
Welcome to ISAserver.org


ISA kicking NetBIOS sessions

ISA kicking NetBIOS sessions - 10.Mar.2004 9:10:00 PM   
christoph.erdle

 

Posts: 1
Joined: 10.Mar.2004
Status: offline
Hi there,

at the moment we are implementing a tri-homed redundant firewall using two ISA-servers 2004 beta with NLB and bidirectional affinity.
That all works great except one: If any client behind the firewall connects to a remote share on a computer on the external net, and tries to connect to a second share (it doesn't differ if this one is on the same computer as the first one or not, as far as we tested), the first session gets kicked out (can't be accessed anymore) and the second one isn't established.
But the next try to establish a connection to an external client is successful.
Is this a known issue to ISA server and can this be solved? At rules level there nearly can't be any misconfiguration as we integrated an allow-everything rule.

Thanks in advance for your help
Christoph Erdle
Post #: 1
RE: ISA kicking NetBIOS sessions - 11.Mar.2004 1:58:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Christoph,

I haven't heard about such a problem but I'll keep my eyes out for it.

Thanks!
Tom

(in reply to christoph.erdle)
Post #: 2
RE: ISA kicking NetBIOS sessions - 27.Mar.2004 10:25:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Christophe ,

We have been testing NLB and ISA 2004 Beta 2 at our schools. I am happy to hear that you actually got NLB working, because we haven't been able to get ISA 2004 and NLB working together.

Here are our findings:

We have 3 ISA 2004 beta servers each attached on 3 networks. We configure NLB between the 3 networks like this :

ISA01          ISA02          ISA03          VIP
10.1.1.1       10.1.1.2       10.1.1.3       10.1.1.254
192.168.1.1    192.168.1.2    192.168.1.2    192.168.1.254
172.16.1.1     172.16.1.2     172.16.1.3     172.16.1.254

We can ping to all VIPs and everything works like it should with NLB. No errors in the eventlogs or anything.

Then we install ISA 2004 Beta 2 with all firewall rules open ( allow all ) and route all networks.

At this point we can ping from any host on any network to any other host on any other network without problems. BUT.. we cannot make connection-oriented connections : TCP is the problem. For instance , we can do a ping command successfully , but not a NET USE command.
If we disable NLB on the NIC on the same lan as the client that is trying to make a connection , then nothing happens : TCP still fails.
Now if we disable NLB on the NIC on the same lan as the HOST that the client is connecting to then it works !.. this must mean that the NLB is somehow corrupting ACK and SEQ tcp handshakes.

We configured NLB as following : IGMP Multicast with Single affinity. ( this has always worked )

You are speaking of bi-directional affinity. I thought this was something that you had to configure on the application side, but I didn't know that ISA 2004 Beta had this feature?

Could you please tell us where to configure ISA 2004 ( or windows 2003 ) bi-directional affinity mode ?

Anyway, we stopped testing NLB and ISA because it's just so incredibly difficult to get it working correctly and just as you think you solved it then you realize that there's another thing not working. We have installed a trial copy of RainWall and this product has amazed us at its ease of use and performance increase.

Despite getting it working on RainWall, we still would like to know how to get NLB working.
Could you send me a mail to : penrose.l@2college.nl to let me know ? Or maybe reply here I will read this topic monday.

Kind regards,
Lex Penrose

(in reply to christoph.erdle)
Post #: 3
RE: ISA kicking NetBIOS sessions - 28.Mar.2004 7:48:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,

Check this out. You can use this method to get it to work with ISA 2000, don't know about ISA 2004. Hopefully, MS will have an NLB white paper available by the time the product releases.

Recommended way, as of the latest information I have:

Configure NLB on both interfaces, and configure ISA with UseISAAddressInPublishing=1 - causes return traffic to traverse the NLBd interfaces correctly.

Alternative method - this was documented in a newsgroup post by Sean House, who works in Windows Networking here - this is quite lengthy:

The NLB registry settings are located at:

HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Interface\{GUID}

Where {GUID} is the GUID of the NIC to which NLB is bound. If you have bound NLB to multiple interfaces (which you should), then you will see multiple GUIDs under "Interface". Use the "ClusterIPAddress" registry value under each GUID to distinguish them. Under both clusters that you wish to team, add a registry KEY (not value) called BDATeaming. Under that key, on both clusters, add the following registry VALUES (not keys):

TeamID (REG_SZ)
Master (REG_DWORD)
ReverseHash (REG_DWORD)

The team ID should be a GUID in curly braces; use "uuidgen.exe" or some such program to generate a GUID for you. Set the Team ID under both clusters to be the SAME - this is what teams them together. Now, choose one CLUSTER (either internal or external) to be the "master" cluster. Typically, you would want this to be the internal, but it doesn't matter. On that cluster, set the Master key to 1, and on the other cluster, set the Master key to 0.
On the external cluster, set ReverseHash to 0 and on the internal cluster, set ReverseHash to 1. Below is a sample:

External cluster:
- BDATeaming
- TeamID = {70b26c0a-1c1c-4242-ba7e-6ff0229509c4}
- Master = 0
- ReverseHash = 0

Internal cluster:
- BDATeaming
- TeamID = {70b26c0a-1c1c-4242-ba7e-6ff0229509c4}
- Master = 1
- ReverseHash = 1

Now, go to a command prompt and type "wlbs reload". Hopefully, you don't get an error ;D. Now you can type "wlbs bdateam {70b26c0a-1c1c-4242-ba7e-6ff0229509c4}" and it should show you the configuration of the team. You may see some "errors" in this output if you have other nodes in the cluster that you have not yet added the keys to.

And, until all hosts are properly setup, your cluster will not converge - check "wlbs query" output.

Now, go to the other hosts in your cluster(s) and add the same registry keys in a consistent manner (i.e., all external clusters should have the same settings and all internal clusters should have the same settings). Again, use "wlbs bdateam" to check the configuration. When you're done with all nodes, "wlbs query" should show that the hosts are happy and converged.

HTH,
Tom

(in reply to christoph.erdle)
Post #: 4
RE: ISA kicking NetBIOS sessions - 28.Mar.2004 8:17:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hey tom !

Thanks a lot for this info !
It looks like it could make the thing work.
However now we have RainWall running , and it performs exceptionally well.
I do however feel an urge to try NLB one very last time using these regkeys. I haven't been able to find any info on the WLBS regkeys..

This will certainly help us a lot.

Kind regards,
Lex Penrose

(in reply to christoph.erdle)
Post #: 5
RE: ISA kicking NetBIOS sessions - 28.Mar.2004 8:57:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
hi Tom ,

I found the board you were talking about and later in his post Sean says the following :
=======
e-mail from Sean House [MS]:

"Well, you're not going to find any more information out there because BDA is unsupported in Server 2003 unless ISA Server 2004 is installed... ISA '04 should release later this year, at which time the BDA configuration will be done seamlessly by ISA for you...

The thread that you refer to below contains all of the information that you need to get BDA working, though keep in mind again that it is NOT supported yet... So, to answer your question, you can ignore this message IFF you get a subsequent message in the event log that says that the BDA configuration is ok... I don't recall the event ID off-hand... Otherwise, it means that your BDA settings are misconfigured...

Use the "wlbs bdateam" command to check the status of your BDA team - make sure that no errors are reported and that the team is "Active"... The meaning of the parameters are as follows:

TeamID - just an identifier to group NICs together... Make sure that the same GUID is used for all NICs on a given machine that should be "cooperating" to provide BDA...

ReverseHash - tells NLB whether to use forward (normal) or reverse hashing on incoming traffic on the given NIC... In order for traffic to flow between two NICs clustered with NLB, one of them must be configured to use forward hashing, while the other uses reverse hashing...

Master - one NIC from each group of "cooperating" NICs must be chosen to be the master... Only one master per team, and the choice is pretty much arbitrary... However, the SAME NIC (from the same cluster) must be designated as such on ALL machines in the cluster... So, in effect, you're choosing a master CLUSTER, not a master INTERFACE..."

And another one:

"BDA will work with some ISA '00 configurations, but not all of them, and
as I mentioned, none of them will be supported by MS... For example, if
your ISA configuration causes connections to be NAT'd in the kernel (not
sure what "mode" this is in ISA), then it simply won't work... In ISA
'04, we've addressed that problem...

In short, if you have it setup, and it seems to work, then go with it...
If you start to see issues, then you'll have to drop back to a single
cluster configuration that is supported by NLB and ISA '00...
========

So I read that Isa 2K4 will natively support NLB better and also (finally) document NLB.
We will wait for ISA2K4 RTM and use NLB when it's available.

UseISAAddressInPublishing=1 doesn't solve the problem : NLB can't be used even if there's only 1 server in the cluster ( thus preventing packets sending to the wrong node , since there's only 1 node )

The advice from Microsoft is :
Don't mess with NLB coz they don't have it working yet. If you do , you will get problems. ISA 2004 Final will natively support NLB clustering on Windows 2003 and provide the needed documentation to achieve a working ISA2k4/NLB cluster.

Kind regards,
Lex Penrose

(in reply to christoph.erdle)
Post #: 6
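
The teaming rules from Tom's post and Sean House's e-mail above (same TeamID on the teamed NICs, exactly one master, one forward-hashing and one reverse-hashing NIC), as an added example that is not part of the thread or of Microsoft's tooling: a Python check over a text export of the WLBS Interface registry key. The export text, interface GUIDs and cluster IPs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in "reg export" text format for one host with two NLB-bound NICs.
# Interface GUIDs and cluster IPs are made up; the TeamID is the sample from the thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\{11111111-1111-1111-1111-111111111111}]
"ClusterIPAddress"="192.0.2.254"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\{11111111-1111-1111-1111-111111111111}\BDATeaming]
"TeamID"="{70b26c0a-1c1c-4242-ba7e-6ff0229509c4}"
"Master"=dword:00000000
"ReverseHash"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\{22222222-2222-2222-2222-222222222222}]
"ClusterIPAddress"="10.1.1.254"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\{22222222-2222-2222-2222-222222222222}\BDATeaming]
"TeamID"="{70b26c0a-1c1c-4242-ba7e-6ff0229509c4}"
"Master"=dword:00000001
"ReverseHash"=dword:00000001
'''

KEY_RE = re.compile(r'^\[.*\\WLBS\\Parameters\\Interface\\(\{[0-9a-f-]+\})(\\BDATeaming)?\]$', re.I)
VAL_RE = re.compile(r'^"(\w+)"=(?:"(.*)"|dword:([0-9a-f]{8}))$', re.I)

def parse_export(text):
    """Return {interface GUID: {value name: str or int}} for the NLB interface keys."""
    nics, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        key, val = KEY_RE.match(line), VAL_RE.match(line)
        if key:
            cur = nics.setdefault(key.group(1).lower(), {})
        elif line.startswith("["):
            cur = None  # unrelated key: ignore its values
        elif val and cur is not None:
            cur[val.group(1)] = val.group(2) if val.group(3) is None else int(val.group(3), 16)
    return nics

def check_team(nics):
    """Apply the teaming rules quoted in the thread; an empty list means consistent."""
    problems, teams = [], {}
    for guid, vals in nics.items():
        missing = [k for k in ("TeamID", "Master", "ReverseHash") if k not in vals]
        if missing:
            problems.append(f"{vals.get('ClusterIPAddress', guid)}: missing {', '.join(missing)}")
        else:
            teams.setdefault(vals["TeamID"].lower(), []).append(vals)
    for team, members in teams.items():
        if sum(m["Master"] == 1 for m in members) != 1:
            problems.append(f"{team}: exactly one NIC must have Master=1")
        if {m["ReverseHash"] for m in members} != {0, 1}:
            problems.append(f"{team}: need one ReverseHash=0 and one ReverseHash=1")
    return problems
```

A real `.reg` export is UTF-16 encoded, so decode the file before passing its text to `parse_export`; run the check on each host's export and compare the results, since the thread requires the same settings on every node.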
RE: ISA kicking NetBIOS sessions - 31.Mar.2004 12:32:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,

Thanks! I didn't see the follow up info.

I know they're working on NLB docs. That info will be good as gold! I think they're also working on some kind of NLB Wizard for ISA, but I can't say for sure.

Thanks!
Tom

(in reply to christoph.erdle)
Post #: 7
RE: ISA kicking NetBIOS sessions - 18.Apr.2004 1:05:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Tom ,

Ok, we now know for sure that NLB does *not* work correctly with ISA 2004. We have tested everything and thought it might be 3 NIC routing issues, but even with 2 NICs we get strange errors. In the beginning everything works like a charm, but we got fooled because it does not really accept and process connection oriented connections.
My advice for people trying to use NLB and ISA : Use rainwall from rainfinity.

Kind regards,
Lex Penrose

(in reply to christoph.erdle)
Post #: 8
RE: ISA kicking NetBIOS sessions - 18.Apr.2004 6:13:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,

Thanks for the info. So it sounds like BDA still doesn't work right. That's a shame, but I know that RainWall works a treat!

Thanks!
Tom

(in reply to christoph.erdle)
Post #: 9
