  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437

Passive FTP over Load Balancer

Dear colleagues,

I'm running two Windows Server 2003 machines behind a Foundry Load Balancer. I'm running FTP on those babies and I want Passive FTP to work via the load balancer.

The thing works fine for several hours. I'm able to send thousands of files to the servers via the load-balanced IP. However, every once in a while, I get the following error message on my application: "Can't connect to server specified PASV port {PORT NUMBER, eg. 50419}. There is probably a firewall blocking this port". But when I use the non-balanced IP, I don't get that message at all. So, indeed, the problem does not seem to be on the firewall, but on the load balancer.

Here is what I think: since the load balancer, in theory, "pushes" the traffic to the least used server, there may be times in which it "switches" the server it is pointing to, while the actual FTP connection is opened on the other one. That is why the problem occurs: it opens a connection on server 1, but when the actual file transfer starts, it tries to send it to server 2 (which does not have the expected FTP port opened). That is possibly why I have those random FTP issues sometimes. I do think this makes sense.

I talked about this with my network admin and he configured the load balancer for port 21 for sticky and concurrent ON. Since I'm working with passive FTP, port 20 should not be a problem... Anyway, sticky and concurrent are ON for port 20 as well.

However, even after this, the problem remains just the same.

Do you guys think we are doing something wrong? Should we make any other port sticky or concurrent?

This is quite urgent and I thank you for your attention and helpful support.

Best regards,

Helder Conde
Asked by HelderConde

1 Solution

giltjr commented:
Your theory is most likely correct. The Foundry device SHOULD be able to be configured so that the data connection always goes back to the same server that the command/control session is on; that is sticky sessions.

If you are not using active ftp, then doing anything with port 20 will just be a waste of time.

The Foundry device should be able to snoop the command/control session and know to keep the session sticky.

Now, what you could try and do is set up the FTP server to use a specific range of ports for the data connection and make those sticky.
0
HelderConde (Author) commented:
Thanks for your response. I had thought of doing what you suggested: "set up the FTP server to use a specific range of ports for the data connection and make those sticky".

I just didn't do it because I need a large number of ports opened. Actually, I've used the procedure described in http://support.microsoft.com/kb/196271 to open my ports up to 65534 (instead of the default 1024-5000 range).

Do you think this would be a problem? I don't necessarily need all those ports opened. But my concern is: will it pose any "stress" on the firewall to handle all those ports?

Please let me know what you think.

Best regards,

Helder Conde

This means that I'd need
0
giltjr commented:
O.K., the KB increases the number of concurrent open ports that can be used when an IP application asks to open a "high port". Now, "open" includes ports in TIME_WAIT status.

It does not affect how many concurrent ports can be open if an IP application asks to open a specific port.

What I am talking about is to go into the FTP server and specify an exact range of ports that it uses for passive data connections, which will cause the FTP server to ask to open specific ports.
0
HelderConde (Author) commented:
This is the one you're talking about, right?
http://support.microsoft.com/kb/555022/en-us

Yes, I can try that one. That leads me to 2 questions:

1. How many ports do you believe I should leave open on IIS for that? I believe IIS defaults at 65535.
2. What should I do on the LB to allow specifically the defined range?

Thanks,

Helder Conde
0
giltjr commented:
Yes, that is what I am talking about.

How many concurrent FTP sessions do you plan on having? I would specify 20-30% more than that. So if you plan to have 200 concurrent FTP sessions, then specify a port range that has 240-260 ports.

I have never used a Foundry LB, but I would think that you don't need to do anything other than setting up that port range as being sticky.
0
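The following is an added example, not code from this thread and not Foundry, IIS or Microsoft tooling. It illustrates two points from giltjr's answers: the passive-mode exchange that has to stay sticky (the server's 227 reply names the host and port the client will open its data connection to) and the rule of thumb above for sizing the dedicated passive port range. It decodes RFC 959 "227 Entering Passive Mode" replies and audits a set of constructed reply lines against an assumed sticky range, flagging replies that advertise a port outside that range or an address other than the balanced IP (a server that advertises its own address sends the data connection around the balancer). The addresses 10.0.0.5 (balanced IP) and 10.0.0.6 (one real server), the range starting at 50400 and the 25% headroom are all assumptions.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data port the client connects to is p1 * 256 + p2.
PASV_RE = re.compile(
    r"227[^(]*\("
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class PasvEndpoint:
    host: str
    port: int


def parse_pasv_reply(line: str) -> Optional[PasvEndpoint]:
    """Decode a 227 reply into the host/port the client will open its data connection to."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed reply: every field is a single octet
    host = ".".join(str(n) for n in nums[:4])
    return PasvEndpoint(host, nums[4] * 256 + nums[5])


def size_passive_range(concurrent_sessions: int, headroom: float = 0.25) -> int:
    """Ports to reserve for passive data connections: the expected concurrent
    sessions plus 20-30% headroom (giltjr's rule of thumb); 25% is assumed here."""
    return math.ceil(concurrent_sessions * (1 + headroom))


def audit_pasv_replies(
    lines: List[str], sticky_range: Tuple[int, int], expected_host: str
) -> List[Tuple[str, str]]:
    """Flag 227 replies whose advertised endpoint will not stick to the server that
    owns the control session: a port outside the range the balancer pins, or a
    real server address instead of the balanced (virtual) IP."""
    lo, hi = sticky_range
    findings = []
    for line in lines:
        ep = parse_pasv_reply(line)
        if ep is None:
            continue  # not a PASV reply
        if not lo <= ep.port <= hi:
            findings.append((line, f"port {ep.port} outside sticky range {lo}-{hi}"))
        elif ep.host != expected_host:
            findings.append((line, f"advertises {ep.host}, not the balanced IP {expected_host}"))
    return findings


# Constructed sample: control-channel replies as a client would see them.
# 10.0.0.5 stands in for the balanced IP, 10.0.0.6 for one real server (both assumed).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,0,0,5,196,227)",  # port 50403, inside the range
    "227 Entering Passive Mode (10,0,0,5,196,243)",  # port 50419, the port from the question
    "227 Entering Passive Mode (10,0,0,5,19,136)",   # port 5000, the old default upper bound
    "227 Entering Passive Mode (10,0,0,6,196,230)",  # a server's own address leaks past the balancer
    "150 Opening BINARY mode data connection.",      # not a PASV reply, ignored
]

# Assumed sticky range: 250 ports starting at 50400, sized for 200 concurrent sessions.
STICKY_RANGE = (50400, 50400 + size_passive_range(200) - 1)

if __name__ == "__main__":
    for line, reason in audit_pasv_replies(SAMPLE_REPLIES, STICKY_RANGE, "10.0.0.5"):
        print(f"{reason}: {line}")
```

Run against real traffic, the same check applied to the server's 227 replies (or a packet capture of port 21) separates the two failure modes the thread discusses: a data port the balancer does not pin to the control session's server, versus an address that bypasses the balancer altogether.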
HelderConde (Author) commented:
giltjr,

Thanks for your response. I'll go ahead and try that one.

I'll let you know about the results.

Best regards,

Helder Conde
0
