Forum Discussion
Passive FTP
I have two servers behind the F5 with ports 4021 and 4022 configured for FTP.
The VIP is configured with port 21.
When I try to get onto the servers (port 4022) directly using the FTP credentials, I am able to log in and retrieve the directory.
But when I go through the F5, I am able to log in but not able to retrieve the directory.
I have configured the FTP profile with Data port as 0.
I see an error saying "failed to retrieve directory listing" after I am logged into the server.
Can anyone suggest what configuration has to be done on the F5 in this case?
- mroark_150398 (Nimbostratus)
I'm getting the same error. Did you find a resolution?
- Rick_Wiers_9833 (Historic F5 Account)
I apologize. I am not able to find the resolution. I will be sure to update DevCentral next time this occurs.
- Christopher_Ach (Nimbostratus)
Hi Guys
We had a similar error and it was determined to be a passive FTP bug in the TMOS code. What code are you running?
Are you sure you're hitting the F5 with a passive FTP request? Are you sure you have the FTP server configured to accept passive FTP?
Chris
- mroark_150398 (Nimbostratus)
We are running BIG-IP 11.3.0 Build 3144.0 Hotfix HF8.
I have two nodes in the FTP virtual server; one of them works fine, but the other node will not accept a connection. Our Sterling Integrator admin opened a case with IBM and they said it was the configuration on the F5, since we can connect to it directly. I think it is the configuration on the server. I will have them verify that the server is accepting passive connections. Is there a way to get traces or logs from the FTP that would give me a case to take back to the IBM guys?
- Nate_7016 (Historic F5 Account)
Make sure that you can FTP to the non-working node from the F5 command line on the port that it should be listening on. Also, in your FTP profile I would suggest a port of something other than 0 so it will be able to handle the return portion better.
- Christopher_Ach (Nimbostratus)
We support passive and active FTP, and we have a standard FTP VIP listening on 21 with an FTP ALG profile with a "0" in it.
- Christopher_Ach (Nimbostratus)
Here is the full VIP dump from Production (partially edited)
(cfg-sync In Sync)(/S2-green-P:Active)(/Common)(tmos) list ltm virtual VIP-FTP-0.0.0.0
ltm virtual VIP-FTP-0.0.0.0 {
    destination any:ftp
    ip-protocol tcp
    mask any
    persist {
        source_addr_10min {
            default yes
        }
    }
    pool XXX
    profiles {
        ftp { }
        tcp { }
    }
    rules { }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans { }
    vlans-enabled
    vs-index 59
}
Here is all properties (partially edited)
(cfg-sync In Sync)(/S2-green-P:Active)(/Common)(tmos) list ltm virtual VIP-FTP-0.0.0.0 all-properties
ltm virtual VIP-FTP-0.0.0.0 {
    app-service none
    auth none
    auto-lasthop default
    bwc-policy none
    clone-pools none
    cmp-enabled yes
    connection-limit 0
    description none
    destination any:ftp
    enabled
    fallback-persistence none
    gtm-score 0
    ip-protocol tcp
    last-hop-pool none
    mask any
    metadata none
    mirror disabled
    mobile-app-tunnel disabled
    nat64 disabled
    partition Common
    persist {
        source_addr_10min {
            default yes
        }
    }
    policies none
    pool XXX
    profiles {
        ftp {
            context all
        }
        tcp {
            context all
        }
    }
    rate-class none
    rate-limit disabled
    rate-limit-dst-mask 0
    rate-limit-mode object
    rate-limit-src-mask 0
    related-rules none
    security-log-profiles none
    source 0.0.0.0/0
    source-address-translation {
        pool none
        type none
    }
    source-port preserve
    syn-cookie-status not-activated
    traffic-classes none
    translate-address disabled
    translate-port disabled
    vlans { }
    vlans-enabled
    vs-index 59
}
Here is the FTP Profile
(cfg-sync In Sync)(/S2-green-P:Active)(/Common)(tmos) list ltm profile ftp all-properties
ltm profile ftp ftp {
    app-service none
    defaults-from none
    description none
    inherit-parent-profile disabled
    partition Common
    port any
    security disabled
    translate-extended enabled
}
- Christopher_Ach (Nimbostratus)
The 2 passive FTP bugs that we encountered were as follows:
- ID398593: FTP Route pool failover does not work
- ID399825: passive ftp will not work on a no-translate VS with a gw pool
They have been fixed in 11.2.1 HF6 by the look of it
http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13974.html
Also looks fixed in 11.3.0
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-4-0.html
- Nate_7016 (Historic F5 Account)
The configuration looks fine from what I can see (unless you have your pool members on a port other than 21). I would try connecting from the F5 command line to the pool member via FTP and see what it does. If you aren't running a standard FTP port on the server, then you will want to enable port translation on the virtual server.
As for the data port 0 vs. specifying one: the data port of 0 does work and is designed for use with dynamic data channel traffic. I wasn't saying that it won't work; I was merely suggesting that if it was configured that way, to try and change it. Sometimes the firewall guys modify stuff, and when it comes back on a port that they don't expect, then it gets blocked. This SOL has some good data about it.
https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6557.html?sr=38418318
- Christopher_Ach (Nimbostratus)
Are you able to post the config of the FTP VIP?
Do you have a TCP monitor enabled on the VIP that is marking both pool members as UP? How are the pool members configured? Are they round robin or least connections, or do you have a ratio or priority set?
If you have access to the command line and you understand the VLANs, then you could do a tcpdump on the ingress and egress VLANs. Do you know how the traffic is flowing?
Are you source NATing the traffic, or is it passthrough?
You can also do a generic tcpdump, but you have to be careful. Is the box in production?
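The two suggestions above (Nate's point that a non-standard server port needs port translation and that a fixed data port can be easier for the firewall to allow, and Christopher's tcpdump on the ingress and egress VLANs) both come down to one question: what address and port does the 227 reply advertise once it leaves the F5? The following is an added example, not code from the thread or from F5. It parses the RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and RFC 2428 "229 (|||port|)" replies as a client would, models the one rewrite an FTP ALG has to make on that reply (a deliberately simplified model; BIG-IP's actual FTP profile behaviour is not reproduced), and checks a reply pulled from a capture for the symptom in this thread: login succeeds, but the directory listing fails because the client dials an address the ALG never translated. The addresses 192.0.2.10 (VIP) and 10.1.1.5 (backend) and the function and parameter names are constructed for the example.

```python
"""Parse, rewrite and sanity-check FTP passive-mode replies.

Constructed example (not from the DevCentral thread or F5). Models the
rewrite an FTP ALG performs on the server's 227 reply and checks a captured
reply for the "login works, LIST fails" symptom.
"""
import re

# RFC 959 4.1.2: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428: 229 Entering Extended Passive Mode (|||tcp-port|); no address,
# the client reuses the control-channel peer
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line, control_peer):
    """Return (ip, port) the client will dial for the data connection.

    control_peer is the address the client opened the control channel to
    (the VIP when going through the load balancer); it is only needed for
    EPSV replies, which carry no address.
    """
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            raise ValueError("octet out of range in PASV reply: %r" % line)
        ip = ".".join(str(f) for f in fields[:4])
        return ip, fields[4] * 256 + fields[5]
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in EPSV reply: %r" % line)
        return control_peer, port
    raise ValueError("not a passive-mode reply: %r" % line)


def format_pasv_reply(ip, port):
    """Build a 227 reply advertising ip:port (inverse of parse_passive_reply)."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


def alg_rewrite(server_reply, vip, vip_data_port=0):
    """Simplified model of what an FTP ALG does with the server's 227 reply.

    The server advertises its own address (the 10.x node) and an ephemeral
    port. The ALG substitutes the VIP address so the client's data connection
    comes back through the load balancer. With vip_data_port 0 (dynamic, as
    in the thread's profile) the server's ephemeral port is kept; a non-zero
    value advertises that fixed port instead. Hypothetical parameter names.
    """
    _, server_port = parse_passive_reply(server_reply, vip)
    return format_pasv_reply(vip, vip_data_port or server_port)


def diagnose_passive_reply(control_peer, reply):
    """Check one captured 227/229 line for the thread's symptom.

    If the advertised data address differs from the address the client
    connected to, the client dials the backend (or an unroutable address)
    directly: login on the control channel succeeds, LIST then fails.
    """
    ip, port = parse_passive_reply(reply, control_peer)
    if ip != control_peer:
        return ("mismatch: data channel advertised as %s:%d but control "
                "channel went to %s (reply not translated)"
                % (ip, port, control_peer))
    return "ok: data channel %s:%d matches control peer" % (ip, port)


# Constructed sample: the backend 10.1.1.5 (FTP on 4022) answers PASV with
# its own address; the client reached the VIP 192.0.2.10 on port 21.
SERVER_REPLY = "227 Entering Passive Mode (10,1,1,5,156,34)\r\n"
VIP = "192.0.2.10"

if __name__ == "__main__":
    print(diagnose_passive_reply(VIP, SERVER_REPLY))
    fixed = alg_rewrite(SERVER_REPLY, VIP)
    print(fixed.strip(), "->", diagnose_passive_reply(VIP, fixed))
```

To use it against a real session, take the 227 line from the client side of a capture (or from an `ftp -v` transcript) and pass it to `diagnose_passive_reply` together with the VIP address; a 229 reply from a server that prefers EPSV is handled too. The rewrite model also shows why a fixed data port in the profile is easier for a firewall to allow: the port advertised to the client is then constant rather than the server's ephemeral choice.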