FTPS Offload via iRules
Hello guys,
I'm having a problem implementing the FTPS offload. The problem I have regards the data channel (the third virtual server). The control channel is working perfectly. Below is the issue:
When the client opens the data channel, I see the SSL handshake done on the client side. Right after, on the server side, I see that the server sends the full response listing the "/" directory. The server also logs ' Successfully transferred "/" '. After that, on the client side, I see in the FTP client log:
Response: 150 Opening data channel for directory listing of "/"
Response: 226 Successfully transferred "/"
Error: Failed to retrieve directory listing
Response: 421 Connection timed out.
Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
Error: Disconnected from server e
The only issue seems to be related to the way the BIG-IP closes the SSL connection.
I then took two pcaps, one going through the BIG-IP (non-working scenario) and another pcap where the connection goes directly 'client'<->'ftps server' (working scenario), and I have noticed the following difference:
In the working scenario, the server sends an SSL packet "Encrypted Alert" right before sending the [FIN-ACK]. The client then sends the same SSL packet "Encrypted Alert" back to the server and closes the TCP connection.
On the other hand, in the non-working scenario, the BIG-IP directly closes the TCP connection and does not send the SSL packet "Encrypted Alert".
Do you have any idea of how I could resolve this issue?
Many thanks,
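
Added example, not part of the original post: a Python check for the difference described in the two captures, namely whether the last TLS record a peer sent before its FIN is an alert (content type 21, which Wireshark labels "Encrypted Alert"). It assumes TLS 1.2 or earlier and one direction of the TCP stream already reassembled into bytes; the sample streams and function names are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

def record_types(stream: bytes):
    """Return (content types of complete records, True if the stream ends mid-record)."""
    types, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            return types, True              # record header cut short
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if not 20 <= ctype <= 23 or version >> 8 != 3:
            raise ValueError(f"offset {off}: not a TLS record header")
        if off + 5 + length > len(stream):
            return types, True              # record body cut short
        types.append(ctype)
        off += 5 + length
    return types, False

def classify_close(stream: bytes) -> str:
    """Classify how one side ended its TLS stream before the TCP FIN."""
    types, truncated = record_types(stream)
    if truncated:
        return "truncated-record"
    # The alert body is encrypted, so only its presence is visible here,
    # not whether it is close_notify or a fatal alert.
    if types and types[-1] == ALERT:
        return "alert-before-fin"
    return "fin-without-alert"

def _record(ctype: int, body_len: int) -> bytes:
    """Build a constructed TLS 1.2 record with an opaque (encrypted) body."""
    return struct.pack("!BHH", ctype, 0x0303, body_len) + bytes(body_len)

# Constructed sender-to-client byte streams, reassembled up to the TCP FIN.
DIRECT = _record(APPLICATION_DATA, 120) + _record(ALERT, 26)   # working scenario
VIA_PROXY = _record(APPLICATION_DATA, 120)                     # non-working scenario

if __name__ == "__main__":
    for name, stream in (("direct", DIRECT), ("via proxy", VIA_PROXY)):
        print(f"{name}: {classify_close(stream)}")
```

A "fin-without-alert" result on the data channel matches the client's "TLS connection was non-properly terminated" error: the listing arrived, but the sender closed TCP without a closing alert record.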