either. Just works.
- PInkFloyd, Mar 25, 2021, Nimbostratus
Yes, I added your iRule.
Are you using a single interface? Is your FTP setup residing on AWS? Because my test lab includes a single interface on the F5 with an EIP (AWS) attached.
So, I realized that the FTP profile is only translating the IP address configured as pasv_address on the FTP server to the address configured on the VIP as "destination address" when no pasv_address is configured in the FTP server, or when it is configured pointing to the public IP of the FTP server, or when it is configured using a private IP address; but if pasv_address is manually configured to be the public IP address of the F5, nothing is translated and the client receives:
421 Service not available, remote server has closed connection Passive mode refused.
But, if I leave the FTP server pasv_address option pointing to the public IP address of the F5, remove the FTP profile on the VIP and change the service port to "all ports", it works perfectly.
So, it seems to me (maybe I'm completely wrong) that the FTP profile is unable to translate the received pasv_address (no matter what is received) to the public IP that the F5 has been assigned for AWS (EIP).
Make sense?
- Daniel_Wolf, Mar 25, 2021, MVP
D'oh! My head just crashed on my desk. I missed the obvious because I didn't pay attention to the specifics of AWS. Yes... totally makes sense.
I am not even sure if having a second interface would help solve the issue, because the virtual IP is always a private IP address. The NAT is done outside the BIG-IP, in AWS, as far as I know. Whatever address the FTP profile would add or replace, it would not be the public IP.
Also I don't see a way to work around this with an iRule.
- PInkFloyd, Mar 25, 2021, Nimbostratus
You are right, NAT is done outside BIG-IP at the AWS level.
I've found an iRule here in the forum that is used to preserve the ephemeral ports on passive FTP ( https://clouddocs.f5.com/api/irules/Passive-FTP-Preserve-Pool-Member-Ephemeral-Port.html ) and I changed it to always send the public IP address assigned to the F5 by AWS. Doing this, the client receives the correct IP to connect, bypassing whatever translation the FTP profile tries to make.
Anyway, it doesn't work: the client receives "227 connection to {{aws public ip. ephemeral ports}}" (I've checked that the FTP server really sent those), but the connection died there....
I'm really stuck with this. I will keep you posted if I find something, but I'm not seeing another option than contacting F5 and checking if they have a workaround for this.
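To make the PASV rewrite discussed in this thread concrete, here is an added Python illustration (not code from the thread, from F5, or from the linked iRule) of what the FTP profile or the modified iRule has to do to a server's 227 reply: keep the ephemeral port the server chose and swap the advertised address for the one the client can actually reach. The sample reply, the private server address 10.0.1.25 and the advertised address 203.0.113.10 are constructed values standing in for the vsftpd server and the AWS EIP.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: what a vsftpd server behind the BIG-IP sends when
# pasv_address is left unset, i.e. its own private address and an ephemeral port.
SAMPLE_REPLY = "227 Entering Passive Mode (10,0,1,25,195,88)\r\n"

# RFC 959 PASV reply: six decimal byte values, four for the host, two for the port.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass
class PasvEndpoint:
    host: str
    port: int


def parse_pasv(reply: str) -> PasvEndpoint:
    """Extract host and port from a 227 reply; reject anything else (e.g. a 421)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV 227 reply: {reply!r}")
    values = [int(v) for v in m.groups()]
    if any(v > 255 for v in values):
        raise ValueError("octet or port byte out of range")
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return PasvEndpoint(host, port)


def rewrite_pasv(reply: str, advertised_ip: str) -> str:
    """Return the 227 reply with the address replaced by advertised_ip.

    The ephemeral port is preserved, which is the point of the ephemeral-port
    iRule: the data connection must still land on the port the server opened.
    """
    ep = parse_pasv(reply)
    ip = ipaddress.IPv4Address(advertised_ip)  # raises on a malformed address
    p1, p2 = divmod(ep.port, 256)
    octets = str(ip).replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{p1},{p2})\r\n"
```

Note that even with a correct 227 reply, the client's data connection to that ephemeral port still needs a listener on the BIG-IP for it, which is why the thread observes that a virtual server on port 21 alone does not carry it while "all ports" does.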