Passive FTP over Load Balancer

Posted on 2009-05-12
Last Modified: 2014-01-05
Dear colleagues,

I'm running two Windows Server 2003 machines behind a Foundry Load Balancer. I'm running FTP on those babies and I want Passive FTP to work via load balancer.

The thing works fine for several hours. I'm able to send thousands of files to the servers, via load balanced IP. However, every once in a while, I get the following error message on my application: "Can't connect to server specified PASV port {PORT NUMBER, eg. 50419}. There is probably a firewall blocking this port". But, when I use the non-balanced IP, I don't get that message at all. So, indeed, the problem does not seem to be on the firewall, but on the load balancer.

Here is what I think: since the load balancer, in theory, "pushes" the traffic to the least used server, there may be times in which it "switches" the server it is pointing to, while the actual FTP connection is opened on the other one. That is why the problem occurs: it opens a connection on server 1, but when the actual file transfer starts, it tries to send it to server 2 (which does not have the expected FTP port opened). That is possibly why I have those random FTP issues sometimes. I do think this makes sense.

I talked about this with my network admin and he configured the load balancer for port 21 for sticky and concurrent ON. Since I'm working with passive FTP, port 20 should not be a problem... Anyway, sticky and concurrent are ON for port 20 as well.

However, even after this, the problem remains just the same.

Do you guys think we are doing something wrong? Should we make any other port sticky or concurrent?

This is quite urgent and I thank you for your attention and helpful support.

Best regards,

Helder Conde
Question by: HelderConde
LVL 57

Expert Comment

ID: 24373631
Your theory is most likely correct.  The foundry device SHOULD be able to be configured so that the data connection always goes back to the same server that the command/control session is on, that is sticky sessions.

If you are not using active ftp, then doing anything with port 20 will just be a waste of time.

The foundry device should be able to snoop the command/control session and know to keep the session sticky.

Now, what you could try and do is set up the ftp server to use a specific range of ports for the data connection and make those sticky.

Author Comment

ID: 24374555
Thanks for your response. I had thought of doing what you suggested: "setup the ftp server to use a specific range of ports for the data connection and make those sticky".

I just didn't do it because I need a large number of ports opened. Actually, I've used the procedure described in to open my ports up to 65534 (instead of the default 1024-5000 range).

Do you think this would be a problem? I don't necessarily need all those ports opened. But my concern is: will it pose any "stress" on the firewall to handle all those ports?

Please let me know what you think.

Best regards,

Helder Conde

This means that I'd need
LVL 57

Expert Comment

ID: 24375844
O.K., the KB increases the number of concurrent open ports that can be used when an IP application asks to open a "high port". Now, "open" includes ports in TIME_WAIT status.

It does not affect how many concurrent ports can be open if an IP application asks to open a specific port.

What I am talking about is to go into the FTP server and specify an exact range of ports that it uses for passive data connections, which will cause the ftp server to ask to open specific ports.

Author Comment

ID: 24375935
This is the one you're talking about, right?

Yes, I can try that one. That leads me to 2 questions:

1. How many ports do you believe I should leave open on IIS for that? I believe IIS defaults at 65535.
2. What should I do on the LB to allow specifically the defined range?


Helder Conde
LVL 57

Accepted Solution

giltjr earned 500 total points
ID: 24377078
Yes, that is what I am talking about.

How many concurrent ftp sessions do you plan on having?  I would specify 20-30% more than that.  So if you plan to have 200 concurrent ftp sessions, then specify a port range that has 240-260 ports.

I have never used a foundry LB, but I would think that you don't need to do anything other than setting up that port range as being sticky.
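The following is an added example, not code from the thread or from the Foundry product: a small Python model of the failure described in the question and of the fix proposed in this answer. It decodes a PASV reply into the data port (p1*256 + p2, as RFC 959 defines it), sizes a passive range with 20-30% headroom, and then routes a control session plus its data connection through a two-backend balancer. The least-connections policy, the backend names and the port numbers are constructed assumptions; the point it shows is that stickiness on ports 21 and 20 alone leaves the data connection free to land on the other server, while stickiness on the configured passive range keeps it with the server that opened the port.

```python
"""Passive FTP through a load balancer: why sticky on 21/20 is not enough,
and why a fixed, sticky passive range fixes it. Added example; backends,
ports and the least-connections policy are constructed assumptions."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass, field

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a PASV reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def passive_range_size(concurrent_sessions: int, headroom_pct: int = 25) -> int:
    """Ports to reserve: expected concurrent data connections plus 20-30%."""
    return math.ceil(concurrent_sessions * (100 + headroom_pct) / 100)


@dataclass
class Backend:
    name: str
    passive_range: tuple[int, int]          # configured on the FTP server
    data_ports: set[int] = field(default_factory=set)
    connections: int = 0

    def open_pasv_port(self) -> int:
        """Listen on the lowest free port of the configured passive range."""
        lo, hi = self.passive_range
        for port in range(lo, hi + 1):
            if port not in self.data_ports:
                self.data_ports.add(port)
                return port
        raise RuntimeError(f"{self.name}: passive range exhausted")


@dataclass
class LoadBalancer:
    backends: list[Backend]
    sticky_ports: set[int]                  # destination ports with sticky ON
    sticky_table: dict[str, Backend] = field(default_factory=dict)

    def route(self, client: str, dst_port: int) -> Backend:
        """Sticky ports reuse the client's pinned backend; everything else
        goes to the least-loaded backend (assumed policy)."""
        if dst_port in self.sticky_ports and client in self.sticky_table:
            return self.sticky_table[client]
        backend = min(self.backends, key=lambda b: b.connections)
        if dst_port in self.sticky_ports:
            self.sticky_table[client] = backend
        return backend


def transfer(lb: LoadBalancer, client: str) -> bool:
    """Control session on 21, then the PASV data connection. True only if the
    data connection reaches the backend that actually opened the port."""
    ctrl = lb.route(client, 21)
    ctrl.connections += 1
    port = ctrl.open_pasv_port()           # server tells the client this port
    data = lb.route(client, port)
    ok = port in data.data_ports           # otherwise: "Can't connect to PASV port"
    if ok:
        data.connections += 1
    return ok


def simulate(sticky_passive_range: bool, sessions: int = 200) -> bool:
    """Two backends sharing one passive range sized for `sessions` transfers."""
    lo = 50000                              # constructed range start
    hi = lo + passive_range_size(sessions) - 1
    backends = [Backend("srv1", (lo, hi)), Backend("srv2", (lo, hi))]
    sticky = {20, 21}                       # what the admin configured first
    if sticky_passive_range:
        sticky |= set(range(lo, hi + 1))    # the fix: passive range sticky too
    return transfer(LoadBalancer(backends, sticky), client="10.1.2.3")


if __name__ == "__main__":
    print(parse_pasv("227 Entering Passive Mode (192,168,1,10,196,243)"))
    print("sticky on 21/20 only:", simulate(False))
    print("sticky on passive range:", simulate(True))
```

Running the module prints the decoded port 50419 from the constructed reply, `False` for the 21/20-only configuration and `True` once the passive range is sticky as well; the range in the model is 250 ports for 200 sessions, matching the 20-30% headroom suggested above.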

Author Comment

ID: 24377645

Thanks for your response. I'll go ahead and try that one.

I'll let you know about the results.

Best regards,

Helder Conde
