FTP through ACE
Dear Mister
I need to pass FTP through ACE, but it is not functioning.
The FTP is not functioning using VIP. It is a connection toward a NAT IP address. I have the following configuration:
class-map match-all NAT2020-PRUEBA
  2 match source-address 10.40.20.20 255.255.255.255
interface vlan 401
  description "Conexion a Servidores Reales CERT"
  ip address 10.84.255.10 255.255.255.248
  no shutdown
interface vlan 450
  description "Conexion a FWSM-CERT"
  ip address 10.40.150.3 255.255.255.128
  service-policy input NATTEST
  no shut
I need to do the NAT using the real IP 10.40.150.10.
policy-map multi-match NATTEST
  class NAT2020-PRUEBA
    nat static 10.40.150.10 netmask 255.255.255.255
In this scenario, the NAT is not functioning.
I tried to use the following:
switch/cert(config-pmap-c)# nat static 10.40.150.10 netmask 255.255.255.255 21 vlan 401
But it sends the following message:
Error: Invalid real port configured for NAT static
switch/cert(config-pmap-c)#
How could I fix this problem?
Some inspect???
Best Regards
This should do what I think you want to do. This also does source-nat. If you don't want this, then delete the class-maps ftp-810 & ftp-811 and the nat statements from vlan 468.
Matthew
rserver host 810
  ip address 1.8.1.10
  inservice
rserver host 811
  ip address 1.8.1.11
  inservice
serverfarm host sf-810
  rserver 810
    inservice
serverfarm host sf-811
  rserver 811
    inservice
class-map match-all ftp-810
  2 match virtual-address 1.9.1.209 tcp any
class-map match-all ftp-811
  2 match virtual-address 1.9.1.208 tcp any
class-map match-all vip-ftp-10
  10 match virtual-address 1.9.1.209 tcp eq ftp
class-map match-all vip-ftp-11
  10 match virtual-address 1.9.1.208 tcp eq ftp
policy-map type loadbalance first-match pm-ftp-10
  class class-default
    serverfarm sf-810
policy-map type loadbalance first-match pm-ftp-11
  class class-default
    serverfarm sf-811
policy-map multi-match lb-vip-10
  class vip-ftp-10
    loadbalance vip inservice
    loadbalance policy pm-ftp-10
    loadbalance vip icmp-reply
    inspect ftp
  class ftp-810
    nat dynamic 9 vlan 468
policy-map multi-match lb-vip-11
  class vip-ftp-11
    loadbalance vip inservice
    loadbalance policy pm-ftp-11
    loadbalance vip icmp-reply
    inspect ftp
  class ftp-811
    nat dynamic 8 vlan 468
interface vlan 468
  description Server vlan
  ip address 1.8.1.201 255.255.255.0
  nat-pool 9 1.8.1.209 1.8.1.209 netmask 255.255.255.255 pat
  nat-pool 8 1.8.1.208 1.8.1.208 netmask 255.255.255.255 pat
  service-policy input remote-access
interface vlan 469
  description Client vlan
  ip address 1.9.1.201 255.255.255.0
  service-policy input lb-vip-10
  service-policy input lb-vip-11
ip route 0.0.0.0 0.0.0.0 1.9.1.254
Similar Messages
-
Can't connect to FTP through FINDER (other ftp clients work)
I try to connect to my school's ftp icarus.engr.uconn.edu through finder's, Go -> Connect to Server
but every time I try it tells me you have entered an invalid password or username. The thing is that I can connect to the ftp through any FTP client like filezilla or Cyberduck even the Terminal ftp program will connect, but not Finder. Finder tells me the password or username is invalid. ??
Is it not prompting you? You can imbed your username or even your username + password in the URL.
e.g.
ftp://username@server
or
ftp://username:password@server
There should be no issue connecting. BUT... the imbedded FTP in Finder only allows for downloads. You can't upload.
You can upload via the command line FTP client, and of course a slew of 3rd party FTP clients (some of which you've already mentioned.)
Message was edited by: Tim Campbell1 -
Carry out ftps through a CSS11501-SCA11000 ?
Is it possible to carry out ftps through a CSS11501-SCA11000 ? If yes, please send me the details and a configuration example.
rgds, Geert.
Hi
Can you check whether the following business function sets were activated
Business Function LOG_EAM_CI_1
Business function LOG_EAM_CI_2
Regards
thyagarajan -
Q: FTP through java?
Hello,
I am trying to do an FTP through java. Does anybody know how I can spawn an FTP process and send ftp commands to it from my java program?
I am on a Solaris system BTW.
Thank you in advance...
I see you haven't assigned any duke dollars to your question. Let me tell you how the Duke Dollar system works. Observe the following example...
I know the answer.
My rates are as follows:
zero duke dollars - vague hint
one to five duke dollars - +definite answer
six to ten duke dollars - +full file/package name
ten to fifteen duke dollars - +URL information
more than fifteen duke dollars - +full URL with download information
Pick your choice and select the appropriate answer:
0 - There are premade classes that allow you to use FTP in Java.
1 - 5 IBM have created a package that will allow you to do things that you desire.
6-10 You should be looking for the FTP Beans Suite by IBM. It comprises of two beans - the FTPProtocol bean and the FTPUI bean, both are very useful, especially in your situation.
11-15 You can find this suite at http://www.alphaworks.ibm.com
16+ go here http://www.alphaworks.ibm.com/ab.nsf/bean/FTP to add file transfer functions to your applications... without writing a line of code. -
Hi,
Topology:
HOST1 <- ACE <- MSFC -> FWSM -> HOST2
When I ping HOST1 from HOST2, I 'sometimes' experience delay in starting the ping. However, once the ping starts it continues without a problem. The issue is only while starting the ping, i.e. it goes into a halt for 3, 5, 10, 15 seconds and then starts getting echo-responses.
Now, HOST1 is on the Server Vlan of the ACE module. So it is bridged to the client vlan which is defined on MSFC.
Would you know of any reason why the start of the ping responds late? And this does not happen every time.
Could it be an ARP related problem?
Thanks.
Since you are running a redundant pair of ACEs in bridge mode, I would like you to check the following items
1. Have you disabled BPDU guard & Loopguard on cat
You should have following configured on cat6k
no spanning-tree portfast bpduguard default
no spanning-tree loopguard default
2. Are you allowing BPDUs to pass through ACE
It can be done using an ethertype ACL to permit BPDUs and this
ACL should be applied to both bridged vlan interfaces.
access-list xyz ethertype permit bpdu
To capture packets passing through ACE, you will need to do the following.
Type 'monitor session 10 source interface port-channel 2xy both'
Where 2xy is 256 + slot number of ACE.
3. Type 'monitor session 10 destination interface fastEthernet a/b'
Where a/b is a port that you plug your PC in on the cat
4. Run Ethereal on your PC
Syed Iftekhar Ahmed -
Hi,
I need to configure ACE for load-balancing FTPS. And simply deploying L4 policies are not helping either. Configured the FTPS servers and both of them are working fine when accessed via physical IP, but do not work when accessed via the VIP.
If it is possible, a reference URL would really be a great help.
Hi Rajiv,
Do you want to loadbalance SFTP ?
Or just have it pass through ??
Loadbalancing SFTP is difficult because it starts as regular FTP and switches over to SSL which ACE can't do and fails to understand.
you don't need anything to have it passthrough.
As long as you don't ask ACE to inspect the traffic, and assuming this traffic is permitted in your access-group, then there is nothing to do to have it go through.
I think your goal is to distribute inbound file deposits evenly across SFTP servers.
High-level Overview
Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers
I would like to tell you that SFTP is nothing but SSH. It uses a single connection. There are no issues loadbalancing it using traditional Layer 4 load balancing.
So you are good.
On the other hand FTP over SSL (FTPS) can neither be offloaded nor loadbalanced using ACE.
FTPS uses multiple channels and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
Kindly find these examples for FTP load balance method in cisco ACE:
1. FTP serverfarm on Cisco ACE
http://snippets101.blogspot.com/2007/06/ftp-serverfarm-on-cisco-ace.html
2. FTP Load Balancing on ACE in Routed Mode Configuration Example
http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_Routed_Mode_Configuration_Example
3. FTP Load Balancing on ACE in One-Arm Mode Configuration Example
http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
Kindly refer to the following URL for Layer4 policies:
http://cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Troubleshooting_Layer_4_Load_Balancing
http://snippets101.blogspot.com/2008/08/cisco-ace-and-private-vlans-in-switch.html
http://snippets101.blogspot.com/2008/08/asymmetric-server-normalization-on.html
http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Configuring_Server_Load_Balancing
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/tcpipnrm.html#wpmkr1116809
Hope it will help you further in configuring the ACE load balancing L4 policies.
Kindly rate
Sachin Garg -
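An added example, not part of the original posts and not ACE's own code: a minimal Python model of what FTP inspection does on the control channel, which is why the inspect ftp configuration in the first thread works through NAT and why FTPS, as the reply above says, cannot be handled the same way. The rserver and VIP addresses come from the configuration earlier on this page; the session lines, port numbers and function names are constructed for illustration, and only PORT and the 227 reply (not EPRT/EPSV) are handled.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply (RFC 959).
_HOSTPORT = re.compile(
    rb"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)

# Real server -> VIP, using the addresses from the configuration on this page.
NAT_MAP = {"1.8.1.10": "1.9.1.209"}

# Constructed cleartext control channel: the 227 reply carries the real server IP.
CLEARTEXT_SESSION = [
    b"220 FTP server ready\r\n",
    b"USER demo\r\n",
    b"331 Password required\r\n",
    b"PASV\r\n",
    b"227 Entering Passive Mode (1,8,1,10,195,80)\r\n",
]

# Constructed FTPS control channel: after 234 everything is TLS records.
FTPS_SESSION = [
    b"220 FTP server ready\r\n",
    b"AUTH TLS\r\n",
    b"234 AUTH TLS successful\r\n",
    bytes.fromhex("16030300280100002403035f"),        # opaque handshake bytes
    bytes.fromhex("17030300209c41d07be2a6113f58c4"),  # opaque application data
]


def _match_endpoint(line: bytes):
    """Return the regex match for a PORT command or 227 reply, else None."""
    head = line.lstrip()[:5].upper()
    if not (head.startswith(b"PORT ") or head.startswith(b"227 ")):
        return None
    m = _HOSTPORT.search(line)
    if m is None or any(int(g) > 255 for g in m.groups()):
        return None
    return m


def parse_data_endpoint(line: bytes):
    """Return (ip, port) of the data connection announced on this line, or None."""
    m = _match_endpoint(line)
    if m is None:
        return None
    n = [int(g) for g in m.groups()]
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def rewrite_endpoint(line: bytes, nat_map: dict):
    """Rewrite the embedded address through nat_map; other lines pass unchanged."""
    ep = parse_data_endpoint(line)
    if ep is None:
        return line, None
    ip, port = ep
    new_ip = nat_map.get(ip, ip)
    m = _match_endpoint(line)
    field = "%s,%d,%d" % (new_ip.replace(".", ","), port >> 8, port & 0xFF)
    return line[:m.start()] + field.encode() + line[m.end():], (new_ip, port)


def inspect_control_channel(lines, nat_map):
    """Return (forwarded_lines, pinholes) for one control connection.

    pinholes lists the data endpoints the device learned and would permit.
    """
    forwarded, pinholes = [], []
    for line in lines:
        new_line, ep = rewrite_endpoint(line, nat_map)
        forwarded.append(new_line)
        if ep is not None:
            pinholes.append(ep)
    return forwarded, pinholes


if __name__ == "__main__":
    for name, session in (("FTP", CLEARTEXT_SESSION), ("FTPS", FTPS_SESSION)):
        fwd, holes = inspect_control_channel(session, NAT_MAP)
        print(name, "last line forwarded:", fwd[-1], "pinholes:", holes)
```

In the cleartext session the client is handed the VIP instead of the real server address and the data port is known to the device; in the FTPS session nothing can be parsed, so no data endpoint is learned and nothing is rewritten.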
All,
Is it possible to use the SAP XI FTP adapter through an internet proxy? I don't find any configuration parameters to specify the ip-address and ftp-port.
Kind regards, Guy Crets
It seems impossible to specify the ip-address and port number of a proxy server. Only the ip address and port number of the ftp server can be specified.
I want to connect with the FTP adapter to an FTP server somewhere on the Internet. To go out of our network on to the Internet, I need to go through a proxy.
Looking forward to your feedback/answers.
Regards, Guy Crets -
SAP Query into FTP through ABAP
Hi Experts,
I have an SAP query which needs to be run on a daily basis (through a back ground job) and the data that is pulled has to be stored in a file in tab delimited format and the same should be extracted to an FTP site. Can you please suggest ways for this?
Thanks,
Shashank.
Hi ,
Thanks for our reply.
I have pasted some example code into my additional field which I have created in SAP Query. But I'm not sure how the loop bit works and how I can populate the additional fields that I have created, could you please explain this
CALL FUNCTION 'HR_READ_INFOTYPE'
  EXPORTING
    pernr = '000000019'
    infty = '01'
    BEGDA = '18000101'
    ENDDA = '99991231'
  TABLES
    infty_tab = p0008
  EXCEPTIONS
    INFTY_NOT_FOUND = 1
    OTHERS = 2.
LOOP AT p0008.
* NOT SURE WHAT TO PUT IN THIS SECTION *****
ENDLOOP.
I have created 3 additional Fields in the infoset Current FTE ,FTE1 FTE2 , and I want to loop through the records and populate the relevant Additional field with the employees FTE (I only want to populate where there is a change)
Sample Data
Begda Endda FTE Salary
1/1/2010 31/12/999 60% 19K (Current FTE)
01/08/2009 31/12/2009 100% 27k (FTE1)
01/07/2008 31/7/2009 50% 17K (FTE2)
Thanks in anticipation
DM -
FTPS through S160 webproxy ironport
We are using S160 ironport for Web as well as FTP proxy. Now we would like to add FTPS port 990 to go through ironport. We could access the target files through filezilla without using the proxy, but cannot do it if we use the proxy.
Could someone please advise what steps are needed for this to be achieved? Policy trace shows that no policy is matching this URL and 'URL Blocked'
Regards
saif
Hi,
You can try running the FTPS using the Socks proxy:
Step 1:
Configure a SOCKS service on the proxy (by default, this will listen on port 1080)
Step 2:
Configure the FileZilla 'Generic Proxy' to communicate to the ProxySG using SOCKS on port 1080
Step 3:
Configure Filezilla to communicate to the FTP server using FTP over TLS
Regards,
Kush -
RT:Why I can't make an ftp through explorer?
Dear members,
Actually I have a problem with the browser to connect with the target.
My system is a peer to peer PC desktop.
I am able to deploy and run the application without troubles and also the data exchange via the measurement and automation explorer
works fine.
The problem is when I try to establish a connection via ftp or http to the target.
I type the usual URL: ftp://160.40.10.20/NI_RT/SYSTEM/WWW/ where the IP address is the target address and ...page cannot be displayed.
I'm sure the firewall is inactive and I set the pop-up and security at the minimal level.
The Web configuration in the real time target properties is so set:
TCP/IP box checked
In the computer access list I wrote the IP addresses of the target and the host
Webserver active checked
Webserver Browser access I wrote the Host IP address
User access I placed the Host IP
Someone has idea what I made wrong?
Bye
Principiant
Thanks for the suggestion but I solved the problem finally.
The fact is that I use a Peer to Peer connection but the host or better IE on the host has been configured for a LAN connection. This means anytime it searches an address he wants to go through the Gateway and since the gateway is not connected....
The solution is quite straightforward:
Starting from the tool bar of IE follow the path Tools>>Internet Options>>Connections>>LAN Settings>>Advanced..
Then in the field Exceptions (addresses which do not need a proxy connection) write the target IP address or, if more than one, the targets' addresses separated by a semicolon and that's it.
So said it seems easy....
Principiant -
Idle Oracle DB connection through ACE dropped after 1 hour
Hi folks,
I'm looking for some ideas how to troubleshoot a problem we're having with an Oracle App.
What we are finding is that when a request takes more than an hour for the Oracle DB to process the connection is being dropped.
When wireshark is used at DB server interface we see nothing for an hour and then a single packet RST,ACK with the source identified as the App Server.
We have an App server farm that is behind an ACE module that is in bridging mode. The DB server is on another VLAN so the path the traffic takes is from the App Svr through the ACE from the back to the frontside vlan, through the 6506's MSFC to be routed to the DB server.
Path like this:
Appserver|-->VL203-->|ACE|-->VL202-->|L3 Switch|-->VL200-->|DB Server
If we move the App server to Vlan 202 in front of the ACE the process carries on to completion (after 75 mins).
Is there anything in the ACE settings that could cause the connection to be dropped after an hour for traffic that should simply be being bridged through?
Any suggestions as to where to look next would be appreciated.
TIA
Zac
OK Gilles, I'll look at that in the morning. However, this is where it gets interesting.
We have DB servers on two other VLANs routed by the same switch. The connections to those DB servers don't get cut off after an hour (In the connection path I outlined swap VLAN 200 for VLAN 50 or VLAN 205) One of them is even behind the ACE in a different server farm.
Zac -
Connections through ACE module
When a client makes a connection to a vip which is in the client side vlan, and the ace sends the load balanced request to the rserver, and the rserver replies - does the rserver always get nat'd to the vip in the reply - if no nat is configured? Because if the client sends a syn to the vip and receives a syn,ack from a different ip, it'll just send a reset, correct?
How about in this example using nat? Does the rserver's reply get patted to 172.19.192.26, then get nated again to the vip? Or do they go straight to the client?
vlan 195 is the client side
vlan 719 is the server side
access-list acl_NAT_VIP line 40 extended permit ip 172.19.254.0 255.255.254.0 172.19.192.0 255.255.252.0
class-map match-any NAT_CLASS_VIP
  2 match access-list acl_NAT_VIP
policy-map multi-match NAT_POLICY
  class NAT_CLASS_VIP
    nat dynamic 5 vlan 719
interface vlan 195
  ip address 172.19.192.19 255.255.252.0
  alias 172.19.192.18 255.255.252.0
  peer ip address 172.19.192.20 255.255.252.0
  access-group input allowall
  access-group output allowall
  nat-pool 2 172.19.195.37 172.19.195.37 netmask 255.255.255.255 pat
  nat-pool 3 172.19.195.39 172.19.195.39 netmask 255.255.255.255 pat
  nat-pool 4 172.19.195.40 172.19.195.40 netmask 255.255.255.255 pat
  nat-pool 1 172.19.195.46 172.19.195.46 netmask 255.255.255.255 pat
  nat-pool 6 172.19.195.36 172.19.195.36 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  no shutdown
interface vlan 719
  ip address 10.1.9.66 255.255.255.240
  alias 10.1.9.65 255.255.255.240
  peer ip address 10.1.9.67 255.255.255.240
  access-group input allowall
  access-group output allowall
  nat-pool 5 172.19.192.26 172.19.192.26 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  service-policy input NAT_POLICY
  no shutdown
Bryan,
As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim -
Application Slowness through ACE 4710
We are struggling with an issue where a user can run a report directly from the server but not from ACE loadbalanced url.
Report run via Individual Web server URL’s
The report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.
Report run via ACE Load Balanced URL
The report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.
The data in general when tested directly by running queries against the database (bypassing the platform) completes in 15-18 minutes
The network connectivity for each and every port involved (Loadbalancer/Servers) has been thoroughly checked.
Please advise what is the best way to troubleshoot this issue.
Thx
Ahmad
Hello Jorge,
Here is my response below.
What version are you using? Version A4(2.3a)
Can you upload these outputs?
# show service-policy int63 class-map appbo detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 62 63 155 409
service-policy: int63
class: appbo
VIP Address: Protocol: Port:
170.116.253.245 tcp eq 80
loadbalance:
L7 loadbalance policy: appbo-l7slb
VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 136348
dropped conns : 21
conns per second : 0
client pkt count : 4579400 , client byte count: 1054651106
server pkt count : 6006908 , server byte count: 7506886155
conn-rate-limit : - , drop-count : -
bandwidth-rate-limit : - , drop-count : -
L7 Loadbalance policy : appbo-l7slb
class/match : class-default
LB action: :
sticky group: appbo
primary serverfarm: appbo
state:UP
backup serverfarm : -
hit count : 136348
dropped conns : 12
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
Parameter-map(s):
3600-seconds
# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 455403292 , TCP data msgs sent : 2434371041
Inspect parse result msgs : 0 , SSL data msgs sent : 1740205587
sent
TCP fin msgs sent : 40338385 , TCP rst msgs sent: : 22697825
Bounced fin msgs sent : 3083341 , Bounced rst msgs sent: : 2062455
SSL fin msgs sent : 53021042 , SSL rst msgs sent: : 89469
Drain msgs sent : 260995432 , Particles read : 749867347
Reuse msgs sent : 0 , HTTP requests : 413618855
Reproxied requests : 232446464 , Headers removed : 0
Headers inserted : 105893583 , HTTP redirects : 1485493
HTTP chunks : 144637122 , Pipelined requests : 42911599
HTTP unproxy conns : 305776225 , Pipeline flushes : 942
Whitespace appends : 720 , Second pass parsing : 0
Response entries recycled : 42882784 , Analysis errors : 0
Header insert errors : 49 , Max parselen errors : 35941
Static parse errors : 261401 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 117
Headers rewritten : 49 , Header rewrite errors : 0
SSL headers inserted : 0 , SSL header insert errors : 0
SSL spoof headers deleted : 0 , Unproxy msgs sent : 305776279
HTTP passthrough stat : 0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Has this ever worked before? YES but the issue is Intermittent
Why do you have a low timeout for your sticky configuration? NOT SURE. WILL HAVE TO CHECK WITH APP OWNERS IF WE CAN INCREASE THAT
If you clear the cookies of the browser and turn off some of the servers to test only with one, do you have the same behavior? Will try to perform this test with app owners
In your tests, are you trying to the same type of query to your database? I mean do you see the problem if you try to update/delete/select in the database? No Refresh is pretty quick.
What are the servers? Oracle, SQL server, MS Access? ORACLE 11G.
Thanks for your help! -
Hi, I'm writing an application to transfer (get) some files from multiple solaris servers periodically for post processing. I've used a socket connection at port 21 and successfully established a connection. The problem I'm having is that each other command than PWD and CWD are being rejected with message "command not understood".
I'm writing this app for windows platform. Can anybody please come up with suggestions as I'm badly stuck!
Thanks
Haroon Mughal
Hi everyone,
You can use the com.sun package. There they have a FTPClient class.
Alternatively you can connect to a ftp site using the URL class as below
URL url = new URL("ftp://user:[email protected]/polo.zip");
Connect to the site and get the inputstream and read the file using streams.
If your ftp site uses normal url without the pass and username then simple use the Authenticator class to authenticate yourself in if you need authentication
Let me know whether it works
Richard West -
Cisco ACE Issue accessing SAP applications through ACE appliance
Hi,
I have website whose VIP resides on my ACE appliance. That site has many links on it which are SAP applications.
For one link, when i click it first time, user is asked for authentication which is not actually required and get blank page.
When I click back (go to main site again) and again click the same link, it opens normally without any authentication prompt.
Rest all links on the site have no issues and open normally.
I had same issue with acceptance for same application and below parameter map resolved the issue
parameter-map type http case_param
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue
I tried using same parameter map with persistence rebalance disabled but still it does not work.
What could be the issue in this case?
Hi,
The SAP has front end server to which ACE is sending traffic destined to particular VIP. Front end server then communicates with backend server for all date related to all applications. When client is using different applications, url in browser remains the same. All applications are working fine except this single application.
Same setup is working fine with cisco CSS and even the acceptance is working fine for same set of applications.
I am getting bad tcp checksum messages in capture output.
10.38.199.196 is client IP....10.36.64.40 is VIP and , 10.36.64.86 is nat ip and 10.36.32.55 is front end server which is user interface to various applications