Balancing Act: Dual-NIC Configuration with Windows Server 2008 NLB Clusters


We’ve had a few calls from customers who have run into a particular issue when deploying NLB on a Windows Server 2008 cluster. Most of them have had older NLB deployments and thought that a change we made to 2008 NLB caused the problem. The installations with the issue have dual-NIC nodes with the default gateway on the Outbound NIC. This is the reported behavior:

  • Communication with the cluster IP from a computer on the same subnet works without a problem
  • Communication with the cluster IP from a computer on a different subnet fails
  • If you move the default gateway to the cluster NIC, everything works

What does that look like?

In some cases, you might want to keep your default gateway on a 2nd NIC in order to have all inbound traffic use one interface and outbound traffic use another, as shown in the diagram below:

image

In Windows Server 2003, a packet from the client would route in through the inbound NIC and, because the client was not on the same subnet, the response would be sent back via the outbound NIC to the default gateway and back to the client. The problem with the above configuration on a 2008 server is that we disabled IP forwarding by default. Therefore, when the packet enters the inbound NIC, which has no default gateway, it has no way to get off the subnet and the packet is dropped.

Does that mean it won’t work in Windows Server 2008?

There is actually a simple change in order to get this to work without putting the default gateway on the cluster NIC.  You need to enable routing using one of the two following methods – via netsh or via the registry:

Via netsh:

  • First, you need to get the name of the Cluster NIC.  This appears in “Network Connections” or, from the command prompt, run the following command:
    • netsh interface show int
  • The output will look like this:
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        Cluster NIC
  • That will show you the interfaces in the server.  Find the name of the cluster NIC and put it in quotes in the following command:
    • netsh interface ipv4 set interface "Cluster NIC" forwarding=enabled
  • You can confirm that it is changed by running the command:
    • netsh interface ipv4 show interface l=verbose
  • If you look at the output below, you’ll see that Forwarding is now enabled:
Interface Cluster NIC Parameters
----------------------------------------------
IfLuid                             : ethernet_5
IfIndex                            : 10
Compartment Id                     : 1
State                              : connected
Metric                             : 20
Link MTU                           : 1500 bytes
Reachable Time                     : 30000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 3
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection   : enabled
Router Discovery                   : dhcp
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default routes              : disabled

Via the registry:

Add the following value:

Key name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value Name: IpEnableRouter 
Data Type: REG_DWORD 
Value: 1  
Be sure to reboot the server for the change to take effect. The netsh command does not require a reboot.
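
Because netsh sets forwarding per interface, it is worth confirming after the change that only the intended NIC forwards packets. The following is an added example, not part of the original post: it parses the verbose netsh output shown above and flags any interface other than the cluster NIC that has Forwarding enabled. The function names and the second interface name ("Outbound NIC") in the sample are assumptions for illustration.

```powershell
# Added example (not from the original post). Parses the text printed by
#   netsh interface ipv4 show interface l=verbose
# and returns one object per interface with its forwarding and weak-host state.
function Get-ForwardingState {
    param([string[]]$NetshLines)
    $results = @()
    $props = $null
    foreach ($line in $NetshLines) {
        if ($line -match '^Interface (.+) Parameters\s*$') {
            # A new interface block starts: emit the previous one first.
            if ($props) { $results += New-Object PSObject -Property $props }
            $props = @{ Interface = $Matches[1]; Forwarding = 'unknown'
                        WeakHostSends = 'unknown'; WeakHostReceives = 'unknown' }
        }
        elseif ($props -and $line -match '^\s*(Forwarding|Weak Host Sends|Weak Host Receives)\s*:\s*(\S+)') {
            # The property name with spaces removed is the hashtable key.
            $props[($Matches[1] -replace ' ', '')] = $Matches[2]
        }
    }
    if ($props) { $results += New-Object PSObject -Property $props }
    return $results
}

# Interfaces that forward packets but are not on the expected list.
function Find-UnexpectedForwarding {
    param([string[]]$NetshLines, [string[]]$Expected)
    Get-ForwardingState $NetshLines |
        Where-Object { $_.Forwarding -eq 'enabled' -and $Expected -notcontains $_.Interface }
}

# Constructed sample: the first block follows the post's output, the second
# interface ("Outbound NIC") and its values are made up for illustration.
$sample = @'
Interface Cluster NIC Parameters
----------------------------------------------
IfIndex                            : 10
Forwarding                         : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled

Interface Outbound NIC Parameters
----------------------------------------------
IfIndex                            : 11
Forwarding                         : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
'@ -split "`r?`n"

Get-ForwardingState $sample | Format-Table Interface, Forwarding, WeakHostSends, WeakHostReceives -AutoSize
Find-UnexpectedForwarding $sample -Expected 'Cluster NIC' | ForEach-Object {
    Write-Warning "Forwarding is enabled on '$($_.Interface)', which is not the cluster NIC"
}
```

On a live node, replace `$sample` with `(netsh interface ipv4 show interface l=verbose)` to audit the real interfaces.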

Hopefully, this blog will provide you with a quick fix for your new Server 2008 NLB deployment!

- Michael Rendino and Pete Sullivan

  • Hi Michael, very interesting scenario but, you don't need to activate also the Weak Host Sends to permit the packet from the outgoing NIC to maintain the source IP of the Incoming NIC?

  • Now I have something more than, "trust me, I know what I'm doing" when I run into this again (technet blogs tend to be credible sources for the management types). Also, for the folks who are stuck in the Windows NT 3.51 days, I can show them the registry edit.

  • We have tested to configure the forwarding=enabled and that is ok for ping etc. But web clients to the OWA page with ssl notice that the answer is from the wrong NIC. So we set a gateway on the NLB, but what metric should we use?

  • This article http://support.microsoft.com/kb/323339 says 2003 also uses this setting by default, but you are saying 2008 is a change from 2003. Which is it?

  • Hi,

    I am deploying NLB in the same config on Windows 2008. We have enabled forwarding but still the issue exists. I am not able to reach cluster ip (on Inbound) from client subnet.

    Also, if I move the default gateway to cluster NIC (Inbound), still the same problem.

    Would like to highlight that I have enabled forwarding using netsh command and I was able to view it using netsh show interface. However, when I checked in registry "IpEnableRouter" was set to 0, I changed it to 1, rebooted, but still the problem is same.

    Any suggestion. Thanks!

  • Hey Vinit. Is the client IP on a remote subnet? Does the same thing work on a local subnet? If it works locally, it sounds like you're looking at a different issue. Are you running in Unicast or Multicast? If you're in multicast, you may have hit an issue that just got resolved (http://support.microsoft.com/kb/960916) or you may need to add a static arp entry on your router for the cluster IP (http://support.microsoft.com/kb/193602). You may want to take some network captures from both nodes and the remote client to see if the requests from the client are even reaching the cluster.

    Hope that helps!

  • Outstanding blog.... such a frustrating little problem easily fixed with this article!

    My NLB cluster of my Client Access Servers now works externally!

    Thank you!

  • In the above scenario, what method have you used (unicast or multicast)?

  • Excellent article! Solved the problem on our Win2008 R2 NLB Cluster.