Solved

Unable to FTP

Posted on 2008-09-29
15
1,628 Views
Last Modified: 2008-09-30
We implemented an active/passive F5 BigIP last weekend for 2 webservers. Since then, a daily FTP job on the webserver to offload the log files has failed. Nothing else has changed in the environment: same firewall, same servers. These were previously connected to Kemp LBs (through the Kemps it worked fine), and we replaced the Kemps with F5s. The firmware version is 4.2.10; these are no longer supported via F5.

Thanks in advance,
Bob Smith
0
Comment
Question by:bobs6140
15 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 22598445
Are the web servers the FTP clients, or the ftp servers?

If the web servers are the ftp servers, I am assuming then the clients must go through the F5 to get to the webservers.  How is the F5 configured to allow this?
0
 

Author Comment

by:bobs6140
ID: 22598467
Sorry, they are clients; they use command-line MS FTP to send files outbound.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22598490
Is the F5 the web servers' default gateway, or is the firewall?  In your setup, is it possible to set the "outside/Internet" firewall as their default gateway and use SNAT on the F5 so web traffic to the web servers returns through the F5 but all other outbound traffic doesn't (unless you want it to)...
0
 

Author Comment

by:bobs6140
ID: 22598546
Yes, the F5 is the default gateway for the web servers. We have NAT set up; we had an issue with SNAT, and the client wants to keep the NAT (comment: probably why I had an issue with SNAT - I was using the F5 as the gateway, not the FW - is this the normal config using SNAT?), so we have to keep the NAT.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22598672
I personally like having outbound traffic that the F5 doesn't need to see go straight out the Firewall myself and use SNAT to return the inbound web traffic to the F5.  If you want the F5 to be the gateway, you need to make sure you have a virtual server for the outbound traffic.
0
 

Author Comment

by:bobs6140
ID: 22598707
OK, I have virtual servers set up for the web servers (port 80 http) but not for FTP, so I should set up a virtual server for FTP. Thank you very much.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22598769
Or an all-encompassing VS for all outbound traffic (all ports).
0
 

Author Comment

by:bobs6140
ID: 22598891
Not sure how to do that; the drop-down for the pool only lists things like ftp, https, etc., no "all".
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22598908
I would follow JFrederick29's suggestion of a single VS for all outbound traffic that you route/send through the F5.

The only time I would use a VS for ftp is if I was going to have inbound FTP.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22599026
I believe you can do a Layer3 or IP Forwarding rule so it simply routes traffic...
0
 

Author Comment

by:bobs6140
ID: 22599060
Going to do some testing, will be back shortly. TYVM
0
 

Author Comment

by:bobs6140
ID: 22601946
Created a VS and still I am able to log in to FTP, but as soon as I issue a command it disconnects. On the FW, allow all outbound is set; on the LB, not sure how to set that. F5 has a number of reports about this, but I am unable to find any info on how to fix it. Will do more testing.

Thanks again for the response,
Bob Smith
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22604346
Try doing passive FTP.
0
 

Author Comment

by:bobs6140
ID: 22604372
I did try before this last change; will try again. After I connect I switch to passive and it is the same: it disconnects. I will test again this morning. Do you know of a passive command-line client I can use on Windows 2003?

Thank you again,
Bob Smith
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 22604439
Not sure about a command line client.  You can use Internet Explorer just for testing to see if it is an active/passive issue.
0
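Added example, not part of the original thread: a small Python check for the active/passive question raised above. In active mode the client advertises its own address in the `PORT` command and the server connects back to it; in passive mode the server advertises an address in its `227` reply. When a NAT device sits in the path, an advertised address that differs from the address seen on the control connection is consistent with "login works, data commands fail". The transcript and all IP addresses below are constructed sample data.

```python
import ipaddress
import re

# RFC 959 host-port format: h1,h2,h3,h4,p1,p2 (six decimal bytes)
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(line):
    """Return (mode, ip, port) from a PORT command or 227 reply, else None."""
    verb = line.strip().split(" ", 1)[0].upper()
    mode = {"PORT": "active", "227": "passive"}.get(verb)
    m = _HOSTPORT.search(line)
    if mode is None or m is None:
        return None
    b = [int(x) for x in m.groups()]
    if max(b) > 255:
        return None  # not a valid byte, so not a real host-port tuple
    return mode, ipaddress.ip_address("%d.%d.%d.%d" % tuple(b[:4])), b[4] * 256 + b[5]

def audit(transcript, client_seen_as, server_seen_as):
    """List data-channel addresses that differ from the control connection's peers.

    client_seen_as: client source IP as the server sees it (after NAT).
    server_seen_as: server IP the client connected to.
    """
    findings = []
    for line in transcript:
        parsed = parse_hostport(line)
        if parsed is None:
            continue
        mode, ip, port = parsed
        expected = ipaddress.ip_address(client_seen_as if mode == "active" else server_seen_as)
        if ip != expected:
            findings.append((mode, str(ip), port, ip.is_private))
    return findings

# Constructed control-channel capture: client 10.1.1.50 behind NAT, seen as 198.51.100.7
SAMPLE = [
    "USER backup",
    "230 User logged in.",
    "PORT 10,1,1,50,4,1",
    "LIST",
    "425 Can't open data connection.",
    "PASV",
    "227 Entering Passive Mode (203,0,113,20,19,137)",
]

if __name__ == "__main__":
    for f in audit(SAMPLE, "198.51.100.7", "203.0.113.20"):
        print("mismatched data address advertised: %s %s:%d private=%s" % f)
```

A finding for `active` with a private address means the server is being told to connect to an address it cannot route to unless an FTP-aware device rewrites the `PORT` payload.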

Question has a verified solution.