Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

PInkFloyd's avatar
PInkFloyd
Icon for Nimbostratus rankNimbostratus
Mar 23, 2021

Passive FTP using FTP profile

Hi Community,   I have an F5 Big-IP 16.0.1.1 running on AWS with a FTP server behind running vsftpd. The idea is balance passive ftp publically. So, clients should hit public IP of the F5 for pa...
aws
big-ip
cloud
ftp
passive
profile
security
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Mar 24, 2021

I checked this further and I cannot find any difference. I checked if I missed something in my vsftpd.conf... nope.

Your VS config seems OK, too. Can you check for the destination 0.0.0.0:0 (any) and the iRule? That seems off....

In my Wireshark capture it looks like this:

vsftp server ----> floating self-IP >> ftp.passive.ip==<IP address of the vsftp server>
virtual server ----> client >> ftp.passive.ip==<IP address of the F5 virtual>

So the value for ftp.passive.ip get's updated and replaced properly.

I tried with FileZilla and WinSCP, no special config required there either. Just works.

PInkFloyd's avatar
PInkFloyd
Icon for Nimbostratus rankNimbostratus
Mar 25, 2021

you are right, Nat is done outside Big-ip at AWS level.

 

i've found an IRULE here in the forum that is used to preserve the ephemeral ports on passive FTP ( https://clouddocs.f5.com/api/irules/Passive-FTP-Preserve-Pool-Member-Ephemeral-Port.html ) and I changed it to always send the Public IP address assigned to the F5 By aws, doing this the client receives the correct IP to connect, bypassing whatever translation that ftp profile tries to make.

Anyway, it doesnt work, the client receives "227 connection to {{aws public ip. ephemeral ports}} (i've checked that the ftp server really sent those) , but the connection died there....

I'm really stuck with this, I will keep you posted if i found something, but i'm not seeing another option that contacts F5 and check if they have a workaround for this.