Solved

Passive FTP over Load Balancer

Posted on 2009-05-12
Last Modified: 2014-01-05
Dear colleagues,

I'm running two Windows Server 2003 machines behind a Foundry Load Balancer. I'm running FTP on those babies and I want Passive FTP to work via load balancer.

The thing works fine for several hours. I'm able to send thousands of files to the servers, via load balanced IP. However, every once in a while, I get the following error message on my application: "Can't connect to server specified PASV port {PORT NUMBER, eg. 50419}. There is probably a firewall blocking this port". But, when I use the non-balanced IP, I don't get that message at all. So, indeed, the problem does not seem to be on the firewall, but on the load balancer.

Here is what I think: since the load balancer, in theory, "pushes" the traffic to the least used server, there may be times in which it "switches" the server it is pointing to, while the actual FTP connection is opened on the other one. That is why the problem occurs: it opens a connection on server 1, but when the actual file transfer starts, it tries to send it to server 2 (which does not have the expected FTP port opened). That is possibly why I have those random FTP issues sometimes. I do think this makes sense.

I talked about this with my network admin and he configured the load balancer for port 21 for sticky and concurrent ON. Since I'm working with passive FTP, port 20 should not be a problem... Anyway, sticky and concurrent are ON for port 20 as well.

However, even after this, the problem remains just the same.

Do you guys think we are doing something wrong? Should we make any other port sticky or concurrent?

This is quite urgent and I thank you for your attention and helpful support.

Best regards,

Helder Conde
Question by:HelderConde

Expert Comment

by:giltjr
ID: 24373631
Your theory is most likely correct.  The foundry device SHOULD be able to be configured so that the data connection always goes back to the same server that the command/control session is on, that is sticky sessions.

If you are not using active ftp, then doing anything with port 20 will just be a waste of time.

The foundry device should be able to snoop the command/control session and know to keep the session sticky.

Now, what you could try and do is setup the ftp server to use a specific range of ports for the data connection and make those sticky.

Author Comment

by:HelderConde
ID: 24374555
Thanks for your response. I had thought of doing what you suggested: "setup the ftp server to use a specific range of ports for the data connection and make those sticky".

I just didn't do it because I need a large number of ports opened. Actually, I've used the procedure described in http://support.microsoft.com/kb/196271 to open my ports up to 65534 (instead of the default 1024-5000 range).

Do you think this would be a problem? I don't necessarily need all those ports opened. But my concern is: will it pose any "stress" on the firewall to handle all those ports?

Please let me know what you think.

Best regards,

Helder Conde

This means that I'd need

Expert Comment

by:giltjr
ID: 24375844
O.K., the KB increases the number of concurrent open ports that can be used when an IP application asks to open a "high port". Now, "open" includes ports in TIME_WAIT status.

It does not affect how many concurrent ports can be open if an IP application asks to open a specific port.

What I am talking about is to go into the FTP server and specify an exact range of ports that it uses for passive data connections.  Which will cause the ftp server to ask to open specific ports.

Author Comment

by:HelderConde
ID: 24375935
This is the one you're talking about, right?
http://support.microsoft.com/kb/555022/en-us

Yes, I can try that one. That leads me to 2 questions:

1. How many ports do you believe I should leave open on IIS for that? I believe IIS defaults at 65535.
2. What should I do on the LB to allow specifically the defined range?

Thanks,

Helder Conde

Accepted Solution

by:
giltjr earned 500 total points
ID: 24377078
Yes, that is what I am talking about.

How many concurrent ftp sessions do you plan on having?  I would specify 20-30% more than that.  So if you plan to have 200 concurrent ftp sessions, then specify a port range that has 240-260 ports.

I have never used a foundry LB, but I would think that you don't need to do anything other than setting up that port range as being sticky.
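The accepted answer boils down to two things a practitioner can verify rather than guess at: size a fixed PASV data-port range from the expected concurrency (plus 20-30% headroom), and then confirm that every 227 reply coming back through the VIP advertises the VIP address and a port inside that range, since a reply outside it is exactly what no sticky rule or firewall rule will match. The script below is an added example written for this thread; it is not code from the poster, from giltjr, or from Foundry or Microsoft. The VIP 203.0.113.10, the 50000-based range, the backend address 10.0.0.5 and the sample 227 replies are all constructed for illustration.

```python
"""Sanity-check passive-FTP (227) replies coming through a load-balanced VIP.

Added example for the thread above, not part of the original post.
The VIP, port range, backend address and sample replies are constructed.
"""
import math
import re
import socket

# RFC 959 form: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return host, port


def passive_range_for(concurrent_sessions, headroom=0.25, first_port=50000):
    """Size a PASV data-port range: sessions plus headroom (default 25%).

    Returns (first_port, last_port), inclusive. Assumed starting port 50000.
    """
    count = int(math.ceil(concurrent_sessions * (1.0 + headroom)))
    last_port = first_port + count - 1
    if last_port > 65535:
        raise ValueError("range would exceed 65535; lower first_port")
    return first_port, last_port


def check_pasv_reply(reply, vip, port_range):
    """Flag the two ways a 227 reply goes wrong behind a VIP.

    Returns (host, port, problems). An empty problems list means the client
    will dial the VIP on a port the balancer can be made sticky for.
    """
    host, port = parse_pasv(reply)
    lo, hi = port_range
    problems = []
    if host != vip:
        # Server advertised its own address: the client bypasses the VIP,
        # or cannot reach the backend at all from outside.
        problems.append("advertised host %s is not the VIP %s" % (host, vip))
    if not lo <= port <= hi:
        # Port outside the fixed range: no sticky rule and no firewall
        # rule will match it, which is the symptom reported in the thread.
        problems.append("port %d outside configured range %d-%d" % (port, lo, hi))
    return host, port, problems


def probe_data_port(host, port, timeout=3.0):
    """Live check: can a TCP connection be opened to host:port at all?

    This is the step the poster's client was failing at. Needs network
    access, so it is not exercised by the offline sample run below.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample data: assumed VIP, 200 planned sessions, three replies.
VIP = "203.0.113.10"
PORT_RANGE = passive_range_for(200)  # (50000, 50249)
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,195,80)",   # 50000: inside range
    "227 Entering Passive Mode (203,0,113,10,196,243)",  # 50419: outside range
    "227 Entering Passive Mode (10,0,0,5,195,100)",      # 50020, but backend IP leaked
]


def audit(replies=SAMPLE_REPLIES, vip=VIP, port_range=PORT_RANGE):
    """Return a list of (port, problems) for every reply, in order."""
    return [check_pasv_reply(r, vip, port_range)[1:] for r in replies]


if __name__ == "__main__":
    for port, problems in audit():
        print(port, "OK" if not problems else "; ".join(problems))
```

To use it against a real deployment, open a control connection to the VIP, send PASV repeatedly, feed each 227 line to `check_pasv_reply`, and call `probe_data_port` on the advertised host and port; a reply that passes the check but still fails the probe points at the balancer not keeping the data connection on the same backend as the control session.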

Author Comment

by:HelderConde
ID: 24377645
giltjr,

Thanks for your response. I'll go ahead and try that one.

I'll let you know about the results.

Best regards,

Helder Conde