DataPower


Problem with the FTP Server Handler configured with an F5 for load balancing

  • 1.  Problem with the FTP Server Handler configured with an F5 for load balancing

    Posted Mon January 27, 2020 11:48 AM
    We are trying to configure an FTP Server Handler on two DataPower with an F5 in front of them for load balancing.
    When the FTP Server Handler is "up" on one of the DP and "down" on the other one, everything works fine.
    However, when the FTP Server Handlers are "up" on both DP, the FTP requests sometimes work, but most of the time fail with the error " **** Data socket error (Connection refused) - reconnecting".
    We use the setting "Allow passive mode". We tried different settings for the properties "Disable passive data connection (pasv) IP security check", "Disable active data connection (port) IP security check" and "alternate PASV IP address", which are supposed to be important when a work balancer is used in front of the FTP Server Handlers. However, this did not enable us to fix the issue.
    Any advice would be helpful.

    ------------------------------
    Patrick Marie
    ------------------------------


  • 2.  RE: Problem with the FTP Server Handler configured with an F5 for load balancing
    Best Answer

    IBM Champion
    Posted Tue January 28, 2020 04:42 PM
    Hi Patrick

    FTP is an unusual protocol by modern standards because it requires two separate connection sockets. One is used for control commands, and the other is used for data transfer. The two sockets are correlated. They need to attach to the same server.

    In Active Mode, the command session is started by the client. Data transfer sessions are then outbound from the server to the client. This is often a problem when the client is behind a firewall (especially a NAT firewall).

    So it is common for clients to request passive mode (PASV). This tells the ftp server (DataPower in your case) to be passive, and allow the client to establish the data session as well as the control session.

    Now, if your load balancer is using round robin to allocate sessions to the ftp servers behind it, it is likely that the control session will be sent to one DataPower, and the data session will be sent to a different DataPower. This will lead to your error condition, because the DataPower which receives the data session won't be expecting it.

    This also explains why things work when only one of the DataPower systems behind the load balancer is running.

    So, you might try changing the load balancer algorithm from round robin to an IP address based hash. That way all connections from the same originating IP address should always go to the same DataPower (while there is a constant number running).

    You will still get some failures during error and recovery situations when the count of servers behind the load balancer changes, but it should be stable for the normal case.

    Regards,

    Neil


    -- 
    Neil Casey 
    Senior Consultant | Syntegrity Solutions

    Syntegrity Solutions Pty Ltd | Level 17 | 570 Bourke St | Melbourne | VIC 3000
    Analyse  >>  Integrate  >>  Secure  >>  Educate

    CKA: Certified Kubernetes Administrator
    IBM Cloud Private - Foundation Technology
    IBM Cloud Private Infrastructure and Architecture
    IBM Cloud Private Installation and Configuration





  • 3.  RE: Problem with the FTP Server Handler configured with an F5 for load balancing

    Posted Wed January 29, 2020 11:04 AM
    Thank you for your answer, Neil.
    Your explanation about the issue is very probable.
    I recommended that the customer change the algorithm used on the F5:
    - Either select an IP address based hash algorithm, as you suggested. This would enable the 2 DP to work in active-active mode.
    - Or select an algorithm which always sends the requests to the same DP, when it is available, or to the other DP, when the first one is not available. This would enable the 2 DP to work in active-passive mode.

    ------------------------------
    Patrick Marie
    ------------------------------
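
The failure described in reply 2 and the two balancing options listed in reply 3 can be replayed in a small simulation. This is an added example, not part of the original thread; the member names `dp-a`/`dp-b`, the client addresses, the function names and the modulo hash are assumptions, and the F5's real algorithms are not modelled.

```python
import ipaddress
from itertools import count

def round_robin():
    """Per-connection rotation, ignoring which client is connecting."""
    turn = count()
    return lambda client, members: members[next(turn) % len(members)]

def source_ip_hash(client, members):
    """Stand-in hash: client address as an integer, modulo the member count."""
    return members[int(ipaddress.ip_address(client)) % len(members)]

def priority(client, members):
    """Active-passive: always the first member that is currently up."""
    return members[0]

def simulate(pick, events, members):
    """Replay events; return (refused, total) passive-mode data connections."""
    control = {}                      # client -> member holding its control session
    refused = total = 0
    for kind, value in events:
        if kind == "members":         # pool membership changed (failure or recovery)
            members = value
        elif kind == "control":
            control[value] = pick(value, members)
        elif kind == "data":
            total += 1
            # Only the member that answered PASV is listening for this client.
            if pick(value, members) != control[value]:
                refused += 1
    return refused, total

POOL = ["dp-a", "dp-b"]               # hypothetical names for the two appliances
# Constructed traffic (RFC 5737 documentation addresses).
CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
# Four sessions one after another, then two sessions that overlap in time.
MIXED = [(k, c) for c in CLIENTS for k in ("control", "data")] + [
    ("control", CLIENTS[0]), ("control", CLIENTS[1]),
    ("data", CLIENTS[0]), ("data", CLIENTS[1])]
# dp-b is down when the control session starts and is back before the data session.
RECOVERY = [("members", ["dp-a"]), ("control", CLIENTS[1]),
            ("members", POOL), ("data", CLIENTS[1])]

if __name__ == "__main__":
    for name, make in [("round robin", round_robin),
                       ("source IP hash", lambda: source_ip_hash),
                       ("priority", lambda: priority)]:
        print(name, "steady:", simulate(make(), MIXED, POOL),
              "recovery:", simulate(make(), RECOVERY, POOL))
```

Round robin refuses most data connections and only succeeds when other connections happen to interleave in its favour, while the hash fails only in the recovery case where the member count changes between the control and data connections.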