Solved

Passive FTP over Load Balancer

Posted on 2009-05-12
6
408 Views
Last Modified: 2014-01-05
Dear colleagues,

I'm running two Windows Server 2003 machines behind a Foundry Load Balancer. I'm running FTP on those babies and I want Passive FTP to work via load balancer.

The thing works fine for several hours. I'm able to send thousands of files to the servers, via load balanced IP. However, every once in a while, I get the following error message on my application: "Can't connect to server specified PASV port {PORT NUMBER, eg. 50419}. There is probably a firewall blocking this port". But, when I use the non-balanced IP, I don't get that message at all. So, indeed, the problem does not seem to be on the firewall, but on the load balancer.

Here is what I think: since the load balancer, in theory, "pushes" the traffic to the least used server, there may be times in which it "switches" the server it is pointing to, while the actual FTP connection is opened on the other one. That is why the problem occurs: it opens a connection on server 1, but when the actual file transfer starts, it tries to send it to server 2 (which does not have the expected FTP port opened). That is possibly why I have those random FTP issues sometimes. I do think this makes sense.

I talked about this with my network admin and he configured the load balancer for port 21 for sticky and concurrent ON. Since I'm working with passive FTP, port 20 should not be a problem... Anyway, sticky and concurrent are ON for port 20 as well.

However, even after this, the problem remains just the same.

Do you guys think we are doing something wrong? Should we make any other port sticky or concurrent?

This is quite urgent and I thank you for your attention and helpful support.

Best regards,

Helder Conde
0
Question by:HelderConde
6 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 24373631
Your theory is most likely correct.  The foundry device SHOULD be able to be configured so that the data connection always goes back to the same server that the command/control session is on, that is sticky sessions.

If you are not using active ftp, then doing anything with port 20 will just be a waste of time.

The foundry device should be able to snoop the command/control session and know to keep the session sticky.

Now, what you could try and do is set up the ftp server to use a specific range of ports for the data connection and make those sticky.
0
 

Author Comment

by:HelderConde
ID: 24374555
Thanks for your response. I had thought of doing what you suggested: "setup the ftp server to use a specific range of ports for the data connection and make those sticky".

I just didn't do it because I need a large number of ports opened. Actually, I've used the procedure described in http://support.microsoft.com/kb/196271 to open my ports up to 65534 (instead of the default 1024-5000 range).

Do you think this would be a problem? I don't necessarily need all those ports opened. But my concern is: will it pose any "stress" on the firewall to handle all those ports?

Please let me know what you think.

Best regards,

Helder Conde

This means that I'd need
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24375844
O.K., the KB increases the number of concurrent open ports that can be used when an IP application asks to open a "high port". Now, "open" includes ports in TIME_WAIT status.

It does not affect how many concurrent ports can be open if an IP application asks to open a specific port.

What I am talking about is to go into the FTP server and specify an exact range of ports that it uses for passive data connections, which will cause the ftp server to ask to open specific ports.
0

Author Comment

by:HelderConde
ID: 24375935
This is the one you're talking about, right?
http://support.microsoft.com/kb/555022/en-us

Yes, I can try that one. That leads me to 2 questions:

1. How many ports do you believe I should leave open on IIS for that? I believe IIS defaults at 65535.
2. What should I do on the LB to allow specifically the defined range?

Thanks,

Helder Conde
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 24377078
Yes, that is what I am talking about.

How many concurrent ftp sessions do you plan on having?  I would specify 20-30% more than that.  So if you plan to have 200 concurrent ftp sessions, then specify a port range that has 240-260 ports.

I have never used a foundry LB, but I would think that you don't need to do anything other than setting up that port range as being sticky.
0
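The checks implied by this thread, as an added example that is not part of the original question or answers: decode the server's 227 PASV reply, confirm the advertised address is the load balancer's VIP and the port falls inside the passive range configured on the IIS servers (the KB 555022 procedure), size that range with the 20-30% headroom rule from the accepted answer, and scan load-balancer connection records for data connections sent to a different backend than the client's control connection, which is the failure mode the asker describes. The VIP (192.0.2.10), the passive range (50000-50499), the backend names and the log line format are all constructed for this example; a real Foundry log looks different and the regex would need adjusting.

```python
import re

# Constructed values for the example, not taken from the post: the load
# balancer's virtual IP and the passive range configured on the FTP servers.
VIP = "192.0.2.10"
PASV_RANGE = (50000, 50499)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Decode a 227 reply into (host, port); raises ValueError on malformed input."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV advertised port 0: %r" % reply)
    return host, port


def check_pasv(reply, vip=VIP, port_range=PASV_RANGE):
    """Return a list of problems with the advertised data endpoint (empty means OK).

    A host other than the VIP means the backend is leaking its own address, so
    the client would bypass the balancer; a port outside the configured range
    means the server is still handing out ports the balancer was not told to
    keep sticky.
    """
    host, port = parse_pasv(reply)
    lo, hi = port_range
    problems = []
    if host != vip:
        problems.append("advertised %s instead of VIP %s" % (host, vip))
    if not lo <= port <= hi:
        problems.append("port %d outside passive range %d-%d" % (port, lo, hi))
    return problems


def passive_range_size(concurrent_sessions, headroom=0.3):
    """Ports to reserve: expected concurrent sessions plus 20-30% headroom."""
    return int(round(concurrent_sessions * (1 + headroom)))


# Constructed connection-record format for the example balancer log:
#   client=<ip>:<port> vip_port=<port on the VIP> backend=<server name>
LB_LOG_RE = re.compile(r"client=(\S+):\d+ vip_port=(\d+) backend=(\S+)")


def find_misrouted_data_connections(log_lines, port_range=PASV_RANGE):
    """Flag passive data connections that landed on a different backend than
    the same client's control connection (port 21).

    Returns a list of (client_ip, vip_port, control_backend, data_backend).
    Lines for other ports (e.g. HTTP on the same VIP) are ignored.
    """
    control_backend = {}
    misrouted = []
    for line in log_lines:
        m = LB_LOG_RE.search(line)
        if not m:
            continue
        client, vip_port, backend = m.group(1), int(m.group(2)), m.group(3)
        if vip_port == 21:
            control_backend[client] = backend
        elif port_range[0] <= vip_port <= port_range[1]:
            expected = control_backend.get(client)
            if expected is not None and expected != backend:
                misrouted.append((client, vip_port, expected, backend))
    return misrouted


# Constructed sample records: one healthy client and one whose data connection
# was balanced to the wrong server.
SAMPLE_LOG = [
    "client=198.51.100.7:40001 vip_port=21 backend=srv1",
    "client=198.51.100.7:40002 vip_port=50419 backend=srv1",
    "client=198.51.100.9:40100 vip_port=21 backend=srv2",
    "client=198.51.100.9:40101 vip_port=50420 backend=srv1",
    "client=198.51.100.9:40102 vip_port=80 backend=srv1",
]

if __name__ == "__main__":
    print(check_pasv("227 Entering Passive Mode (192,0,2,10,196,243)"))
    print(check_pasv("227 Entering Passive Mode (10,1,1,2,4,1)"))
    print("ports to reserve for 200 sessions:", passive_range_size(200))
    for hit in find_misrouted_data_connections(SAMPLE_LOG):
        print("misrouted data connection:", hit)
```

Run against real 227 replies captured from a client session through the VIP (and, separately, against the non-balanced address) the two checks split the problem the way the thread does: a wrong host or an out-of-range port points at the server configuration, while mismatched backends in the balancer's records point at the stickiness configuration.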
 

Author Comment

by:HelderConde
ID: 24377645
giltjr,

Thanks for your response. I'll go ahead and try that one.

I'll let you know about the results.

Best regards,

Helder Conde
0
