Passive FTP over Load Balancer

Posted on 2009-05-12
Last Modified: 2014-01-05
Dear colleagues,

I'm running two Windows Server 2003 machines behind a Foundry Load Balancer. I'm running FTP on those babies and I want Passive FTP to work via load balancer.

The thing works fine for several hours. I'm able to send thousands of files to the servers, via load balanced IP. However, every once in a while, I get the following error message on my application: "Can't connect to server specified PASV port {PORT NUMBER, e.g. 50419}. There is probably a firewall blocking this port". But, when I use the non-balanced IP, I don't get that message at all. So, indeed, the problem does not seem to be on the firewall, but on the load balancer.

Here is what I think: since the load balancer, in theory, "pushes" the traffic to the least used server, there may be times in which it "switches" the server it is pointing to, while the actual FTP connection is opened on the other one. That is why the problem occurs: it opens a connection on server 1, but when the actual file transfer starts, it tries to send it to server 2 (which does not have the expected FTP port opened). That is possibly why I have those random FTP issues sometimes. I do think this makes sense.

I talked about this with my network admin and he configured the load balancer for port 21 for sticky and concurrent ON. Since I'm working with passive FTP, port 20 should not be a problem... Anyway, sticky and concurrent are ON for port 20 as well.

However, even after this, the problem remains just the same.

Do you guys think we are doing something wrong? Should we make any other port sticky or concurrent?

This is quite urgent and I thank you for your attention and helpful support.

Best regards,

Helder Conde
Question by:HelderConde
LVL 57

Expert Comment

ID: 24373631
Your theory is most likely correct.  The foundry device SHOULD be able to be configured so that the data connection always goes back to the same server that the command/control session is on, that is sticky sessions.

If you are not using active ftp, then doing anything with port 20 will just be a waste of time.

The foundry device should be able to snoop the command/control session and know to keep the session sticky.

Now, what you could try and do is setup the ftp server to use a specific range of ports for the data connection and make those sticky.

Author Comment

ID: 24374555
Thanks for your response. I had thought of doing what you suggested: "setup the ftp server to use a specific range of ports for the data connection and make those sticky".

I just didn't do it because I need a large number of ports opened. Actually, I've used the procedure described in to open my ports up to 65534 (instead of the default 1024-5000 range).

Do you think this would be a problem? I don't necessarily need all those ports opened. But my concern is: will it pose any "stress" on the firewall to handle all those ports?

Please let me know what you think.

Best regards,

Helder Conde

This means that I'd need
LVL 57

Expert Comment

ID: 24375844
O.K., the KB increases the number of concurrent open ports that can be used when an IP application asks to open a "high port". Now, "open" includes ports in TIME_WAIT status.

It does not affect how many concurrent ports can be open if an IP application asks to open a specific port.

What I am talking about is to go into the FTP server and specify an exact range of ports that it uses for passive data connections.  Which will cause the ftp server to ask to open specific ports.

Author Comment

ID: 24375935
This is the one you're talking about, right?

Yes, I can try that one. That leads me to 2 questions:

1. How many ports do you believe I should leave open on IIS for that? I believe IIS defaults at 65535.
2. What should I do on the LB to allow specifically the defined range?


Helder Conde
LVL 57

Accepted Solution

giltjr earned 500 total points
ID: 24377078
Yes, that is what I am talking about.

How many concurrent ftp sessions do you plan on having? I would specify 20-30% more than that. So if you plan to have 200 concurrent ftp sessions, then specify a port range that has 240-260 ports.

I have never used a foundry LB, but I would think that you don't need to do anything other than setting up that port range as being sticky.
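An added example, not part of this thread: a small Python check that parses the 227 PASV replies a client sees through the balanced address and flags the two things that break a passive data connection behind a balancer, a port outside the sticky range and a server advertising its own address instead of the balanced one. The balanced address 192.0.2.10 and the 5001-5250 range are constructed values; the sizing helper applies the 25% headroom suggested in the accepted answer.

```python
import math
import re

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as the FTP server sends it.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def sticky_range_size(expected_sessions, headroom=0.25):
    """Ports to reserve for the passive data range: sessions plus 20-30% headroom."""
    return math.ceil(expected_sessions * (1 + headroom))


def check_pasv(reply, vip, port_range):
    """List the problems that would make the data connection fail via the balancer.

    vip: the balanced address clients connect to (constructed: 192.0.2.10)
    port_range: (low, high) inclusive, the passive range configured on the FTP
    server and made sticky on the balancer (constructed: 5001-5250)
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["unparseable PASV reply: " + reply.strip()]
    ip, port = parsed
    low, high = port_range
    problems = []
    if ip != vip:
        problems.append(f"server advertised {ip}, clients expect {vip}")
    if not low <= port <= high:
        problems.append(f"port {port} is outside the sticky range {low}-{high}")
    return problems


if __name__ == "__main__":
    VIP = "192.0.2.10"
    RANGE = (5001, 5000 + sticky_range_size(200))  # 200 sessions -> 5001-5250
    # Constructed replies: one good, one on the 50419 port from the question,
    # one where the real server address leaks instead of the balanced one.
    for reply in ("227 Entering Passive Mode (192,0,2,10,19,137)",
                  "227 Entering Passive Mode (192,0,2,10,196,243)",
                  "227 Entering Passive Mode (10,0,0,5,19,140)"):
        print(reply, "->", check_pasv(reply, VIP, RANGE) or "ok")
```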

Author Comment

ID: 24377645

Thanks for your response. I'll go ahead and try that one.

I'll let you know about the results.

Best regards,

Helder Conde
