ISAserver.org Forums >> [Threat Management Gateway (TMG) 2010] >> General >> NLB on external NIC
NLB on external NIC - 23.Nov.2010 7:02:38 AM
parseint
Hi,

I have 2 TMG servers up and running performing reverse proxy for a couple of internal web sites. They have an internal NIC and an external NIC. Only the external NIC has a default gateway and only the internal NIC has DNS entries. I created my publishing rules and a standalone array and everything is working fine until I try to enable NLB. I want to enable NLB to ensure that if one of the servers goes down, network connectivity will remain in place. As soon as I enable NLB, I lose access to my web servers from outside. I've waited a while, tried unicast and multicast, and I've even tried connecting the TMG servers' external NICs to a hub and then connecting the hub to the switch. Nothing works. What could I possibly be doing wrong?

If I look in the logs when I try to access the site, it says it accepts the connection, but when trying to telnet to the server from the outside on port 80 it doesn't work. So somehow it's not getting an 'answer' back.
Post #: 1
RE: NLB on external NIC - 23.Nov.2010 8:05:01 PM
paulo.oliveira (Amazon, Brazil)
Hi,

Have you enabled NLB on both the internal and external interfaces?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to parseint)
Post #: 2
RE: NLB on external NIC - 24.Nov.2010 7:41:34 AM
parseint
Yes, I have enabled it on both.

If I use Wireshark on the web server that I publish, I see that the traffic arrives fine, but when returning the traffic it says "Bad checksum" something. I'm not sure if this is related or expected behaviour. I've also tried using different virtual IPs without success. The servers are Dell servers with Broadcom NICs. I've updated to the newest Broadcom drivers and I've tried disabling all of the offload, receive scaling etc. without success.

For the web server I publish (this is an internal server), the default gateway should be set to the VIP of the internal load-balanced network, right?

On both of the TMGs, I've got a gateway on the external card and no DNS entries, and on the internal I don't have a gateway but DNS entries. This seems to be the best practice. Is this the correct setup with NLB? I'm also not able to connect via VPN to the VIP when I use NLB, same error: traffic arrives in the TMG logs, but I never get anything back. Connection to the DIP works fine. It seems to me it might be a routing problem or something?

I've installed SP1 and both Update 1 and Update 2 on both TMGs. The servers are Windows Server 2008 R2 Datacenter.

One of the TMGs is a Hyper-V guest and I've enabled spoofing on all NICs.

Another curiosity is that if I enable unicast I'm not even able to connect to the VIP using VPN. This works fine, as I said above, when using multicast.

Is there any way I can see where the traffic is 'stopped/dropped'? Since clearly it arrives at the TMG but never returns or something.

(in reply to paulo.oliveira)
Post #: 3
RE: NLB on external NIC - 24.Nov.2010 9:16:37 AM
Jason Jones (United Kingdom)
Similar NLB problems with Broadcom NICs... just a thought!

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/ac2eba08-5915-4150-9c14-289840bb7c99/?prof=required

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to parseint)
Post #: 4
RE: NLB on external NIC - 24.Nov.2010 9:26:06 AM
parseint
Yeah, I've actually read that post beforehand; however, I've tried updating the NICs, disabling everything, etc., but the problem isn't that NLB won't start. It starts fine and everything seems to be in order, but it's not :)

Any suggestions on how I can troubleshoot where the packets 'stop'? Since they are arriving at the TMG fine.

(in reply to Jason Jones)
Post #: 5
RE: NLB on external NIC - 24.Nov.2010 9:37:36 AM
Jason Jones (United Kingdom)
It sounds like layer 2 problems to me, so you are into Netmon/Wireshark territory really.

Have you actually tried different vendor NICs?

Cheers

JJ


(in reply to parseint)
Post #: 6
RE: NLB on external NIC - 24.Nov.2010 9:40:30 AM
parseint
No, I haven't had the time to do that yet; I have to order a couple of new ones to test. What should I look for in Wireshark?

(in reply to Jason Jones)
Post #: 7
RE: NLB on external NIC - 24.Nov.2010 10:43:50 AM
Jason Jones (United Kingdom)
Just noticed your comment about "bad checksum"... I don't think this is normal.

Your testing with the hub device should rule out most of the normal NLB problems... when using the hub, did you set the MaskSourceMAC key as discussed here: http://support.microsoft.com/kb/193602/EN-US/

You seem to have checked a lot else, so swapping the NICs is a good thing to try (albeit painful!)

Cheers

JJ


(in reply to parseint)
Post #: 8
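A caveat on the "bad checksum" seen in the capture, with an added example that is not part of the thread. When you capture on the host that sends a packet and that host's NIC has TCP checksum offloading enabled, the capture driver sees the segment before the hardware fills in the checksum field, so Wireshark flags every outgoing packet as having a bad checksum even though the copy that reaches the wire is fine. The Python below recomputes the TCP checksum of an IPv4 packet the way Wireshark does (pseudo-header plus segment, one's-complement sum) and contrasts the on-wire copy with the pre-offload copy a sender-side capture shows. Addresses, ports and the HTTP payload are constructed test data.

```python
"""Verify TCP checksums of captured packets and show the checksum-offload artefact.

Added example, not from the thread. All addresses, ports and the payload
are constructed test data.
"""
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"              # odd length: pad with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header carrying TCP, with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0x1234, 0x4000, 64, TCP_PROTO, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """The IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", src, dst, 0, TCP_PROTO, tcp_len)


def build_tcp_segment(src: bytes, dst: bytes, sport: int, dport: int,
                      seq: int, ack: int, flags: int, payload: bytes,
                      fill_checksum: bool = True) -> bytes:
    """TCP header (no options) plus payload. With fill_checksum=False the
    checksum field stays zero, which is what a capture taken on the sending
    host sees when the NIC computes the checksum in hardware (TX offload)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    if fill_checksum:
        csum = checksum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
        hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return hdr + payload


def expected_tcp_checksum(packet: bytes) -> int:
    """Recompute the TCP checksum an IPv4 packet should carry."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    tcp = packet[ihl:]
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]      # checksum field counts as zero
    return checksum(pseudo_header(src, dst, len(tcp)) + zeroed)


def verify_tcp_checksum(packet: bytes) -> bool:
    """True if the checksum field stored in the packet matches the recomputed value."""
    ihl = (packet[0] & 0x0F) * 4
    stored = struct.unpack("!H", packet[ihl + 16:ihl + 18])[0]
    return stored == expected_tcp_checksum(packet)


def demo() -> tuple:
    """Same HTTP reply (a) as it appears on the wire / at the receiver and
    (b) as a capture on the web server sees it before offload fills it in."""
    web_server = bytes([10, 0, 0, 10])     # constructed: published web server
    tmg_internal = bytes([10, 0, 0, 1])    # constructed: TMG internal address
    reply = b"OK\r\n"                      # constructed payload
    args = (web_server, tmg_internal, 80, 50123, 1000, 2000, 0x18, reply)
    ip = build_ipv4_header(web_server, tmg_internal, 20 + len(reply))
    on_wire = ip + build_tcp_segment(*args)
    pre_offload = ip + build_tcp_segment(*args, fill_checksum=False)
    return (verify_tcp_checksum(on_wire),
            verify_tcp_checksum(pre_offload),
            expected_tcp_checksum(pre_offload))


if __name__ == "__main__":
    wire_ok, capture_ok, want = demo()
    print(f"on-wire copy valid: {wire_ok}; sender-side capture valid: {capture_ok}; "
          f"expected checksum 0x{want:04x}")
```

The practical check this gives you: if the replies show bad checksums only in a capture taken on the web server itself, that is the offload artefact and tells you nothing about where the packets are lost; if they also show bad checksums in a capture on the receiving side (the TMG's internal interface, or a hub/span port), or still do after offload has been disabled on the sender, the frames really are being corrupted and the NIC or driver is a suspect.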
RE: NLB on external NIC - 25.Nov.2010 4:14:10 AM
mnie
It really depends on what you're trying to accomplish with NLB.

If you want to publish websites only, you should only be enabling NLB on the external interface, and set your publishing rules to mark the TMG as the source of all requests. Otherwise packets go in one way and come out another way, which is not good.

Any stateful firewall will throw away the packets, or if there is no firewall, they'll be tossed away by the operating system. It's quite intended behavior.

If your TMG array is the default gateway as well, NLB needs to be enabled on both internal and external interfaces; however, something you need to take into account is that in a unicast scenario, you need to have a third NIC in both machines on a separate network, allowing them to communicate with each other. This is not necessary with multicast.

< Message edited by mnie -- 25.Nov.2010 4:18:27 AM >

(in reply to parseint)
Post #: 9
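The drop that mnie describes, as an added model that is not part of the post: two array members share an external VIP and an internal VIP. An external SYN is accepted by whichever node NLB assigns to that client, while the published server's reply leaves via its default gateway (the internal VIP) and is assigned by the web server's address, so it can land on the other node, which holds no state for that connection and drops it. Making requests appear to come from the TMG sends the reply to the accepting node's own dedicated IP instead, so it always reaches the node that holds the state. Node selection below is a stand-in hash of the source address (NLB's real hashing differs), the firewall is a bare connection table, and all addresses are constructed.

```python
"""Model of the asymmetric return-path failure in a two-node reverse proxy.

Added example, not from the thread. Deliberately simplified: node selection
for a shared VIP is a stand-in per-source-IP hash (NLB single affinity; real
NLB uses its own hashing), and a node forwards a reply only if it created the
connection. All addresses are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def pick_nlb_node(nodes, src_ip):
    """Stand-in for NLB's per-source-IP host selection on a shared VIP."""
    return nodes[sum(int(o) for o in src_ip.split(".")) % len(nodes)]


class TmgNode:
    """One array member: a stateful firewall with a connection table."""

    def __init__(self, name, internal_dip):
        self.name = name
        self.dip = internal_dip                 # the node's own internal address
        self.expected_replies = set()           # (src, dst, sport, dport) allowed back in
        self.log = []

    def accept_external(self, pkt, web_server, appear_from_tmg):
        """External SYN for the VIP: create state and forward to the published server.
        appear_from_tmg models the publishing-rule choice between 'requests appear
        to come from the TMG' (True) and 'from the original client' (False)."""
        src = self.dip if appear_from_tmg else pkt.src
        fwd = Packet(src, web_server, pkt.sport, pkt.dport)
        self.expected_replies.add((fwd.dst, fwd.src, fwd.dport, fwd.sport))
        self.log.append(f"{self.name}: ACCEPT {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return fwd

    def handle_reply(self, pkt):
        """Reply from the web server: forward only with matching connection state."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.expected_replies:
            self.log.append(f"{self.name}: FORWARD reply to {pkt.dst}:{pkt.dport}")
            return True
        self.log.append(f"{self.name}: DROP reply to {pkt.dst}:{pkt.dport} (no connection state)")
        return False


def simulate(appear_from_tmg, clients=None):
    """Return (forwarded, dropped) reply counts for a batch of external clients."""
    nodes = [TmgNode("TMG1", "10.0.0.2"), TmgNode("TMG2", "10.0.0.3")]
    external_vip, web_server = "203.0.113.10", "10.0.0.10"   # internal VIP 10.0.0.1 is the server's gateway
    clients = clients or ["198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.10"]
    forwarded = dropped = 0
    for i, client in enumerate(clients):
        syn = Packet(client, external_vip, 40000 + i, 80)
        entry = pick_nlb_node(nodes, client)                 # node that takes the SYN
        fwd = entry.accept_external(syn, web_server, appear_from_tmg)
        reply = Packet(web_server, fwd.src, 80, fwd.sport)
        if reply.dst in {n.dip for n in nodes}:
            # reply addressed to a node's own dedicated IP: that node receives it
            handler = next(n for n in nodes if n.dip == reply.dst)
        else:
            # reply for the client goes to the server's default gateway, the internal
            # VIP, so NLB assigns it by the web server's address, not by the client's
            handler = pick_nlb_node(nodes, web_server)
        if handler.handle_reply(reply):
            forwarded += 1
        else:
            dropped += 1
    for node in nodes:
        print("\n".join(node.log))
    return forwarded, dropped


if __name__ == "__main__":
    print("original client as source:", simulate(appear_from_tmg=False))
    print("TMG as source:", simulate(appear_from_tmg=True))
```

With the original client preserved as source, half of the constructed clients lose their replies even though every SYN was logged as accepted, which is the symptom of "accepted in the logs but nothing comes back". With the TMG as source, every reply returns to the node that owns the connection.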
RE: NLB on external NIC - 25.Nov.2010 5:06:30 AM
Jason Jones (United Kingdom)
quote:

ORIGINAL: mnie

It really depends on what you're trying to accomplish with NLB.

If you want to publish websites only, you should only be enabling NLB on the external interface, and set your publishing rules to mark the TMG as the source of all requests. Otherwise packets go in one way and come out another way, which is not good.

Any stateful firewall will throw away the packets, or if there is no firewall, they'll be tossed away by the operating system. It's quite intended behavior.

If your TMG array is the default gateway as well, NLB needs to be enabled on both internal and external interfaces; however, something you need to take into account is that in a unicast scenario, you need to have a third NIC in both machines on a separate network, allowing them to communicate with each other. This is not necessary with multicast.

Good info, but although an intra-array NIC/network is recommended, it is not mandatory when using TMG with unicast NLB.

Even with ISA Server 2006 and Win2k3 it was possible to use unicast without a dedicated intra-array NIC: http://support.microsoft.com/kb/898867

Cheers

JJ

(in reply to mnie)
Post #: 10