Welcome to ISAserver.org


ISA2006 NLB problem

ISA2006 NLB problem - 7.Apr.2008 10:57:44 AM   
olkrehan

 

Posts: 6
Joined: 19.Jun.2007
Status: offline
Hi all,

I've seen a lot of postings regarding problems with ISA 2006 EE in NLB mode. Here is a new one...

We set up an ISA 2006 array with several protected networks. We use unicast NLB with layer 2 switches and a crossover cable for the intra-array communication.

So far everything works as expected, traffic flows through both members and is allowed or denied as it should.

Our problem is that the cluster, or to be more exact, both array members don't "see" some of our network hosts. If I try to ping them, the request times out, no log entry in the firewall log - nothing. If I check the ARP table of both members, the host isn't there. Even if I manually add the ARP entry there is no chance to reach the system, neither from the ISA itself nor from any other client on any other subnet.

Only systems on the same subnet can reach them. Because of this I don't think it's a general network problem but an ISA problem. It seems that the members just won't learn all MAC addresses on the switches they are connected to.

The curious thing is that this happens only to our iLO boards (we use HP ProLiant servers). Normal servers are accessible without any problems.

Does anyone here have a clue what could cause this behaviour or even how to make things work again?

Best regards,
Oliver
Post #: 1
RE: ISA2006 NLB problem - 7.Apr.2008 6:08:22 PM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
What switches?

It may be worth changing the MaskSourceMAC parameter as discussed here:

http://support.microsoft.com/kb/193602/EN-US/

It may also be worth trying to add static ARP entries on the switches which point to the virtual MAC address to the virtual IP addresses.

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to olkrehan)
Post #: 2
RE: ISA2006 NLB problem - 8.Apr.2008 3:05:24 AM   
olkrehan

 

Posts: 6
Joined: 19.Jun.2007
Status: offline
We use Enterasys B3 GBit switches which operate only at layer 2 level.

All interfaces of both ISA servers are configured with the MaskSourceMAC set to 1 as described in the KB article.

Using a hub in front of the ISA servers is not really an option because we need the gbit performance and I don't know of any hub supporting gbit traffic.

Our switch reports the virtual MAC address associated to the NLB team correctly:

Virtual MAC on ISA1: ip xxx.xxx.xxx.2 02-BF-C0-A8-3F-01
Virtual MAC on ISA2: ip xxx.xxx.xxx.3 02-BF-C0-A8-3F-01

ARP entries on switch:

xxx.xxx.xxx.1 02-BF-C0-A8-3F-01
xxx.xxx.xxx.2 02-BF-C0-A8-3F-01

It seems that the switch associates two IPs with the same virtual MAC but I can't delete the one which is associated to the xxx.xxx.xxx.2

Nevertheless, this shouldn't be a problem since most of our hosts act as they should, only few have connection problems.

(in reply to Jason Jones)
Post #: 3
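
An added example, not part of the original posts: a small Python check that reads a switch ARP table, recognises NLB-derived MAC addresses, and lists which IPs resolve to a cluster MAC. It assumes the standard NLB MAC layout (02-BF plus the cluster IP in hex for unicast, 03-BF for multicast, 02-<host priority> for a masked source MAC); the function names and the sample table are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed switch ARP table (not taken from the thread): "IP MAC" per line.
SAMPLE_ARP = """\
10.0.5.1   02-BF-0A-00-05-01
10.0.5.2   02-BF-0A-00-05-01
10.0.5.3   02-02-0A-00-05-01
10.0.5.40  00-1B-78-AA-BB-CC
"""

def classify_mac(mac):
    """Return (kind, embedded_ip) for an NLB-derived MAC, else ("other", None)."""
    b = bytes.fromhex(re.sub(r"[-:.]", "", mac))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    ip = str(ipaddress.IPv4Address(b[2:]))  # last four bytes carry the cluster IP
    if b[:2] == b"\x02\xbf":
        return "nlb-unicast-cluster", ip
    if b[:2] == b"\x03\xbf":
        return "nlb-multicast-cluster", ip
    if b[0] == 0x02 and 1 <= b[1] <= 32:    # second byte = host priority (1..32)
        return f"nlb-masked-source(host {b[1]})", ip
    return "other", None

def audit_arp(text):
    """Group ARP entries by MAC and list IPs that resolve to a cluster MAC
    without being the cluster IP embedded in it. In unicast mode the
    adapter's own IPs share this MAC, so this is a list to review, not an error."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split()
            by_mac[mac.upper()].append(ip)
    findings = []
    for mac, ips in by_mac.items():
        kind, cluster_ip = classify_mac(mac)
        if kind.endswith("cluster"):
            extra = sorted(i for i in ips if i != cluster_ip)
            if extra:
                findings.append((mac, cluster_ip, extra))
    return findings

if __name__ == "__main__":
    for mac, vip, extra in audit_arp(SAMPLE_ARP):
        print(f"{mac}: cluster IP {vip}; also resolved for {', '.join(extra)}")
```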
