Passive FTP

I'm getting the same error did you find a resolution?

I apologize .. I am not able to find the resolution. I will be sure to update DevCentral next time this occurs.

Hi Guys

We had a similar error and it was determined to be a passive FTP bug in the TMOS code. What code are you running?

Are you sure your hitting the F5 with Passive FTP request? Are you sure you have the FTP server configured to accept passive FTP.

Chris

We are running BIG-IP 11.3.0 Build 3144.0 Hotfix HF8

I have two nodes in the FTP virtual server, one of them works fine, but the other node will not accept a connection. Our Sterling Integrator admin opened up a case with IBM and they said it was the configuration on the f5 since we can connect to it directly. I think it his is the configuration on the server. I will have them verify that the server is accepting passive connection. is there a way to get traces or logs from the ftp that would give me a case to take back to the IBM guys?

Make sure that you can ftp to the non working node from the f5 command line on the port that it should be listening on. Also, in your ftp profile I would suggest a port of something other than 0 so it will be able to handle the return portion better.

We support Passive and Active FTP and we have a standard FTP VIP listening on 21 with a FTP ALG profile with a "0" in it.

Here is the full VIP dump from Production (partially editied)

(cfg-sync In Sync)(/S2-green-P:Active)(/Common)(tmos) list ltm virtual VIP-FTP-0.0.0.0 ltm virtual VIP-FTP-0.0.0.0 { destination any:ftp ip-protocol tcp mask any persist { source_addr_10min { default yes } } pool XXX profiles { ftp { } tcp { } } rules { } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { } vlans-enabled vs-index 59 }

Here is all properties (partially edited)

(cfg-sync In Sync)(/S2-green-P:Active)(/Common)(tmos) list ltm virtual VIP-FTP-0.0.0.0 all-properties ltm virtual VIP-FTP-0.0.0.0 { app-service none auth none auto-lasthop default bwc-policy none clone-pools none cmp-enabled yes connection-limit 0 description none destination any:ftp enabled fallback-persistence none gtm-score 0 ip-protocol tcp last-hop-pool none mask any metadata none mirror disabled mobile-app-tunnel disabled nat64 disabled partition Common persist { source_addr_10min { default yes } } policies none pool XXX profiles { ftp { context all } tcp { context all } } rate-class none rate-limit disabled rate-limit-dst-mask 0 rate-limit-mode object rate-limit-src-mask 0 related-rules none security-log-profiles none source 0.0.0.0/0 source-address-translation { pool none type none } source-port preserve syn-cookie-status not-activated traffic-classes none translate-address disabled translate-port disabled vlans { } vlans-enabled vs-index 59 }

Here is the FTP Profile

(cfg-sync In Sync)(/S2-green-P:Active)(/Common)(tmos) list ltm profile ftp all-properties ltm profile ftp ftp { app-service none defaults-from none description none inherit-parent-profile disabled partition Common port any security disabled translate-extended enabled }

The 2 Passive FTP bugs that we encountered where as follows

1. - ID398593: FTP Route pool failover does not work
2. - ID399825: passive ftp will not work on a no-translate VS with a gw pool

They have been fixed in 11.2.1 HF6 by the look of it

http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13974.html

Also looks fixed in 11.3.0

http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-4-0.html

The configuration looks fine from what I can see (unless you have your pool members on a port other than 21). I would try connecting from the F5 command line to the pool member via FTP and see what it does. If you aren't running a standard ftp port on the server then you will want to enable port translation on the virtual server.

As for the data port 0 vs. specifying one the data port of 0 does work and is designed for use with dynamic data channel traffic. I wasn't saying that it won't work but I was merely suggesting that if it was configured that way to try and change it. Sometimes the firewall guys modify stuff and when it comes back on a port that they don't expect then it gets blocked. This SOL has some good data about it.

https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6557.html?sr=38418318

Are you able to post the config on the FTP VIP?

Do you have a TCP monitor that is enabled on the VIP and marking the both Pool members as UP? How are the Pool members configured? Are they Round Robin or least conns, or do you have a ratio or priority set?

If you have access to the command line and you understood the vlan's then you could do a TCPDUMP on the ingress and egress vlans. Do you know how the traffic is flowing?

Are you source natting the traffic of passthough?

You can also do a generic TCPDUMP but you have to be careful, is the box in production?