passive
4 Topics

Passive FTP using FTP profile
Hi Community, I have an F5 BIG-IP 16.0.1.1 running on AWS with an FTP server behind it running vsftpd. The idea is to balance passive FTP publicly. So, clients should hit the public IP of the F5 for passive FTP. This scenario is running perfectly without an FTP profile, just a TCP profile (all ports) and the option pasv_address on the FTP server pointing to the public IP address of the F5. But I need to have this working with the FTP profile in order to implement extra security for FTP on the F5. I've tried to implement FTP passive load balancing using official documentation like https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/load-balancing-passive-mode-ftp-traffic.html , but no matter what combination or configuration is implemented on the F5 and the FTP server, if I have the FTP profile the message "passive mode refused" is always received after the PASV request, and it only works if I use this for internal passive FTP, meaning that I do not configure a pasv_address on the FTP server, and the client that requests the connection is on the same LAN as the F5 and FTP server, resolving everything internally. As I said, I've tried a lot of combinations and settings on the F5 and FTP servers, but nothing works. Could someone give me a little guidance here? Thanks in advance.

2.4K views, 0 likes, 9 comments

Problem FTPS passive
Hello Everyone, For one of our customers, we have to deploy an FTPS server behind the F5. Here is my configuration of the VS: And here is my problem. The FTP behind the F5 is working great, I can connect to it and transfer a file successfully. But where I have a problem is when the server has TLS turned on. First I tried to manage the certificate with the F5 (TLS is off on the FTP server), so I created an SSL client profile, but it's not working: And when TLS is turned on on the server but the certificate is not managed by the F5, here is the error message I have: I connect with a real account. 1/ Do you think it's an F5 config problem or an FTP/certificate problem? Has someone already had this kind of problem, and how did they manage to resolve it? 2/ Do I need to create an iRule to limit the range of ports to connect? Thanks in advance.

Solved, 700 views, 0 likes, 5 comments

Setting Cookie, and subsequently load balancing using the cookie!
Hello! I have looked around and tried to find something similar but haven't found much. The requirement is as follows, and I need some help with it.

- The client connects to the VIP initially; it will not have any cookie info. This needs to go to pool 1.
- pool1 contains the same nodes as pool2 and pool3, so basically pool1 = pool2 + pool3.
- If the LB selects a node from pool1 that belongs to pool2 as well, set cookie "TC" (BIG-IP should do cookie insert).
- If the LB selects a node from pool1 that belongs to pool3 as well, set cookie "DY" (BIG-IP should only send back the cookie set by the server, i.e. BIG-IP is passive).
- Any subsequent requests from the client with these cookies (TC, DY) will go to pool2 and pool3 respectively.

Below is what I have tried so far, but I do not know how to create a hash for the server IP and port and add it to the iRule while inserting the cookie. I know something significant is missing; any pointers will be helpful.

    # https://clouddocs.f5.com/api/irules/LB__select.html
    # https://devcentral.f5.com/s/question/0D51T00006i7YuC/getting-cookie-value-and-using-switch
    # https://clouddocs.f5.com/api/irules/HTTP__cookie.html
    when HTTP_REQUEST {
        # log cookies of the client in the request
        log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] request to [HTTP::host][HTTP::uri]"
        foreach cookie [HTTP::cookie names] {
            log local0. "[IP::client_addr]:[TCP::client_port]: Cookie $cookie = [HTTP::cookie value $cookie]"
        }
        # flag read in HTTP_RESPONSE: 1 when this cookieless request was sent to pool1
        set bool 0
        if { not ([HTTP::cookie exists "TC"] or [HTTP::cookie exists "DY"]) } {
            pool pool1
            set bool 1
            log local0. "Pool assigned bool: $bool"
        } elseif { [HTTP::cookie exists "TC"] } {
            pool pool2
        } elseif { [HTTP::cookie exists "DY"] } {
            pool pool3
        }
    }

    when HTTP_RESPONSE {
        # server addresses as given in the post (truncated to 10.45.)
        if { $bool == 1 and ([LB::server addr] equals "10.45." or [LB::server addr] equals "10.45.") } {
            # cookie insert method: BIG-IP needs to actively insert the cookie
            HTTP::cookie insert name "TC" value "TC"
        } else {
            # passive cookie by BIG-IP, as the server will set the cookie for DY
            HTTP::cookie insert name "DY" value "DY"
        }
    }

422 views, 0 likes, 0 comments

FTP and one leg setup - why not working
Hi, I tried to do a setup like this:

- VS in the 192.168.1.1/24 network with IP 192.168.1.100
- SNAT assigned: 192.168.1.200
- FTP server IP: 192.168.1.110

The flow is then: C -> 192.168.1.100:21 <-> 192.168.1.200:high_port -> 192.168.1.110:21

A client connecting in either passive or active mode is always refused, based on the trace:

- Passive: the client attempts to connect to VS 192.168.1.100: to create the data connection; the VS almost immediately sends an RST to the SYN packet. The backend server reports 425 Can't open data connection for transfer of "/".
- Active: as soon as the backend server tries to create a connection from port 20 to the port passed by BIG-IP in the PORT command, BIG-IP does not respond to the SYN; after 2 repeated SYNs BIG-IP sends RST-ACK, and the backend server again sends 425 Can't open data connection for transfer of "/" over the control connection.

The same VS, when accessed from another VLAN, is working without issue in both passive and active mode. Tested on both v11.2.0HF7 and 13.0.0HF2. Am I missing something important that prevents FTP in a one-leg configuration?

Piotr

319 views, 0 likes, 0 comments