Active FTP Load Balancing Using VMware NSX Advanced Load Balancer
Overview:
The support for load balancing Active FTP is available starting with VMware NSX Advanced Load Balancer release 20.1.6 This article explains the steps to configure Avi Vantage to load balance the active FTP traffic to a pool of servers. NSX Advanced load balancer uses the Layer 4 application virtual service that listens on the FTP port and the preserve_client_ip option to achieve the Active FTP load balancing.
Prerequisites
- Knowledge of Active FTP and its configuration
- Active FTP virtual service requires 2 functionalities
- Preserve client IP - Refer to Preserve Client IP for the deployment requirements and configuration options.
- NAT Policy - Refer to configuring NAT on Avi Service Engine for the deployment requirements and configuration options.
IP routing feature is required for NAT functionality, hence the requirement of SE HA mode of Legacy(Active/Standby) is mandatory.
Topology
NSX Advanced load balancer is logically in line between the user’s network and the FTP Server Network. All traffic to FTP Servers and the return traffic from FTP Servers to users flow the NSX Advanced load balancer (Service Engines).
In the active mode FTP, the client connects from a random port (N > 1023) to the FTP server’s command port, port 21. Then, the client starts listening on port N+1 and sends the FTP command port N+1 to the FTP server.
The server will then connect back to the client’s specified data port from its local data port, which is port 20.
To support the active mode FTP, the following communication channels need to be opened at the server-side firewall :
- FTP server’s port 21 from anywhere (Client initiates connection)
- FTP server’s port 21 to ports > 1023 (Server responds to client’s control port)
- FTP server’s port 20 to ports > 1023 (Server initiates data connection to client’s data port)
- FTP server’s port 20 from ports > 1023 (Client sends ACKs to server’s data port)
The workflow mentioned is explained using the below diagram too:
FTP Load Balancing Solution
The followings are the main configuration options that should be enabled while configuring the load balancing solution for the active FTP servers.
- For FTP load balancing, the SE exists between the client and server. FTP virtual service (Listening on port 21) is configured on the SE, and the FTP servers are configured as the pool members. Also, the preserve client IP address is enabled on the virtual service application profile.
- With the Preserve Client IP option enabled in the L4 Application Profile.
- Floating Interface IP is configured that can act as the default gateway for the back-end server network.
- If the deployment Network has a firewall, configure NAT for the server’s connection with FTP virtual service IP address.
- In the absence of a firewall in the deployment network, the random NAT IP address configuration is required, and still, the active FTP works as expected.
For more details, check the workflow diagram mentioned above.
Configuration
Follow the steps mentioned below to configure Avi Vantage for FTP load balancing:
-
Create FTP virtual service using System L4 Application with FTP port (21) as listening service..
-
Enable Preserve Client IP under the application profile.
- Configure the floating interface IP address under the Network Service, which acts as the default gateway for the back-end server network.
-
Create a NAT Profile with the following parameters:
Match Criteria: Server subnet as source IP address match and source port as 20 (for the active FTP)
Action: Nat IP should be the same as virtual service IP address at step1. (This is to prevent the firewall problems in the front-end deployments).
- Attach the above NAT Profile to the Network Service. This ensures the Server Originating FTP Requests is NAT’ed properly.
Note: The rule has Server Network and the source port 20 included in the match. The source port rule is necessary to match only FTP traffic, or else the SSH connections to the server from the client will fail.
Supportability
The following tech-support commands and packet captures are available to debug the problems regarding the Active FTP.
FTP VS:
show serviceengine <se> vshash
# listening service on VNIC with FTP command port 21.
NAT supportability Commands:
-
show serviceengine <activeSE> natpolicystat
-
show serviceengine <activeSE> nat-flows
-
show serviceengine <activeSE> route-flows
Packet Captures:
- packet captures for virtual service
- NAT+Routing Packet captures for NAT and routing packets
show networkservice <ns>
For NAT packet captures:
debug serviceengine <key>
flags flag debug_pcap_nat