Hello Everyone,
This is my first post however definitely not the last.
I am somewhat confused about NLB clustering on Windows 2003 and am not sure if my design is appropriate. Everything is somewhat working, but I was hoping someone could provide some advice or suggestions as I am very new to NLB.
Setup:
Firewall (FW Redirects all HTTP and UDP to NLB Shared VIP)
|
|
=====Cisco 2960=====
| | |
| | |
| | UDP_Server
| IIS_2
IIS_1
Clients make HTTP and UDP requests to the Firewall’s external IP. This traffic in turn gets redirected to the NLB VIP which is shared by the three hosts. All HTTP traffic being sent to the VIP needs to be distributed equally to the two IIS servers and all UDP traffic needs to go to the UDP server (hoping to change this).
I have opted to use Multiple Host Filtering with Single affinity selected. Instead of sharing the rules between all hosts, I read that you can uncheck the all box on each NLB server config and hard code rules to the server’s VIP.
IIS_1 and IIS_2 have the same port rule configs hardcoded.
[1. 0% load for UDP, 2. 50% load for HTTP]
The UDP server has two different rules.
[1. 0% load set for HTTP and 2. 100% load set for UDP]
I have read somewhere that different rules are bad only when they are shared amongst servers using the all box. Can someone validate this for me?
NLB did not complain about the configs on any of the servers and all have converged through unicast.
I’ve noticed, though, that from time to time if I fail IIS on one of the servers, clients are unable to access files and don’t attempt to retrieve them from the other IIS server.
A Wireshark capture from the client side shows TCP messages from the IP of the firewall with the RST flag set.
My feeling is that connections are trying to be restored to the same host due to NLB’s affinity when using the “Single” option with “Multiple host” filtering.
When I turn IIS back on, the capture shows the client re-establishing the communication and downloading the file once again. From what I understand, affinity forces connections to go back to the same host, which is what I'm seeing here.
Have I made a mistake with my rules? I think this might be the case... NLB setup is fairly simple, so it almost seems that the servers are not communicating properly between themselves and telling the other that its IIS has faulted.
I also plan to make the following changes if the powers that be allow me.
My first change is to take the UDP Server out of the NLB cluster and have the firewall do the redirection of traffic. The second one is to move the heartbeat to its own LAN.
Any help would be much appreciated as I don’t know what to do at this point. I have read so many books and searched for hours online without finding the answer. My work is under pressure and I need to bust my butt to resolve it. 22 hours of work over the weekend and still going strong... Almost there, just need to get over the last hurdle.
Please let me know if you need clarification on any of the above.
Thanks in advance.
Evan
(CCNA, CCDA, CCNP[Expired])
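The symptom described above (a node with IIS stopped stays converged in the cluster and answers with RSTs) is what NLB does by design: its heartbeat only tracks whether a host is up, not whether the application on it is healthy, so nothing drains the node when IIS alone fails. The watchdog below is an added illustration, not code from the original post: it probes the local IIS and issues wlbs drainstop when the probe fails repeatedly, then wlbs start once IIS answers again. It assumes a hypothetical health page at http://localhost/health.htm, wlbs.exe on the PATH, PowerShell 2.0 or later, and that it runs every minute from a scheduled task with rights to control NLB.

```powershell
# Added example (not from the original post): drain this NLB node when local IIS fails.
# Assumptions: hypothetical health page, wlbs.exe on PATH, run every minute as a scheduled task.
$ProbeUrl  = 'http://localhost/health.htm'   # hypothetical health page served by local IIS
$StateFile = 'C:\nlb-watchdog\fails.txt'     # persists the consecutive-failure count between runs
$LogFile   = 'C:\nlb-watchdog\watchdog.log'
$FailLimit = 3                               # consecutive failed probes before draining

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

function Test-LocalIis {
    # Returns $true only if IIS answers the probe with HTTP 200 within 5 seconds.
    try {
        $req = [System.Net.HttpWebRequest]::Create($ProbeUrl)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $ok = ([int]$resp.StatusCode -eq 200)
        $resp.Close()
        return $ok
    } catch {
        return $false
    }
}

function Get-FailCount {
    if (Test-Path $StateFile) { return [int](Get-Content $StateFile) }
    return 0
}
if (-not (Test-Path (Split-Path $StateFile))) { New-Item -ItemType Directory -Path (Split-Path $StateFile) | Out-Null }

$fails = Get-FailCount
if (Test-LocalIis) {
    if ($fails -ge $FailLimit) {
        # IIS is back on a node we drained earlier: rejoin the cluster.
        & wlbs start | Out-Null
        Write-Log "IIS healthy again; 'wlbs start' issued to rejoin the cluster"
    }
    Set-Content -Path $StateFile -Value '0'
} else {
    $fails++
    Set-Content -Path $StateFile -Value $fails
    Write-Log "IIS probe failed ($fails/$FailLimit)"
    if ($fails -eq $FailLimit) {
        # Stop taking new connections, finish existing ones, then leave the cluster,
        # so new clients converge onto the other IIS node instead of getting a RST.
        & wlbs drainstop | Out-Null
        Write-Log "'wlbs drainstop' issued; node left the cluster"
    }
}
```

With Single affinity, clients already pinned to the failed node still lose their in-flight connection; the drain only stops new ones from being sent there.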