ISA Migration standard to Cluster
  • ISA Migration standard to Cluster

    Hi,

    I'm currently busy setting up an ISA cluster environment.

    We've installed the CSS on a DC. We installed a new machine with Windows 2003 SP1 and ISA 2004 Enterprise SP2. So far so good.

    After some testing we're able to go to the internet, and we're able to access OWA from external and VPN. Well, everything works fine to me.

    However, because this must become a cluster, we needed to set up NLB on the internal and external interfaces.

    We wanted to start with the internal interface. We set up NLB, which didn't give any issues. But when we started testing we saw the following:

    IE with proxy server didn't give any problems. Everything works fine. All external sites are accessible.
    IE without proxy gave problems. According to the logging from ISA we saw the following error: 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
    Sounds to me like something is going wrong with the NLB or with an ARP table.

    Tonight I will flush the router's ARP table and start a netmon. Also, I will try to change the default gateway of a test machine to the ISA server instead of the Cisco router. Further, I will try to set up multicast NLB instead of unicast.

    NLB is set up in unicast mode, and the switches are some kind of Dell layer 2 switches.

    Edit: I know that using a hub is supported by Microsoft, but we asked about it a while ago and the response was:
    In terms of NLB this is not really an ISA question but you are right and there are a number of issues with NLB and switches. One problem with NLB and switches is with layer 3 switches, due to the way layer 3 switches learn IP addresses, as in an NLB cluster all hosts share a common IP address. However, layer 2 switches may also run into issues due to MAC address learning. This can be resolved using MaskSourceMAC. Both of these are discussed in the following KB article:
    Configuration options for WLBS hosts connected to layer 2 switches (193602) - If you connect Network Load Balancing hosts with a switch, the switch must be layer 2 instead of layer 3 or higher, because all the hosts share the same IP address (the cluster IP address), and layer 3 switches direct network ...
    http://support.microsoft.com/kb/193602/en-us

    So, you should be OK with a layer 2 switch but using a hub would eliminate switch related issues.

    So, in the meantime, if anyone has a clue, let me know.
    Last edited by Dumber; 29th August 2006, 12:34.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

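The MAC-learning issue described in the quoted response above, as an added example that is not part of the original post: a toy layer-2 switch model showing why unicast NLB depends on MaskSourceMAC. The cluster IP, client MAC, port numbers and function names are constructed for illustration.

```python
# Added illustration: layer-2 MAC learning versus unicast NLB.
# All addresses and port numbers below are constructed sample values.
CLUSTER_IP = "192.0.2.10"
CLIENT_MAC = "00-11-22-33-44-55"
BROADCAST = "ff-ff-ff-ff-ff-ff"


def _ip_tail(ip):
    return "-".join(f"{int(octet):02x}" for octet in ip.split("."))


def cluster_mac(ip):
    # Unicast NLB: every host answers on the shared MAC 02-bf-w-x-y-z.
    return "02-bf-" + _ip_tail(ip)


def masked_mac(ip, host_priority):
    # MaskSourceMAC on: outgoing frames use 02-<priority>-w-x-y-z instead.
    return f"02-{host_priority:02x}-" + _ip_tail(ip)


class Switch:
    """Minimal learning switch: learn source MAC, forward or flood."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}  # MAC -> port where it was last seen as a source

    def forward(self, in_port, src, dst):
        self.table[src] = in_port
        if dst in self.table:
            return {self.table[dst]} - {in_port}
        return self.ports - {in_port}  # unknown destination: flood


def simulate(mask_source_mac):
    """Return the NLB host ports that receive a client frame."""
    nlb_hosts = {1: 1, 2: 2}  # switch port -> NLB host priority
    switch = Switch(ports=[1, 2, 3])  # port 3 is the client
    shared = cluster_mac(CLUSTER_IP)
    for port, priority in nlb_hosts.items():
        src = masked_mac(CLUSTER_IP, priority) if mask_source_mac else shared
        switch.forward(port, src, BROADCAST)  # any frame a host sends
    delivered = switch.forward(3, CLIENT_MAC, shared)
    return delivered & set(nlb_hosts)


if __name__ == "__main__":
    print("MaskSourceMAC on :", sorted(simulate(True)))
    print("MaskSourceMAC off:", sorted(simulate(False)))
```

With masking on, the switch never learns the shared MAC, so client frames are flooded and reach every host; with masking off, the switch pins the shared MAC to whichever port sent last and the other host sees nothing.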

  • #2
    Re: ISA Migration standard to Cluster

    Originally posted by Dumber
    Tonight I will flush the router's ARP table and start a netmon. Also, I will try to change the default gateway of a test machine to the ISA server instead of the Cisco router. Further, I will try to set up multicast NLB instead of unicast.
    Well, it won't be tonight. I can't reach any of our customers, so probably there are some activities on our network.

    time for some


    • #3
      Re: ISA Migration standard to Cluster

      Update:

      Today I wanted to start making sniffer traces with netmon. Suddenly everything worked after setting up NLB.
      I don't know why it suddenly works; however, I really don't like it.


      • #4
        Re: ISA Migration standard to Cluster

        New Update.

        ISA runs great on 1 node with NLB enabled; adding a second node also works well.
        However, when I open the NLB Manager, it cannot find the other node.
        Error: Could not locate NLB on the specified computer, error connecting <servername>
        Anyone got a clue?
        Last edited by Dumber; 6th October 2006, 09:46.


        • #5
          Re: ISA Migration standard to Cluster

          Update:

          The monitoring shows me that it kills RPC from the Allow intra-Array Communication.
          Source: internal - Destination: Localhost.

          Now I'm starting to think. Because of SP1 for Windows 2003 you don't need the Intra-Array network anymore, because you can do this over your LAN adapter. Hmmmm, I'll have a look at it tonight.


          • #6
            Re: ISA Migration standard to Cluster

            I read somewhere (don't know where anymore) that when SP1 is installed, you won't need an extra interface for Intra-array. Can anyone second that?


            • #7
              Re: ISA Migration standard to Cluster

              Well, we finally finished it.
              Last Saturday was our last working day.

              We did it as follows:

              ISA cluster in a separate VLAN with a separate IP range. And we've created an Intra-Array.


              • #8
                Re: ISA Migration standard to Cluster

                Well done. Have a !!!! or
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2



                • #9
                  Re: ISA Migration standard to Cluster

                  It was hard work.
                  Friday I worked until 11:45 PM, and Saturday till 9:00 PM.
                  Both days I started at 8:00 AM.

                  I've also found a strange bug within ISA. When I can simulate it in a test environment, I will post it back. If I can simulate it, I will probably report it to Microsoft.