NLB Firewall Issue?

on 01.06.2007 17:56:19 by nathands

I am running the Microsoft Network Load Balancer on a webfarm with 4
servers. The nodes are configured using multicast and I verified they
can be accessed both inside and outside the firewall (Cisco PIX 515
running 6.3(3)). The issue I am having is that when I test the
failover by shutting down one of the servers I notice that inside the
firewall I am still able to access the webfarm but outside I get a
"page cannot be displayed". I narrowed it down to notice that server
#2 is the only one the firewall sees. If that server is down, I am
unable to ping the virtual IP of the webfarm, but inside the firewall
I am still able to access the webpage when server #2 is down. The only
ports I am forwarding through the firewall are ports 80 and 443.
Are there any additional ports that need to be opened for the
multicasting to work correctly?

Any suggestions are appreciated.

Re: NLB Firewall Issue?

on 01.06.2007 20:43:11 by Burkhard Ott

On Fri, 01 Jun 2007 15:56:19 +0000, nathands wrote:

> I am running the Microsoft Network Load Balancer on a webfarm with 4

I never heard about that

> servers. The nodes are configured using multicast and I verified they
> can be accessed both inside and outside the firewall (Cisco PIX 515
> running 6.3(3)). The issue I am having is that when I test the
> failover by shutting down one of the servers I notice that inside the
> firewall I am still able to access the webfarm but outside I get a
> "page cannot be displayed". I narrowed it down to notice that server

Is there an option to check access on port 80? If so, watch in the
web server logs that the check succeeds.

> #2 is the only one the firewall sees. If that server is down, I am
> unable to ping the virtual IP of the webfarm, but inside the firewall
> I am still able to access the webpage when server #2 is down. The only
> ports I am forwarding through the firewall are ports 80 and 443.
> Are there any additional ports that need to be opened for the
> multicasting to work correctly?

How does your LB work: NAT, round-robin, DNS, routed?
It sounds like the web server itself doesn't answer the multicast, and
the LB should learn that somebody is down. Please provide more information.

cheers

Re: NLB Firewall Issue?

on 01.06.2007 21:35:07 by ela

On Jun 1, 6:56 pm, natha...@gmail.com wrote:
> I am running the Microsoft Network Load Balancer on a webfarm with 4
> servers. The nodes are configured using multicast and I verified they
> can be accessed both inside and outside the firewall (Cisco PIX 515
>

What does the "show arp web.farm.ip.addr" (on the PIX) show?
Does it show the multicast address that is configured on the NLB?

What do the switches that are connected to the PIX show for the above
MAC address (in their MAC tables)?
Do you have IGMP snooping enabled for this VLAN?
I think NLB works in a strange way by "instructing" (either by using
multicast or by doing a tricky manipulation of the ARP tables) the
switches to flood the packets destined to the cluster IP address to
the whole VLAN.
You could try connecting the PIX with the NLB machines via a hub and
check if the setup is working properly. If it works, the problem is
probably on the switch.

--John
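
The ARP check suggested in the last reply, sketched as an added example that is not part of the thread: it classifies what a device has learned for the cluster IP by comparing the ARP entry with the MAC addresses NLB derives from that IP in each operation mode. The derivation (02-BF, 03-BF and 01-00-5E-7F prefixes) is NLB's documented behaviour rather than something stated in the posts; the addresses, the line layout of the sample tables and all function names are constructed for illustration.

```python
import re

MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b"      # Cisco style: 03bf.0a00.0032
    r"|\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b",  # 03-bf-0a-00-00-32 or colons
    re.I,
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample tables (interface, IP, MAC per line; layout is an assumption).
SAMPLE_LEARNED = """\
inside 10.0.0.1 0011.2233.4401
inside 10.0.0.50 03bf.0a00.0032
"""
SAMPLE_ONE_NODE = "inside 10.0.0.50 0011.2233.4402\n"


def nlb_cluster_macs(cluster_ip):
    """MACs NLB derives from cluster IP w.x.y.z, keyed by operation mode."""
    w, x, y, z = (int(o) for o in cluster_ip.split("."))
    return {
        "unicast": bytes([0x02, 0xBF, w, x, y, z]),
        "multicast": bytes([0x03, 0xBF, w, x, y, z]),
        "igmp-multicast": bytes([0x01, 0x00, 0x5E, 0x7F, y, z]),
    }


def parse_arp(text):
    """Return {ip: mac_bytes} from ARP table text, one entry per line."""
    table = {}
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue
        # Look for the IP outside the MAC so dotted MACs cannot confuse it.
        ip = IP_RE.search(line[:mac.start()] + " " + line[mac.end():])
        if ip:
            table[ip.group()] = bytes.fromhex(re.sub(r"[.:-]", "", mac.group()))
    return table


def classify_cluster_entry(arp_text, cluster_ip):
    """Say what the device has learned for the cluster IP."""
    mac = parse_arp(arp_text).get(cluster_ip)
    if mac is None:
        return "no-entry"
    for mode, expected in nlb_cluster_macs(cluster_ip).items():
        if mac == expected:
            return mode
    # Group bit (lowest bit of first octet) set means a multicast MAC.
    return "other-multicast" if mac[0] & 1 else "single-host-mac"
```

A result of "single-host-mac" means the device maps the cluster IP to one ordinary unicast MAC, so traffic it forwards to the cluster IP reaches only the machine that owns that MAC.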