NLB configuration problem

  • Question

  • Hi,

    I desperately try to get NLB running for a 2 node Array (UAG Update-2, TMG SP1, Update-1). I always get Events 21215 ("An inconsistency in the Network Load Balancing (NLB) configuration may result in inconsistent handling of traffic ...") & 21107 ("The firewall service failed to apply the Network Load Balancing (NLB) configuration on the local computer.").

    Two questions:

    1) Is NLB needed on the internal NIC, when SSTP and/or Network Connector (aka SSL Network Tunneling) is used?

    2) Could there be a problem with VLAN Tagging (http://support.microsoft.com/kb/912943)? VLAN Tagging is not used via the NIC driver but on the switch/firewall.

    Are there any more debug possibilities or ways to remove the NLB configuration and start from scratch?

    Best regards

    Thomas

    Monday, November 15, 2010 3:42 PM

Answers

  • Hi,

    hm, it works now!

    I first removed the array member server again from the array and did not import any configuration (as I have the suspicion that using the same IP for testing the portal as the VIP did cause the problem in the first place). Then on the array master I used the ConfMgrUtil with -del to delete any potential "corrupt" configuration (the TMG config and all customizations were not deleted btw). After that I re-joined the array member server to the array and configured NLB as normal - everything worked like a charm (I only had to resume NLB on the master because it was suspended - kinda strange).

    VLAN tagging on the switch does obviously not cause any problems when using NLB.

    Best regards

    Thomas

    • Marked as answer by Thomas Wendler Tuesday, November 16, 2010 1:26 PM
    Tuesday, November 16, 2010 1:12 PM
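    A post-change check for an array node, added here as an example and not part of the thread: it looks for the two TMG events the question cites, lists NLB node state (the accepted answer notes the master came back suspended), and flags any cluster VIP that is also configured as a node DIP, which the thread identifies as the likely root cause. Assumed: the NetworkLoadBalancingClusters module is present (Windows Server 2008 R2 or later), the events land in the Application log, and the `IPAddress` property names on the NLB cmdlet output.

```powershell
# Added example (not from the thread). Run on an array node in an elevated PowerShell.
param([int]$Hours = 24)

# 1) Recent NLB inconsistency (21215) or failed-apply (21107) events.
#    Assumption: TMG writes these to the Application log.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 21215, 21107; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if ($events) {
    Write-Warning ("{0} NLB-related event(s) in the last {1}h" -f @($events).Count, $Hours)
    $events | Select-Object TimeCreated, Id, ProviderName, Message | Format-List
} else {
    Write-Host "No events 21215/21107 in the last $Hours h"
}

# 2) NLB node state. A node left 'Suspended' after a re-join will not take traffic
#    until it is resumed (Resume-NlbClusterNode -HostName <name>).
Import-Module NetworkLoadBalancingClusters -ErrorAction Stop
$nodes = Get-NlbClusterNode
$nodes | Format-Table Name, State, Interface, HostID -AutoSize
$suspended = @($nodes | Where-Object { $_.State -match 'Suspended' })
if ($suspended.Count -gt 0) {
    Write-Warning ("Suspended node(s): {0}" -f (($suspended | ForEach-Object { $_.Name }) -join ', '))
}

# 3) VIP/DIP overlap: a cluster VIP must never also be a node's dedicated IP.
#    Assumption: both cmdlets expose the address as an IPAddress property.
$vips = @(Get-NlbCluster | Get-NlbClusterVip     | ForEach-Object { "$($_.IPAddress)" })
$dips = @(Get-NlbCluster | Get-NlbClusterNodeDip | ForEach-Object { "$($_.IPAddress)" })
$overlap = @($vips | Where-Object { $dips -contains $_ })
if ($overlap.Count -gt 0) {
    Write-Warning ("VIP also configured as a DIP: {0} - fix before applying NLB" -f ($overlap -join ', '))
} else {
    Write-Host ("VIPs: {0}; DIPs: {1}; no overlap" -f ($vips -join ', '), ($dips -join ', '))
}
```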

All replies

  • A1: To my knowledge, NLB is only supported on the internal interface with UAG when using DirectAccess; consequently I would say no. 

    A2: NLB and VLAN tagging on the same NIC are normally mutually exclusive. You will often need to configure a port based VLAN rather than a trunked connection to the switch, but it sounds like you are not doing it this way. The error you describe is pretty common for a NIC-style conflict when applying NLB. Are you using NIC teaming at all?

    Cheers

    JJ 


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, November 15, 2010 3:57 PM
  • Hi Jason,

    yes regarding internal NLB I have the same opinion (I did not find any clear statement though). Regarding VLAN tagging: the customer is using VLAN tagging on the switch port (although there is only one VLAN connected). The article speaks of using VLAN tagging via the NIC driver (that is not the case). The funny thing is that NLB did definitely work on the array master. After I did some testing (manual configuration of NLB via the NLB configuration tool and importing old configs) it shows the same symptoms though. I also have the strong feeling that the problem was originally caused by using the VIP as a DIP on the second server for testing (although I did run the UAG network wizard afterwards) and also importing this config into the array master (in order to migrate the working configuration into the array). Probably the VIP addresses are still there in some configuration settings (i.e. registry). Maybe we will do a clean install tomorrow and also try to de-activate VLAN tagging.

    Best regards

    Thomas

    Monday, November 15, 2010 6:47 PM
  • Hi Jason,

    yes regarding internal NLB I have the same opinion (I did not find any clear statement though). 

    Thomas

    Hi Thomas,

    Here's the statement about NLB not being supported on the internal network, for UAG trunks (meaning that NLB on internal network is only supported for DA):

    Configuring NLB for a Forefront UAG array

      The following procedure describes how to add VIPs to networks. Note that when you set up NLB to load balance traffic to Forefront UAG trunks, you can configure a VIP on the external network only. Configuring VIPs on the internal network is not supported.

    Regards,


    -Ran
    Monday, November 15, 2010 7:53 PM
  • Hi Jason,

    yes regarding internal NLB I have the same opinion (I did not find any clear statement though). Regarding VLAN tagging: the customer is using VLAN tagging on the switch port (although there is only one VLAN connected). The article speaks of using VLAN tagging via the NIC driver (that is not the case). The funny thing is that NLB did definitely work on the array master. After I did some testing (manual configuration of NLB via the NLB configuration tool and importing old configs) it shows the same symptoms though. I also have the strong feeling that the problem was originally caused by using the VIP as a DIP on the second server for testing (although I did run the UAG network wizard afterwards) and also importing this config into the array master (in order to migrate the working configuration into the array). Probably the VIP addresses are still there in some configuration settings (i.e. registry). Maybe we will do a clean install tomorrow and also try to de-activate VLAN tagging.

    Best regards

    Thomas


    Sounds like a good idea, and rules it out quickly ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 16, 2010 12:48 AM
  • Good stuff, it's always satisfying solving your own problems ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 16, 2010 2:37 PM