Welcome to ISAserver.org
NLB fails on all interfaces, if cable is removed from any switch
NLB fails on all interfaces, if cable is removed from a... - 2.Oct.2007 10:14:53 AM
FlexyZ
Posts: 16
Joined: 11.Oct.2004
Status: offline
Hi All,

I have 2xISA 2006 with 10 NICs each, I have heartbeat with a crossover cable, and each firewall has a NIC connected to a switch. (2 in each switch)

All looks juicy, but when I remove one or both NICs from any switch, the NLB fails on all interfaces :( - big problem

Anyone out there with some suggestions?

Hardware: PE2950
2 x Quad Intel Pro NICs
2 x Broadcom onboard NICs
RE: NLB fails on all interfaces, if cable is removed fr... - 4.Jun.2008 4:53:06 AM
PsYteAk
Posts: 16
Joined: 28.Jun.2005
From: Sweden
Status: offline
I have seen the same thing with ISA Servers Ent that have several interfaces and that lose the NLB function on all interfaces when one cable disconnects from one NIC. I hope that my response will generate new answers on this question.
RE: NLB fails on all interfaces, if cable is removed fr... - 4.Jun.2008 5:28:15 AM
HePa
Posts: 135
Joined: 9.May.2008
From: Sweden, Gothenburg
Status: offline
Which version of ISA? Enterprise or Standard? How have you installed NLB, through ISA or the manual way? NLB is only supported within Enterprise edition.
_____________________________
HePa
RE: NLB fails on all interfaces, if cable is removed fr... - 4.Jun.2008 5:42:38 AM
Jason Jones
Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I am pretty sure this is by design. Think about what happens if you lose a single interface, say the internal interface, on one node and it continues to accept connections and available as part of the cluster; ISA would then receive a request, but have no route for it internally. As you cannot tell/define which interfaces are vital for ISA to function, I think it makes the decision to fail the entire node if any one of the interfaces fails - this is not ideal, but probably the safest option if you think about it.

If you really want to, I think you may be able to change this default behaviour within the alerts settings, but never actually tried to do it and not sure it is even possible.

The best option, therefore, is to place each node into a dedicated switch to ensure that switch failure will only affect one node. Ideally it would be nice to be able to define backup interfaces or define which interfaces are critical for failover to occur - alas this level of intelligence is not included :(

The best thing is to understand this limitation and then design the network infrastructure around it accordingly. It sometimes means that you need to consider adding more nodes, as a simple failure could actually remove a complete node from the cluster, thus leaving the remaining members under stress. Adding more switches dedicated to each node (as above) also helps reduce the chances of unnecessary failover.

At the end of the day, NLB is not perfect, but it is free and hence does have limitations.

I have tried to remove this limitation in the past by using NIC teaming, but even when ISA is configured for multicast mode (something that is a bit painful to configure and necessary according to most server vendors) ISA just refuses to work with any form of NIC teaming in my experience (well, on HP servers anyhow).

HTH

Cheers

JJ
< Message edited by Jason Jones -- 4.Jun.2008 5:46:15 AM >
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
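The behaviour described in the post above, and the dedicated-switch advice that follows from it, as a small Python model (an added example, not part of the original thread). Node, interface and switch names are constructed, and the rule that any interface down removes the node is taken from the posts, not from ISA Server itself.

```python
# Toy model of the NLB behaviour discussed in this thread (added example).
# All node, interface and switch names below are constructed.

def surviving_nodes(topology, failed_switches=(), pulled_cables=()):
    """Return the nodes still in the array, sorted by name.

    topology:        {node: {interface: switch}}
    failed_switches: switches that are down
    pulled_cables:   (node, interface) pairs with no link
    Rule from the thread: a node with ANY interface down leaves the array
    on ALL interfaces; the other nodes are unaffected.
    """
    failed = set(failed_switches)
    pulled = set(pulled_cables)
    alive = []
    for node, nics in topology.items():
        all_links_up = all(
            switch not in failed and (node, nic) not in pulled
            for nic, switch in nics.items()
        )
        if all_links_up:
            alive.append(node)
    return sorted(alive)


def worst_single_switch_failure(topology):
    """Smallest number of surviving nodes over every single-switch failure."""
    switches = {sw for nics in topology.values() for sw in nics.values()}
    return min(len(surviving_nodes(topology, [sw])) for sw in switches)


# Layout A (constructed): one switch per network, shared by both nodes.
SHARED = {
    "isa1": {"internal": "sw-int", "dmz": "sw-dmz", "external": "sw-ext"},
    "isa2": {"internal": "sw-int", "dmz": "sw-dmz", "external": "sw-ext"},
}
# Layout B (constructed): every NIC of a node goes to that node's own switch.
DEDICATED = {
    "isa1": {"internal": "sw-a", "dmz": "sw-a", "external": "sw-a"},
    "isa2": {"internal": "sw-b", "dmz": "sw-b", "external": "sw-b"},
}

if __name__ == "__main__":
    # One pulled cable removes only the affected node from the array.
    print(surviving_nodes(SHARED, pulled_cables=[("isa1", "dmz")]))
    print("shared switches, worst case:", worst_single_switch_failure(SHARED))
    print("dedicated switches, worst case:", worst_single_switch_failure(DEDICATED))
```

With shared per-network switches, any one switch failure takes a link away from every node and the whole array drops out; with a dedicated switch per node, one node always survives.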
RE: NLB fails on all interfaces, if cable is removed fr... - 9.Jun.2008 9:46:14 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason, You are correct and I think this is critical functionality in order to have full support for bi-directional affinity. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: NLB fails on all interfaces, if cable is removed fr... - 8.Aug.2008 5:08:18 AM
jenwilson
Posts: 4
Joined: 31.Jan.2008
Status: offline
It's a bit of a bummer though. You have a nice ISA 2006 Enterprise array with NLB and if one single NIC (or the switch port that a NIC is attached to) fails, then your whole array effectively goes belly up. Doesn't particularly allow very good backup/failover does it?

Jen.
RE: NLB fails on all interfaces, if cable is removed fr... - 8.Aug.2008 5:17:59 AM
Jason Jones
Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: jenwilson
It's a bit of a bummer though. You have a nice ISA 2006 Enterprise array with NLB and if one single NIC (or the switch port that a NIC is attached to) fails, then your whole array effectively goes belly up. Doesn't particularly allow very good backup/failover does it? Jen.

Hi Jen,

I think you have misunderstood. You only lose the array member that has the problem, not the entire array. If you connect all array members to the same switch, then the switch is a single point of failure anyhow. If you are designing for high availability you need to think about devices in the entire path, which likely means duplicating switches/routers etc. to get a "two of everything" approach.

Cheers

JJ
RE: NLB fails on all interfaces, if cable is removed fr... - 8.Aug.2008 5:24:36 AM
Jason Jones
Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Talking of HA, I questioned recently why some of my customers use Active/Passive Cisco ASA front firewalls with Active/Active ISA back firewalls as I would have thought that the Cisco devices could cope with Active/Active. However, it appears (from what I was told) that the Cisco ASA devices cannot support VPN connections when in an Active/Active configuration, hence it is often recommended to use Active/Passive. There is also a licensing cost to using Active/Active compared to Active/Passive.

Hearing this news (and the fact that I can have a whole array (e.g. more than two) of ISA servers in Active/Active mode) I actually think that the high-availability provided by ISA Server with NLB is actually quite good, especially for free. However, if the limitations are just too much to bear, there is always the option of adding additional hardware load balancers, but again this costs money...

Cheers

JJ
RE: NLB fails on all interfaces, if cable is removed fr... - 8.Aug.2008 10:40:11 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason, Yes! Especially for VPN. We once put together a 12 node VPN array for a large utility here in the US. They wanted to make sure that they had access in the event of a disaster, like a hurricane. Worked great! Tom