Bug ID 867177: Outbound TFTP and Active FTP no longer work by default over the management port

Last Modified: Feb 20, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.1.0

Opened: Jan 07, 2020
Severity: 3-Major

Symptoms

When attempting to use TFTP or Active FTP at the BIG-IP management port to transfer files to a remote system, the connection eventually times out and the file is not transferred. This is expected behavior resulting from the enhancement made in BIG-IP v14.1.0: "Support for network firewall rules on the management port" :: https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/releasenotes/product/relnote-bigip-14-1-0.html#rn_ltm-tmos_1410_new. When attempting to use TFTP and Active FTP via tmm interfaces will work as it has the necessary Algorithm capabilities to set up return listeners.

Impact

Unable to use TFTP or Active FTP to transfer files to/from the BIG-IP system over management port

Conditions

- BIG-IP v14.1.0 or greater. - Attempt to initiate TFTP or Active FTP from the BIG-IP management port through command line.

Workaround

Consider using encrypted transport (sftp, scp, etc.) in order to avoid the exposure of sensitive data, including passwords. Manually load connection tracking for the necessary protocol(s) from the command line with: modprobe nf_conntrack_ftp modprobe nf_conntrack_tftp

Fix Information

None

Behavior Change

Beginning in v14.1.0, you cannot use TFTP or Active FTP to transfer files to/from the BIG-IP system over management port. You should consider alternatives (sftp, scp, etc.) using encrypted transport for these operations.