05-17-2018 01:36 PM
I have a "HA" pair of firewalls in Azure sitting behind an external Load Balancer. I have an FTP server that I have to configure behind the firewalls. I am able to connect locally to the FTP server and it works as expected, but when I point the FTP client to the Public IP address of the LB, I am able to connect but cannot get the directory. I am using passive FTPS. I see the connection in the traffic table, and it has NAT applied and is Allowed by the correct Security Rule. I am thinking it may be Azure causing the issue, but am unsure at this point.
Any suggestions would be greatly appreciated.
05-18-2018 10:05 AM
Hello,
Are the PANs active/passive or active/active? If A/A, it's probably asymmetric routing back to the client.
Just a thought.
05-18-2018 10:20 AM
What is your NAT configuration? You should have both a Destination NAT to the FTP server and a Source NAT to the Trust-side interface of the firewall in the NAT policy. That will ensure the proper return path.
05-18-2018 11:10 AM
Are you using FTP or FTPS? I see both mentioned in your post. Also, when you say you see the connection in the traffic table, do you see both the control and data channels or just the control?
One thing to look at is the distribution mode on the load balancer:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode
If you are using 'None' as the distribution mode, the load balancer will use src IP, src port, dst IP, dst port, and protocol to determine the backend pool member to use. If the control channel lands on one FW and the data channel on the other, the data channel will be dropped. Changing to one of the other distribution algorithms ("src IP" or "src IP and protocol") should ensure that both land on the same FW.
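To make the distribution-mode point concrete, here is an added example (not from the thread or from Azure/Palo Alto) that models how the load balancer's per-connection hash treats the two connections of a passive FTP session. The backend pool, the LB frontend IP (203.0.113.10), the client IP, the PASV reply and the hash function are all constructed assumptions; Azure's real hash is not published, so the model only shows which fields feed it under each mode. It parses the RFC 959 `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply to derive the data-channel destination, then counts how many sessions end up with control and data on different firewalls under the 5-tuple ("None"), 2-tuple ("src IP") and 3-tuple ("src IP and protocol") modes.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed backend pool: the untrust interfaces of the two firewalls.
BACKEND_POOL = ["fw-a", "fw-b"]
# Constructed public frontend IP of the Azure load balancer.
LB_FRONTEND_IP = "203.0.113.10"

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Parse an RFC 959 PASV reply into the (ip, port) the client will connect to.

    On plain FTP an inline device can read this; with explicit FTPS the control
    channel is inside TLS, so only the client and server ever see it.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _pick(key: str) -> str:
    """Stand-in for the LB hash (assumption: any uniform hash behaves the same)."""
    digest = hashlib.sha256(key.encode()).digest()
    return BACKEND_POOL[int.from_bytes(digest[:4], "big") % len(BACKEND_POOL)]


def choose_backend(flow: Flow, mode: str) -> str:
    """Which pool member a new connection lands on under a given distribution mode."""
    if mode == "none":            # 5-tuple: src IP, src port, dst IP, dst port, protocol
        key = f"{flow.src_ip}|{flow.src_port}|{flow.dst_ip}|{flow.dst_port}|{flow.proto}"
    elif mode == "src_ip":        # 2-tuple: src IP, dst IP
        key = f"{flow.src_ip}|{flow.dst_ip}"
    elif mode == "src_ip_proto":  # 3-tuple: src IP, dst IP, protocol
        key = f"{flow.src_ip}|{flow.dst_ip}|{flow.proto}"
    else:
        raise ValueError(f"unknown distribution mode: {mode}")
    return _pick(key)


def passive_session_backends(client_ip: str, ctrl_src_port: int, data_src_port: int,
                             pasv_reply: str, mode: str) -> tuple[str, str]:
    """Backends chosen for the control channel (to port 21) and for the data channel
    the client opens from a new ephemeral port to the address in the PASV reply."""
    data_ip, data_port = parse_pasv(pasv_reply)
    ctrl = Flow(client_ip, ctrl_src_port, LB_FRONTEND_IP, 21)
    data = Flow(client_ip, data_src_port, data_ip, data_port)
    return choose_backend(ctrl, mode), choose_backend(data, mode)


def count_split_sessions(mode: str, trials: int = 200, client_ip: str = "198.51.100.7") -> int:
    """Number of passive sessions whose data channel lands on a different FW than
    its control channel. Each trial uses fresh client ephemeral ports."""
    # Constructed reply: server advertises the LB frontend IP and port 195*256+81 = 50001.
    reply = "227 Entering Passive Mode (203,0,113,10,195,81)\r\n"
    splits = 0
    for i in range(trials):
        ctrl_fw, data_fw = passive_session_backends(
            client_ip, 40000 + 2 * i, 40001 + 2 * i, reply, mode)
        if ctrl_fw != data_fw:
            splits += 1
    return splits


if __name__ == "__main__":
    for mode in ("none", "src_ip", "src_ip_proto"):
        print(f"{mode:13s} split sessions: {count_split_sessions(mode)} / 200")
```

Under the 5-tuple mode the client's ephemeral source port and the server-chosen data port enter the hash, so roughly half of the passive sessions split across the two firewalls and the data channel hits a firewall with no matching session; under either source-IP mode both flows hash to the same member. In active mode the server opens the data connection outbound from port 20, so that connection is never distributed by the inbound load balancer at all, which is consistent with active mode working when passive does not.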
05-21-2018 07:14 AM
I am using FTPS, but also tested with FTP. I am using Src IP and Protocol for the transmission of the packets through the load balancer. I have other services working as expected on the PAs. As far as traffic, I only see the control traffic in the monitor tab.
05-21-2018 07:14 AM
The firewalls are in an A/A setup, but Azure doesn't really do HA, so they don't synchronize the session information.
11-18-2021 08:07 PM
Hi! Did you ever resolve this issue? I am facing the same problem and have not been able to find a solution. I have to add that my FTP works if I force the client into Active mode. I can then see the DATA traffic using TCP 20. However, it does not work when using Passive mode, which is required for FTPS. Appreciate any assistance here. Thank you in advance!!
10-03-2022 05:58 AM
Were you able to solve this?