Question
Monday, June 16, 2014 10:47 PM | 1 vote
I have a two node NLB cluster configured. It all seems to be working fine (I can see requests being directed to both nodes) but soon after config is completed and convergence has taken place I get "host unreachable" errors in NLB manager on both nodes and I can no longer control a remote node in the cluster.
If I turn off the Windows firewall on both nodes in the cluster the errors stop and I can resume controlling remote nodes. This is strange as I have all the automatically created NLB firewall rules present (see below).
Unless I disable the firewalls, this is stopping me from taking a node into "drainstop".
Anyone know what firewall rule I need to add to fix this?
Hibs Ya Bass!
All replies (13)
Wednesday, June 18, 2014 9:36 AM
Hi,
Could you tell us whether the VIP of the NLB cluster is accessible when your NLB Manager shows the “host unreachable” error? Please confirm you have configured the port rules correctly first:
The related KB:
Create a new Network Load Balancing Port Rule
http://technet.microsoft.com/en-us/library/cc733056.aspx
Hope this helps.
Wednesday, June 18, 2014 6:35 PM
What version are you running? Are the machines fully patched, or hanging on a pending reboot?
Greetings, Robert Smit Follow me @clustermvp http://robertsmit.wordpress.com/ “Please click "Vote As Helpful" if it is helpful for you and Proposed As Answer” Please remember to click “Mark as Answer” on the post that helps you
Wednesday, June 18, 2014 10:27 PM
I set up the cluster fine and it converged with everything looking OK, but the next day when I checked, the remote hosts in NLB Manager were being reported as unreachable.
Load balancing is taking place, so yes, the VIP is accessible.
The port rules are purely for incoming requests to the cluster, are they not? They don't have anything to do with communication between the hosts of the cluster.
Wednesday, June 18, 2014 10:35 PM
2008 R2. All patched, no updates pending.
Thursday, June 19, 2014 1:35 PM
Are you using one or two NICs?
As you know, the best way to do NLB is to use two NICs: one NIC uses the LAN for domain traffic and the other is pure NLB, so all the NLB traffic goes through this NIC.
There are several posts about how to create an NLB: Network Load Balancing How To...
Or
https://robertsmit.wordpress.com/category/windows-2012-nlb/
Greetings, Robert Smit
Friday, June 20, 2014 1:47 AM
Just the one NIC.
Not having a problem creating the cluster, just administering it after it has been created.
Tuesday, June 24, 2014 1:31 AM
Hi,
Please try to disable applying any GPO to these servers, and confirm whether the network location profile is correct when the problem occurs; maybe it is the known issue in KB2524478.
The related KB:
The network location profile changes from "Domain" to "Public" in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2524478/en-us
Hope this helps.
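The profile check suggested in this reply can be done from a console on each node. The following is an added example, not part of the original thread: it lists the firewall profile currently active and whether each NLB rule is enabled for that profile. It assumes the automatically created rules carry "Network Load Balancing" in their display name (English OS) and uses the `HNetCfg.FwPolicy2` COM object so that it works with PowerShell 2.0 on Windows Server 2008 R2.

```powershell
# Added diagnostic sketch; not from the original thread.
# Assumption: NLB rule display names contain "Network Load Balancing".
$namePattern  = '*Network Load Balancing*'
$profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

function Convert-ProfileMask([int]$mask) {
    # Firewall profiles are a bitmask: 1 = Domain, 2 = Private, 4 = Public.
    # A rule scoped to "All" has every bit set and reports all three names.
    $names = @()
    foreach ($bit in 1, 2, 4) {
        if ($mask -band $bit) { $names += $profileNames[$bit] }
    }
    return ($names -join ',')
}

$policy = New-Object -ComObject HNetCfg.FwPolicy2
$active = $policy.CurrentProfileTypes
Write-Output ("Active firewall profile(s): " + (Convert-ProfileMask $active))

$policy.Rules |
    Where-Object { $_.Name -like $namePattern } |
    ForEach-Object {
        # Direction: 1 = inbound, 2 = outbound.
        $direction = 'Out'
        if ($_.Direction -eq 1) { $direction = 'In' }
        New-Object PSObject -Property @{
            Name         = $_.Name
            Direction    = $direction
            Enabled      = $_.Enabled
            RuleProfiles = Convert-ProfileMask $_.Profiles
            # True only when the rule is enabled AND scoped to a profile
            # that is active right now on this node.
            AppliesNow   = [bool]($_.Enabled -and ($_.Profiles -band $active))
        }
    } |
    Select-Object Name, Direction, Enabled, RuleProfiles, AppliesNow |
    Sort-Object Name |
    Format-Table -AutoSize
```

A rule that is present and enabled but shows `AppliesNow` as False is scoped to a different profile than the one the node is currently using; compare the output from both nodes.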
Thursday, June 26, 2014 1:13 AM
These servers aren't on a domain. They are on a DMZ and stand alone.
Thursday, June 26, 2014 7:51 AM
Hi,
That is why you should use two NICs; then you could easily manage node 1 by connecting to the non-NLB IP and leave the NLB as the NLB network. Using NLB with only one NIC makes it less flexible.
The NLB listens only to its VIP address, so you will need to create listening ports on the VIP.
Go with the two-NIC scenario; way better and easier!
Greetings, Robert Smit
Thursday, June 26, 2014 11:00 PM
Still doesn't really explain why everything works with the FW down, but as soon as I enable the FW I can no longer administer the cluster.
Friday, June 27, 2014 5:56 AM
You will need to make FW rules for the NLB VIP address and for both local addresses; if you don't, then all will fail.
That is an extra reason to have multiple NICs.
Greetings, Robert Smit
Tuesday, July 1, 2014 6:47 AM
I've done that too. I even created a rule which allowed all ports between the range 10.x.x.10 and 10.x.x.12 (which equates to both local addresses and the VIP) and that still didn't work.
Monday, September 29, 2014 9:53 AM
Hi,
The best way to do NLB is having two NICs: one for the NLB and one for the LAN.
Firewall rules can be set and the server is better to control this way.
Greetings, Robert Smit