NLB Firewall Issue?

I am running the Microsoft Network Load Balancer on a webfarm with 4 servers. The nodes are configured using multicast and I verified they can be accessed both inside and outside the firewall (Cisco PIX 515 running 6.3(3)). The issue I am having is that when I test the failover by shutting down one of the servers I notice that inside the firewall I am still able to access the webfarm but outside I get a "page cannot be displayed". I narrowed it down to notice that server #2 is the only one the firewall sees. If that server is down, I am unable to ping the virtual IP of the webfarm, but inside the firewall I am still able to access the webpage when server #2 is down. The only ports I am forwarding through the firewall are ports 80 and 443. Are there any additional ports that need to be opened for the multicasting to work correctly?

Any suggestions are appreciated.

nathands

On Fri, 01 Jun 2007 15:56:19 +0000, nathands wrote:

I never heard about that.

Is there an option to check access on port 80? If so, watch in the web server logs that the check succeeds.

How does your LB work: NAT, round-robin, DNS, routed? It sounds like the web server itself doesn't answer to the multicast, and the LB should learn that somebody is down. Please provide more information.

cheers

Burkhard Ott

What does "show arp web.farm.ip.addr" (on the PIX) show? Does it show the multicast address that is configured on the NLB?

What do the switches that are connected to the PIX show for the above MAC address (in their MAC tables)? Do you have IGMP snooping enabled for this VLAN? I think NLB works in a strange way by "instructing" (either by using multicast or by doing a tricky manipulation of the ARP tables) the switches to flood the packets destined to the cluster IP address to the whole VLAN. You could try connecting the PIX with the NLB machines via a hub and check if the setup is working properly. If it works, the problem is probably on the switch.

--John

ela
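
As an added example (not part of any post above), the ARP check ela asks about can be scripted: derive the MAC addresses NLB assigns to a cluster IP and classify what a device's ARP table holds for that IP. The 02-BF, 03-BF and 01-00-5E-7F prefixes are NLB's cluster MAC conventions; the cluster IP, the sample ARP lines and their column layout are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of ARP table lines (interface, IP, MAC); not real output.
SAMPLE_ARP = """\
inside 192.168.10.1 0011.2233.4455
dmz 192.168.10.100 0013.7255.a1b2
"""

MAC_RE = re.compile(r"(?i)^(?:[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"
                    r"|[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})$")

def nlb_cluster_macs(cluster_ip):
    """MACs NLB derives from the cluster IP, keyed by operating mode."""
    o = ipaddress.IPv4Address(cluster_ip).packed
    return {
        "unicast": bytes([0x02, 0xBF]) + o,
        "multicast": bytes([0x03, 0xBF]) + o,
        "igmp": bytes([0x01, 0x00, 0x5E, 0x7F]) + o[2:],
    }

def parse_mac(text):
    """Accept 03bf.c0a8.0a64, 03-BF-C0-A8-0A-64 or 03:bf:c0:a8:0a:64."""
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[.:-]", "", text))

def classify_arp_entry(cluster_ip, mac_text):
    """Say whether a MAC is one of the cluster MACs or something else."""
    mac = parse_mac(mac_text)
    for mode, expected in nlb_cluster_macs(cluster_ip).items():
        if mac == expected:
            return f"nlb-{mode}"
    # Lowest bit of the first octet set means a group (multicast) address.
    return "other-group-address" if mac[0] & 0x01 else "single-host"

def check_arp_output(cluster_ip, output):
    """Classify every ARP line that mentions the cluster IP."""
    results = []
    for line in output.splitlines():
        tokens = line.split()
        if cluster_ip in tokens:
            macs = [t for t in tokens if MAC_RE.match(t)]
            if macs:
                results.append(classify_arp_entry(cluster_ip, macs[0]))
    return results

if __name__ == "__main__":
    print(check_arp_output("192.168.10.100", SAMPLE_ARP))
```

A `single-host` result for the cluster IP means the device has bound the virtual IP to one machine's NIC, so frames for that IP reach only that machine.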
