This section explains the steps to configure the NSX Advanced Load Balancer to load balance the active FTP traffic to a pool of servers.

NSX Advanced Load Balancer achieves active FTP load balancing with a Layer 4 application virtual service that listens on the FTP port, combined with the preserve_client_ip option.

Prerequisites

The IP routing feature is required for NAT functionality, so the SE HA mode must be Legacy (Active/Standby).

Topology



NSX Advanced Load Balancer is logically inline between the user’s network and the FTP server network. All traffic to the FTP servers, and the return traffic from the FTP servers to the users, flows through the NSX Advanced Load Balancer Service Engines.

In active mode FTP, the client connects from a random port (N > 1023) to the FTP server’s command port, port 21. The client then starts listening on port N+1 and sends an FTP PORT command advertising port N+1 to the FTP server.

The server will then connect back to the client’s specified data port from its local data port, which is port 20.

To support the active mode FTP, the following communication channels need to be opened at the server-side firewall:

  • FTP server’s port 21 from anywhere (Client initiates connection)

  • FTP server’s port 21 to ports > 1023 (Server responds to client’s control port)

  • FTP server’s port 20 to ports > 1023 (Server initiates data connection to client’s data port)

  • FTP server’s port 20 from ports > 1023 (Client sends ACKs to server’s data port)
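The exchange above, as an added Python example that is not part of the original page or of the NSX Advanced Load Balancer product. It parses the PORT command the client sends on the control channel (RFC 959 encodes the data port as two bytes, high*256 + low), checks that the advertised port is N+1, and classifies each leg of the exchange against the four channels the server-side firewall must allow. The client address and ports are constructed sample values.

```python
import ipaddress
import re

FTP_CMD_PORT = 21
FTP_DATA_PORT = 20

# Constructed sample PORT command, as the server would receive it on the
# control channel; it is not captured from any real deployment.
SAMPLE_PORT_COMMAND = "PORT 10,10,20,5,4,1"

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


def parse_port_command(line):
    """Return (client_ip, client_data_port) from an RFC 959 PORT command."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    h1, h2, h3, h4, p_hi, p_lo = (int(x) for x in m.groups())
    if any(b > 255 for b in (h1, h2, h3, h4, p_hi, p_lo)):
        raise ValueError("PORT byte out of range: %r" % line)
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4))
    return str(ip), p_hi * 256 + p_lo


def active_ftp_channel(direction, server_port, peer_port):
    """Classify one flow against the four firewall channels listed above.

    direction is 'in' (client -> server) or 'out' (server -> client).
    Returns the channel name, or None if the flow is not part of active FTP.
    """
    peer_ephemeral = peer_port > 1023
    if direction == "in" and server_port == FTP_CMD_PORT:
        return "control-in"       # client opens the control connection (from anywhere)
    if direction == "out" and server_port == FTP_CMD_PORT and peer_ephemeral:
        return "control-out"      # server responds on the control channel
    if direction == "out" and server_port == FTP_DATA_PORT and peer_ephemeral:
        return "data-out"         # server opens the data connection from port 20
    if direction == "in" and server_port == FTP_DATA_PORT and peer_ephemeral:
        return "data-in"          # client ACKs the server's data port
    return None


def active_ftp_exchange(client_ip, control_port, port_command):
    """Walk the active-mode exchange for one client.

    Returns (consistent, steps): consistent is True when the PORT command
    advertises the client's own IP and port N+1; steps lists each leg with
    the firewall channel that permits it (None means it would be blocked).
    """
    adv_ip, data_port = parse_port_command(port_command)
    steps = [
        ("client %s:%d -> server:21" % (client_ip, control_port),
         active_ftp_channel("in", FTP_CMD_PORT, control_port)),
        ("server:21 -> client:%d" % control_port,
         active_ftp_channel("out", FTP_CMD_PORT, control_port)),
        ("server:20 -> client:%d" % data_port,
         active_ftp_channel("out", FTP_DATA_PORT, data_port)),
        ("client:%d -> server:20 (ACK)" % data_port,
         active_ftp_channel("in", FTP_DATA_PORT, data_port)),
    ]
    consistent = adv_ip == client_ip and data_port == control_port + 1
    return consistent, steps


if __name__ == "__main__":
    ok, legs = active_ftp_exchange("10.10.20.5", 1024, SAMPLE_PORT_COMMAND)
    print("PORT command consistent with N+1:", ok)
    for leg, channel in legs:
        print("%-40s %s" % (leg, channel or "BLOCKED"))
```

The third leg is the one that distinguishes active from passive FTP: the server, not the client, opens the data connection, which is why the load balancer must source-NAT server-originated port 20 traffic and why a firewall that only allows client-initiated connections breaks active mode.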

FTP Load Balancing Solution

The options that must be enabled while configuring the load balancing solution for the active FTP servers are:

  • For FTP load balancing, the SE sits between the client and the server. An FTP virtual service (listening on port 21) is configured on the SE, and the FTP servers are configured as the pool members. Preserve Client IP Address is also enabled on the virtual service application profile.

  • Preserve Client IP option enabled in the L4 Application Profile.

  • Floating Interface IP is configured that can act as the default gateway for the back-end server network.

  • If the deployment network has a firewall, configure NAT so that server-initiated connections use the FTP virtual service IP address.

  • In the absence of a firewall in the deployment network, a NAT IP address must still be configured, but it can be any arbitrary address; active FTP still works as expected.



Configuration

Follow the steps mentioned below to configure NSX Advanced Load Balancer for FTP load balancing:

  1. Create FTP virtual service using System L4 Application with FTP port (21) as listening service.

  2. Enable Preserve Client IP Address under the application profile.

  3. Configure the floating interface IP address under the Network Service, which acts as the default gateway for the back-end server network.

  4. Create a NAT Profile with the following parameters:

    1. Match criteria: source IP address matching the server subnet, and source port 20 (the active FTP data port).

    2. Action: the NAT IP must be the same as the virtual service IP address from step 1. (This prevents firewall problems in front-end deployments.)

  5. Attach the above NAT Profile to the Network Service to ensure that server-originated FTP connections are network address translated properly.

Note:

The rule matches on both the server network and source port 20. The source port match is necessary so that only FTP traffic is matched; otherwise, SSH connections from the client to the server will fail.
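To make the NAT profile of step 4 and the note above concrete, here is an added Python model of the rule evaluation; it is example code, not NSX Advanced Load Balancer's implementation or configuration syntax. A rule carries the match criteria (server subnet, optional source port) and the NAT action (the virtual service IP). Two constructed flows leaving the server network are run through the correct rule and through a loose rule that omits the source port, showing that the loose rule also rewrites SSH traffic from the server, which is the failure the note describes. All addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values for illustration only.
VS_IP = "192.168.1.100"          # FTP virtual service IP from step 1
SERVER_SUBNET = "10.1.1.0/24"    # back-end FTP server network
FTP_DATA_PORT = 20


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    source_subnet: str
    source_port: Optional[int]   # None means "any source port"
    nat_ip: str

    def matches(self, flow: Flow) -> bool:
        in_subnet = ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(self.source_subnet)
        port_ok = self.source_port is None or flow.src_port == self.source_port
        return in_subnet and port_ok


# Rule as the page prescribes: server subnet AND source port 20 -> NAT to the VS IP.
CORRECT_RULES: List[NatRule] = [NatRule(SERVER_SUBNET, FTP_DATA_PORT, VS_IP)]

# Loose rule with the source port omitted: matches everything from the server subnet.
LOOSE_RULES: List[NatRule] = [NatRule(SERVER_SUBNET, None, VS_IP)]


def apply_nat(rules: List[NatRule], flow: Flow) -> Flow:
    """Return the flow as it leaves the SE: source-translated by the first
    matching rule, otherwise unchanged."""
    for rule in rules:
        if rule.matches(flow):
            return Flow(rule.nat_ip, flow.src_port, flow.dst_ip, flow.dst_port)
    return flow


def translated_source(rules: List[NatRule], flow: Flow) -> str:
    return apply_nat(rules, flow).src_ip


# Constructed flows originating from an FTP server at 10.1.1.10 towards a
# client at 192.168.5.20:
#   - the active FTP data connection the server opens from port 20
#   - the server's side of an SSH session the client opened (server port 22)
FTP_DATA_FLOW = Flow("10.1.1.10", FTP_DATA_PORT, "192.168.5.20", 1025)
SSH_RETURN_FLOW = Flow("10.1.1.10", 22, "192.168.5.20", 50000)


def compare_rules() -> dict:
    """Source address seen by the client for each flow under each rule set."""
    return {
        "correct": {
            "ftp_data": translated_source(CORRECT_RULES, FTP_DATA_FLOW),
            "ssh": translated_source(CORRECT_RULES, SSH_RETURN_FLOW),
        },
        "loose": {
            "ftp_data": translated_source(LOOSE_RULES, FTP_DATA_FLOW),
            "ssh": translated_source(LOOSE_RULES, SSH_RETURN_FLOW),
        },
    }


if __name__ == "__main__":
    for name, result in compare_rules().items():
        print(name, result)
```

Under the correct rule only the port 20 data connection is translated to the virtual service IP, so the client sees the data connection arriving from the same address it connected to on port 21, and SSH packets from the server keep their real source. Under the loose rule the SSH packets are rewritten to the VS IP as well, so the client's SSH session no longer matches the connection it opened.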

Supportability

The following tech-support commands and packet captures are available to debug active FTP problems.

FTP VS:

  • show serviceengine <se> vshash # listening service on VNIC with FTP command port 21.

NAT supportability Commands:

  • show serviceengine <activeSE> natpolicystat

  • show serviceengine <activeSE> nat-flows

  • show serviceengine <activeSE> route-flows

Packet Captures:

  • packet captures for virtual service

  • NAT+Routing Packet captures for NAT and routing packets

  • show networkservice <ns>

For NAT packet captures:

  • debug serviceengine <key> flags flag debug_pcap_nat