Dual-NIC NLB Configuration with Windows Server 2008 NLB Clusters
We’ve had a few calls from customers who ran into a particular issue after deploying NLB on a Windows Server 2008 cluster. Most of them had older NLB deployments and assumed we had changed NLB in 2008 in a way that caused the problem. The installations with the issue have dual-NIC nodes with the default gateway on the outbound NIC. This is the reported behavior:
What does that look like?
In some cases you might want to keep the default gateway on a second NIC so that all inbound traffic uses one interface and all outbound traffic uses another, as shown in the diagram below:
In Windows Server 2003, a packet from a remote client comes in through the inbound NIC; because the client is not on that NIC's subnet, the reply goes out the outbound NIC to the default gateway and on to the client. The 2003 stack used the weak host model, so it would send from one interface a reply whose source address belonged to the other. The same configuration fails on Windows Server 2008: the rewritten TCP/IP stack uses the strong host model and ships with IP forwarding disabled by default, so the inbound NIC, which has no default gateway of its own, has no way to get the reply off its subnet and the packet is dropped.
Does that mean it won’t work in Windows Server 2008?
There is a simple change that gets this working without moving the default gateway to the cluster NIC: enable IP routing (forwarding) on the node. You can do that in one of two ways, via netsh or via the registry:
Via netsh
Enable forwarding on the cluster (inbound) NIC with netsh interface ipv4 set interface, then confirm with netsh interface ipv4 show interfaces that the interface reports Forwarding as enabled, as in the output below:
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        Cluster NIC

Interface Cluster NIC Parameters
----------------------------------------------
IfLuid                             : ethernet_5
IfIndex                            : 10
Compartment Id                     : 1
State                              : connected
Metric                             : 20
Link MTU                           : 1500 bytes
Reachable Time                     : 30000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 3
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : dhcp
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Via the registry
Add (or set) the following value, then restart the node for it to take effect. Unlike the per-interface netsh setting, this value enables IP routing on every interface of the node:
Key name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value name: IpEnableRouter
Data type: REG_DWORD
Value data: 1
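As an added example (not code from the original post), the following PowerShell script applies and verifies both methods on one NLB node. It assumes the cluster (inbound) interface is named "Cluster NIC" as in the netsh output above, runs from an elevated prompt, and uses a script-only -UseRegistry switch to also set the IpEnableRouter value from the post; that switch is an assumption of this script, not a Windows setting.

```powershell
# Added example, not part of the original post: enable IP forwarding on a
# Windows Server 2008 NLB node and verify it. Run from an elevated prompt on
# every node. Assumption: the inbound/cluster interface is named "Cluster NIC".
param(
    [string]$ClusterNic = "Cluster NIC",
    [switch]$UseRegistry   # script-only option: also set IpEnableRouter=1 (global, needs a reboot)
)

$ErrorActionPreference = 'Stop'
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-ForwardingState {
    # Reads the "Forwarding : enabled|disabled" line from
    # "netsh interface ipv4 show interfaces <name>".
    param([string]$Nic)
    $text = (netsh interface ipv4 show interfaces "$Nic") -join "`n"
    if ($text -match '(?m)^\s*Forwarding\s*:\s*(\w+)') { return $Matches[1] }
    throw "Interface '$Nic' not found in netsh output"
}

$before = Get-ForwardingState $ClusterNic
Write-Host "Forwarding on '$ClusterNic' before: $before"

# Method 1: per-interface forwarding. Takes effect immediately; store=persistent
# keeps it across reboots.
netsh interface ipv4 set interface "$ClusterNic" forwarding=enabled store=persistent | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh could not enable forwarding on '$ClusterNic'" }

$after = Get-ForwardingState $ClusterNic
if ($after -ne 'enabled') { throw "Forwarding still reports '$after' on '$ClusterNic'" }
Write-Host "Forwarding on '$ClusterNic' after: $after"

# Method 2 (optional): the IpEnableRouter value from the post. Unlike the netsh
# setting it applies to every interface, and only after a restart.
if ($UseRegistry) {
    Set-ItemProperty -Path $tcpipParams -Name IpEnableRouter -Value 1 -Type DWord
    Write-Host 'IpEnableRouter set to 1; restart the node for it to take effect.'
}
$ipEnableRouter = (Get-ItemProperty -Path $tcpipParams -Name IpEnableRouter -ErrorAction SilentlyContinue).IpEnableRouter
if ($null -eq $ipEnableRouter) { $ipEnableRouter = '(not set)' }
Write-Host "IpEnableRouter is currently $ipEnableRouter"

# Sanity check: the only default route (0.0.0.0/0) should still point out the
# outbound NIC; the cluster NIC must not have acquired one.
Write-Host 'Default routes:'
netsh interface ipv4 show route | Where-Object { $_ -match '0\.0\.0\.0/0' }
```

Two things to keep in mind before running this on a live cluster. Enabling forwarding makes the node willing to route packets between its two subnets, so anything that can reach the inbound subnet can now reach the outbound one through the node (and the other way round); put the access control on the upstream router or firewall rather than assuming the two NICs isolate the subnets. And the registry method is global and needs a restart, so drainstop the node out of the cluster before rebooting it.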
Hopefully, this blog will provide you with a quick fix for your new Server 2008 NLB deployment!
- Michael Rendino and Pete Sullivan
Hi Michael, very interesting scenario, but don't you also need to activate Weak Host Sends to permit the packet from the outgoing NIC to keep the source IP of the incoming NIC?
Now I have something more than, "trust me, I know what I'm doing" when I run into this again (technet blogs tend to be credible sources for the management types). Also, for the folks who are stuck in the Windows NT 3.51 days, I can show them the registry edit.
We have tested configuring forwarding=enabled and that is OK for ping etc. But web clients to the OWA page with SSL notice that the answer is from the wrong NIC. So we set a gateway on the NLB, but what metric should we use?
This article http://support.microsoft.com/kb/323339 says 2003 also uses this setting by default, but you are saying 2008 is a change from 2003. Which is it?
I am deploying NLB in the same configuration on Windows 2008. We have enabled forwarding but the issue still exists. I am not able to reach the cluster IP (on the inbound NIC) from the client subnet.
Also, if I move the default gateway to the cluster NIC (inbound), the problem is still the same.
I would like to highlight that I enabled forwarding using the netsh command and was able to see it using netsh show interface. However, when I checked the registry, "IpEnableRouter" was set to 0; I changed it to 1 and rebooted, but the problem is still the same.
Any suggestions? Thanks!
Hey Vinit. Is the client IP on a remote subnet? Does the same thing work on a local subnet? If it works locally, it sounds like you're looking at a different issue. Are you running in unicast or multicast? If you're in multicast, you may have hit an issue that just got resolved (http://support.microsoft.com/kb/960916), or you may need to add a static ARP entry on your router for the cluster IP (http://support.microsoft.com/kb/193602). You may want to take some network captures from both nodes and the remote client to see if the requests from the client are even reaching the cluster.
Hope that helps!
Outstanding blog.... such a frustrating little problem easily fixed with this article!
My NLB cluster of my Client Access Servers now works externally!
In the above scenario, which method did you use (unicast or multicast)?
Excellent article! Solved the problem on our Win2008 R2 NLB Cluster.