Welcome to ISAserver.org
Is it me, or does NLB stop at the drop of a hat?
Is it me, or does NLB stop at the drop of a hat? - 14.Mar.2008 5:54:30 AM
jenwilson
Posts: 4
Joined: 31.Jan.2008
Status: offline

Is it me or does NLB on ISA stop at the drop of a hat? We have 2 x 2 ISA2006 Enterprise Firewall Arrays, each supports a different part of the Company, one for Corporate stuff, one for Departmental stuff. Each of the Arrays has several Perimeter networks, dmz servers, db servers, remote access servers for the Corporate and different Departments on the Departmental Firewall. All of the networks, including external, on the Firewalls have NLB set on them. Firewalls work well and adding rules is no issue.

However, often when making ANY kind of configuration change to the Firewalls, e.g. adding a new network, making changes to VPN etc., the NLB service stops with an error, often only on one of the pair of the array but makes no difference as this effectively stops NLB on the array anyway. This throws all connections/users off the Firewall, as they all use NLB addresses to connect. Have to stop/start the Firewall service or reboot the Firewalls to get NLB working again. The NLB seems so tied in to EVERYTHING the Firewall does that you can't make any changes without it affecting NLB.

(It's just done it because I changed the Radius server VPN uses for Authentication, however I hadn't set the Firewalls details on the Radius server so it wasn't going to accept any requests from the Firewall. Shouldn't have been an issue as no-one was using VPN at the time and I was then going to add the Firewall to the Radius clients so they could talk to each other. However the Firewall decided to use its RRAS service to try calling the Radius server straight away, it couldn't, the RRAS service stopped and the Firewall decided to stop the NLB service because of this, despite the fact VPN wasn't even being used at this time!) It's really annoying not knowing what you might do next that will cause the NLB service to stop like this!

I'm looking at recommending we use some kind of hardware Load Balancing device because whilst NLB on the ISA Firewall is good it stops far too often when you try to make changes. Is it just me or do any other ISA users have this kind of issue? Jen.
RE: Is it me, or does NLB stop at the drop of a hat? - 14.Mar.2008 6:37:18 AM
davidmask
Posts: 11
Joined: 17.Sep.2007
From: JHB, South Africa
Status: offline

Hi, I have had this issue, and successfully resolved it. As usual, it was not an ISA problem, but a switch issue. What switches are you using? Do you have VLANs or separate switches? Are you using an Intra-array network or internal for isa-isa comms? Re
_____________________________
David Maskell CISSP, MCSSA, MBCS, CITP, WCE-WS, nCSE MCSE: NT4, 2000,2003,Messaging,Security MCTS:SQL 2005,Vista, Windows 2008, Forefront
RE: Is it me, or does NLB stop at the drop of a hat? - 14.Mar.2008 8:07:13 AM
jenwilson
Posts: 4
Joined: 31.Jan.2008
Status: offline
David, Thanks for the reply. The Corporate Firewalls are connected straight to HP 3400 Switches (set to layer 2 only) in our Core switch array. They are in different buildings so are connected into different switches. The Departmental Firewalls are in the same rack and connected to the same HP2650 edge switch (layer 2) (required because of the number of connections/nics in these servers) and then connected to the HP3400 Core switches (set to layer 2 only). The different networks are VLANd into the HP3400 Core switches and/or the Departmental Networks Edge HP2650 switch and then directly connected per network to individual NICs on the Firewall (can't have NLB and VLANs on the same NIC). We are using Intra-Array to connect the Firewalls. The Corporate Switches are in different buildings so this goes thru a direct fibre/transceiver combo between the two Corporate Firewalls (no switches). The Departmental Firewalls are next to each other and have a direct cat5 cable linking the 2 intra-array NICs. Cheers. Jen.