Setting up a balanced FTP pool with bypassed data traffic

Alejandroid_114
Nimbostratus

Hi,

We at the company are struggling to set up a load-balanced FTP service where the FTP data channel should, if possible, bypass the load balancer.

So far we have tried various different configurations, but without reaching the goal, hence this request for your support.

First some background on the applications and network layout:

We have one node which is recording live video multicast streams off the network; hereafter this node is referred to as the WTV node.

We have 4 FTP server nodes, hereafter named FTP01, FTP02, FTP03 and FTP04, or "FTP servers/FTP nodes/FTP service" collectively.

We have a BIG-IP 4200 running BIG-IP 11.2.1 Build 807.0 Hotfix HF1.

Note that the WTV node and the FTP servers are all on the same subnet/VLAN.

The overall target is, using the BIG-IP, to balance the FTP sessions from WTV across the 4 FTP servers. In addition, we want the data channel of FTP to bypass the BIG-IP to optimize throughput and lower the load on the BIG-IP.

For each multicast stream that the WTV node is recording, it sets up an active FTP session (acting as FTP client) towards the FTP server.

Since the multicast streams "start and stop" as per a regular broadcast TV schedule and each stream represents 1 TV channel, it is common that several FTP sessions are set up in parallel at the same point in time, i.e. when a new program starts on several channels at the same timestamp.

So far we have experimented with the following main steps:

- Configured a pool with the FTP servers.

- Configured nPath Routing using the document at http://www.f5.com/pdf/deployment-guides/npath-iapp-dg.pdf

- Configured an additional loopback interface on each of the FTP servers with the same IP address as the virtual server VIP. Also described here:
  http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-2-1/6.html?sr=26599217

Having done the above, we have done some tests from another client (also on the same VLAN), and the FTP service seems to work but with one main issue: when opening several connections from the same client at about the same time (as would be the case with the real WTV node), all connections end up on the same FTP server, i.e. the load is not balanced.

We were guessing this was because the ARP table was populated after the first connection, and for the other sessions that were set up in about the same timeframe, the ARP table resolved to the same FTP server MAC.

Hence we tried applying the following steps:

- Disabling ARP responses being sent by the FTP servers through the following commands (on Red Hat EL) executed on the pool members:
  arptables -A IN -d -j DROP
  arptables -A OUT -s -j mangle --mangle-ip-s
  service arptables_jf save; chkconfig --level 2345 arptables_jf on
  service arptables_jf restart

However, after this the data channel cannot be established. The FTP control channel (port 21) is still working, but when the data channel is being established we observed the following:

a) The FTP server sends a SYN from the data port (20) towards the client, bypassing the BIG-IP, to open the data channel.

b) The client receives the SYN packet and responds with a SYN,ACK.

c) The SYN,ACK arrives at the BIG-IP, which however does not forward it to the pool member but instead responds with a RST, effectively halting the data channel establishment.

Currently this testing is done in a controlled and limited lab environment. Once the proper configuration has been established, it will be replicated in a production environment.

We have been unable to find a description of how to use nPath (to bypass the BIG-IP for the FTP data channel) together with FTP, especially when the client and servers are on the same subnet. It should also be noted that we have broad IT/IP competence but are not IP network engineers, so we might have missed something fundamental. We also have limited experience working with BIG-IP, so if you require further information from the device, please send detailed instructions or references to documentation.

At your disposal for any further clarifications,

Any help will be appreciated...

Best regards!

Alejandro.


What_Lies_Bene1
Cirrostratus

Complicated! Four things may help you here:

1) Configure a routing VS on the device to handle the data traffic (it's RST because the F5 drops anything not handled by a VS or NAT/SNAT).

2) Enable asynchronous 'routing' by disabling 'VLAN Keyed Connections'.

3) Is the FTP profile of no use?

4) Could you use an iRule to rewrite addresses in the initial data channel setup so client and server 'talk' directly?
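The data channel in step a) of the question is the server dialling out from port 20 to the endpoint the client announced in its PORT (or EPRT) command, and item 4 of the reply is about rewriting that announcement. The parser below is an added example in Python, not code from either poster or from F5; it decodes that announcement and applies the check a proxy or FTP server should make before the server-side SYN leaves, namely that the announced endpoint really is the peer of the control connection. All addresses in it are constructed.

```python
import ipaddress
import re

# Active-mode FTP: the client tells the server where to connect from port 20.
# RFC 959 PORT carries "h1,h2,h3,h4,p1,p2" (port = p1*256 + p2);
# RFC 2428 EPRT carries "|1|addr|port|" for IPv4 or "|2|addr|port|" for IPv6.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)


def parse_data_endpoint(cmd):
    """Return (ip, port) the server should dial for the data channel,
    or raise ValueError if the command is malformed."""
    m = _PORT_RE.match(cmd)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            raise ValueError("PORT field out of range: %s" % cmd)
        ip = ipaddress.ip_address(".".join(str(f) for f in fields[:4]))
        port = fields[4] * 256 + fields[5]
    else:
        m = _EPRT_RE.match(cmd)
        if not m:
            raise ValueError("not a PORT/EPRT command: %s" % cmd)
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        ip = ipaddress.ip_address(addr)
        if (proto == "1") != (ip.version == 4):
            raise ValueError("EPRT protocol/address mismatch: %s" % cmd)
    if not 1 <= port <= 65535:
        raise ValueError("data port out of range: %s" % cmd)
    return ip, port


def data_channel_allowed(cmd, control_peer_ip):
    """True only if the announced endpoint is the control connection's own
    peer on a non-privileged port, so the port-20 SYN that bypasses the
    load balancer goes to the real client and never to a third party."""
    try:
        ip, port = parse_data_endpoint(cmd)
    except ValueError:
        return False
    return ip == ipaddress.ip_address(control_peer_ip) and port >= 1024


if __name__ == "__main__":
    # Constructed sample: a client at 192.0.2.10 offering port 50000.
    print(parse_data_endpoint("PORT 192,0,2,10,195,80"))
    print(data_channel_allowed("PORT 192,0,2,10,195,80", "192.0.2.10"))
```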