Welcome to ISAserver.org

VIP config and/or NLB issue TMG 2010

VIP config and/or NLB issue TMG 2010 - 22.Jul.2010 5:12:13 PM   
mjgraves@tisecurity. | Posts: 73 | Joined: 19.Jun.2006
When I created my VIPs in my two-node TMG 2010 array I saw something that seems different from ISA 2006. The process is as follows (after enabling NLB and NLB integration):

1. Add a VIP  via the NLB tab in the network
2. Create listener, and select new VIP in the listener.

When I go to (2) I do not always see the new VIP in the network connections for the listener.  Sometimes it appears, but is listed as being with a specific server, not as a VIP. I can add the VIP while configuring the listener.

I check the new address on the machines using ipconfig and it is there.

However, connections fail for some published servers (time  out to internal host) when TMG1 and TMG2 are both up.  When I shut down TMG1, connections to all published hosts work great.

Just as a test I loaded NLB manager just to see what it showed, and I get the RPC errors.

I am using an intra-array private network.

Could the oddly configured VIPs as described above lead to failed connections? 

_____________________________

Mark
Post #: 1
RE: VIP config and/or NLB issue TMG 2010 - 22.Jul.2010 7:11:21 PM   
Jason Jones | Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom
NLB manager will do that as TMG blocks the DCOM traffic it needs; you can ignore that and just use the TMG console for NLB operations.

Anyhow, what mode of NLB are you using?

How are the NLB interfaces connected to the network? Type of switches etc?

Have you enabled NLB on both internal and external interfaces?

You can get the symptoms you describe when the switch is learning to associate the VIP with a specific host (well, switch port to be precise) as opposed to allowing traffic to reach both nodes and let NLB make the decision.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to mjgraves@tisecurity.)
Post #: 2
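The switch-learning failure Jason describes above, as an added example that is not part of the original thread and not code from TMG or Windows NLB. In unicast mode every node's NIC answers to one shared cluster MAC, and Windows masks the source MAC of each node's outbound frames (02-hh-... where hh is the host priority) precisely so that a learning switch never maps the cluster MAC to a single port and keeps flooding inbound frames to every node; the NLB filter on each node then decides which one owns the flow. The model below is a toy: two nodes, an illustrative cluster MAC, a client on a third port, and a simple client-port hash standing in for the real NLB filter. It shows that when masking is defeated the switch pins the cluster MAC to whichever node answered last, and every flow the other node owns times out, which is the "works with one node, fails with two" symptom from the first post.

```python
"""Toy model of unicast NLB behind a learning switch (added example).

Assumed values: cluster MAC 02-BF-0A-01-00-92, two hosts with priorities
1 and 2 on switch ports p1/p2, a client on p3. Not taken from the thread.
"""
from dataclasses import dataclass

CLUSTER_MAC = "02-BF-0A-01-00-92"      # assumed unicast cluster MAC
CLIENT_MAC = "00-50-56-AA-BB-CC"       # assumed client MAC


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


class LearningSwitch:
    """Transparent bridge: learns src MAC -> port, floods unknown dst."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}                  # MAC -> port

    def forward(self, ingress, frame):
        self.cam[frame.src] = ingress  # learning happens on every frame
        if frame.dst in self.cam:
            return [self.cam[frame.dst]]
        return sorted(self.ports - {ingress})


class NlbNode:
    def __init__(self, port, host_id, node_count, mask_source):
        self.port = port
        self.host_id = host_id
        self.node_count = node_count
        self.mask_source = mask_source
        # Unicast NLB: the NIC itself answers to the cluster MAC.
        self.nic_mac = CLUSTER_MAC
        # Windows rewrites the outbound source MAC to 02-<host id>-...
        self.masked_mac = f"02-{host_id:02X}-0A-01-00-92"

    def owns(self, client_port):
        # Stand-in for the NLB filter: exactly one node owns each flow.
        return client_port % self.node_count == self.host_id - 1

    def handle(self, frame, client_port):
        if frame.dst != self.nic_mac or not self.owns(client_port):
            return None
        src = self.masked_mac if self.mask_source else self.nic_mac
        return Frame(src, frame.src, f"SYN-ACK from host {self.host_id}")


def simulate(mask_source, client_ports=(1000, 1001, 1002, 1003)):
    """Return {client source port: 'ok' | 'timeout'} for a series of SYNs."""
    switch = LearningSwitch(["p1", "p2", "p3"])
    nodes = {
        "p1": NlbNode("p1", 1, 2, mask_source),
        "p2": NlbNode("p2", 2, 2, mask_source),
    }
    results = {}
    for cp in client_ports:
        syn = Frame(CLIENT_MAC, CLUSTER_MAC, f"SYN sport={cp}")
        replied = False
        for egress in switch.forward("p3", syn):
            node = nodes.get(egress)
            if node is None:
                continue
            reply = node.handle(syn, cp)
            if reply is not None:
                # The reply crosses the switch too; that is where it learns.
                switch.forward(node.port, reply)
                replied = True
        results[cp] = "ok" if replied else "timeout"
    return results


if __name__ == "__main__":
    print("masked source MAC :", simulate(True))
    print("cluster MAC leaked:", simulate(False))
```

With masking on, the switch never sees the cluster MAC as a source, so it floods every SYN to both nodes and all four flows get answered. With masking off, the first reply teaches the switch that the cluster MAC lives on p1, and from then on every flow owned by host 2 is delivered only to host 1, which drops it: the client sees a timeout. A virtual switch plays the same role as a physical one here, and static MAC entries or port security on the switch produce the same pinning even with masking in place.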
RE: VIP config and/or NLB issue TMG 2010 - 22.Jul.2010 7:57:41 PM   
mjgraves@tisecurity. | Posts: 73 | Joined: 19.Jun.2006
Hi Jason,

I am running unicast. Yes, NLB is enabled on internal and DMZ interface.

I will verify the switch as you describe.

I have a VIP on the internal network to which the content switch routes back to the internal TMG NICs. This is because I am preserving the original client IP. This has worked well and I confirmed the traffic with Netmon.

It only fails when the second TMG is up.

I will test more in a day or so and let you know the outcome.

Regards,
Mark

_____________________________

Mark

(in reply to Jason Jones)
Post #: 3
RE: VIP config and/or NLB issue TMG 2010 - 23.Jul.2010 8:10:26 AM   
Jason Jones | Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom
Have you installed TMG SP1 or hotfix 980674?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to mjgraves@tisecurity.)
Post #: 4
RE: VIP config and/or NLB issue TMG 2010 - 23.Jul.2010 9:14:53 AM   
mjgraves@tisecurity. | Posts: 73 | Joined: 19.Jun.2006
I will check, but I am almost positive I did, as I had NLB issues at the beginning of the install. With incoming connections to a host for which I am not preserving the client IP, NLB seems to work great.

I just see the problem when I use this latest host. The two published servers are actually a Cisco content switch.

One of the hosts fronted by the content switch requires the original client IP. The content switch has a default route back to a VIP on the Internal network.

_____________________________

Mark

(in reply to Jason Jones)
Post #: 5
RE: VIP config and/or NLB issue TMG 2010 - 23.Jul.2010 9:17:23 AM   
mjgraves@tisecurity. | Posts: 73 | Joined: 19.Jun.2006
You and I corresponded on this post, and I did install the hotfix.

The post is:

TMG 2010 KB 980674 when to apply?

_____________________________

Mark

(in reply to Jason Jones)
Post #: 6
RE: VIP config and/or NLB issue TMG 2010 - 23.Jul.2010 9:32:25 AM   
Jason Jones | Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom
Ah ok, I do see a lot of posts!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to mjgraves@tisecurity.)
Post #: 7
RE: VIP config and/or NLB issue TMG 2010 - 25.Jul.2010 6:08:58 PM   
mjgraves@tisecurity. | Posts: 73 | Joined: 19.Jun.2006
The hotfix is installed. SP1 is not. I did more testing. The following are the results:

This problem has not occurred on connections for which I am not preserving the client IP. NLB has been working for a web site which the content switch is fronting and connections appear to come from the TMG internal address.

I verified NLB is stable (no errors) and went ahead and followed your blog and enabled DCOM on the intra-array network. I also edited the hosts file on each TMG so that the FQDN resolves to the intra-array IP for each. Servers sync fine.

Each TMG will allow a connection to the published web site when the other has the NLB service disabled. Whenever NLB is enabled on each array member, the connection to the internal host times out (408).

Besides the DIP on the internal for NLB, I have a VIP 10.1.0.146 which is the default route back to the TMG.  Again, this works as long as only one array member is NLB enabled. I have confirmed the traffic using Netmon, and the content switch (published web server) is sending the client traffic to the DIP virtual MAC address.

I have read about the "register DNS" parameter  on the internal NIC needing to be disable, and have done that.

_____________________________

Mark

(in reply to Jason Jones)
Post #: 8
RE: VIP config and/or NLB issue TMG 2010 - 10.Aug.2010 10:50:17 AM   
mjgraves@tisecurity. | Posts: 73 | Joined: 19.Jun.2006
I have opened a support ticket with Microsoft. They are looking into the issue.

_____________________________

Mark

(in reply to mjgraves@tisecurity.)
Post #: 9
RE: VIP config and/or NLB issue TMG 2010 - 10.Aug.2010 12:21:52 PM   
dikkehaaj | Posts: 20 | Joined: 15.Jul.2010
quote:

ORIGINAL: mjgraves@tisecurity.

When I go to (2) I do not always see the new VIP in the network connections for the listener. Sometimes it appears, but is listed as being with a specific server, not as a VIP. I can add the VIP while configuring the listener.

I got something familiar: sometimes a VIP is assigned/specific to a server and not showing as a VIP. The way I resolve this is to configure a VIP, then close the TMG MMC/interface and restart it. Then I edit the listener and the IP shows correctly as a VIP.
Other resolution is to refresh the NIC in the TMG mmc/interface.

TMG array with SP1

< Message edited by dikkehaaj -- 10.Aug.2010 12:24:04 PM >

(in reply to mjgraves@tisecurity.)
Post #: 10
RE: VIP config and/or NLB issue TMG 2010 - 25.Aug.2010 10:20:43 AM   
mjgraves@tisecurity. | Posts: 73 | Joined: 19.Jun.2006
Sorry for the long delay in replying. Yes, I discovered that as well.

Thank you for the information.



_____________________________

Mark

(in reply to dikkehaaj)
Post #: 11
RE: VIP config and/or NLB issue TMG 2010 - 13.Apr.2012 5:31:40 AM   
mr.kps123 | Posts: 5 | Joined: 13.Apr.2012
Hi

2 TMG nodes and 1 EMS server, configured with 2 network adapters on each node (Internal and Intra-array communication).

When we configured NLB within TMG using multicast I get the error "RPC services unavailable".
When we configured NLB within TMG using unicast I get one error: "not communicating".

Can you please help to get this issue resolved?

(in reply to mjgraves@tisecurity.)
Post #: 12
RE: VIP config and/or NLB issue TMG 2010 - 22.Apr.2012 10:42:26 PM   
mr.kps123 | Posts: 5 | Joined: 13.Apr.2012
Hi Team
Nice blog, thank you for sharing information about the TMG issue.
We have an issue with NLB: we get the error "RPC services unavailable" while joining the other array node server.
We have 2 TMG nodes and 1 EMS server; both nodes have been successfully joined to the EMS array. I am trying to enable NLB for both nodes in the TMG console; I have enabled it, and when I check NLB Manager the other node has not joined the cluster (RPC error).
As I understand from the comments in this thread, NLB Manager is not required to manage this, but when I enable NLB in the TMG console it tries to add the node using NLB Manager and gets the RPC error.
Workaround:
I disabled the RPC filter in the Enterprise and system array and that resolved the RPC error, but with the RPC filter disabled both nodes get a configuration error: the EMS server does not sync.
Could you please provide more details on how we need to work with NLB?

(in reply to mr.kps123)
Post #: 13
RE: VIP config and/or NLB issue TMG 2010 - 25.Jun.2012 11:11:29 AM   
fstevens | Posts: 10 | Joined: 7.Dec.2010
quote:

ORIGINAL: mjgraves@tisecurity.

I have opened a support ticked with Microsoft. They are looking into the issue.

Did you ever get an answer to this from Microsoft? I am interested because I believe I have a similar story.

We have two TMG servers in a multicast array. Both are virtual in VMware. Basically the primary VIP works fine but the secondary doesn't work for published sites. Swap the primary and secondary IPs and the new primary starts working, but again not the original IP when placed as a secondary. Another clue: if I place a client on the same subnet, the secondary VIP then works.

Any thoughts?

(in reply to mjgraves@tisecurity.)
Post #: 14
RE: VIP config and/or NLB issue TMG 2010 - 28.Oct.2013 9:31:56 AM   
plastiq | Posts: 2 | Joined: 17.May.2004
Hi!

Does anybody know how to fix this issue?
Every web publishing rule on my TMG array works perfectly when only one of the TMG servers is on.
With both TMG servers online I get timeouts and other problems when I try to access a published web site from the "external" side.

(in reply to fstevens)
Post #: 15
RE: VIP config and/or NLB issue TMG 2010 - 6.Nov.2013 9:29:42 PM   
isa88 | Posts: 1 | Joined: 6.Nov.2013
Nice post

(in reply to plastiq)
Post #: 16