VPN client on NLB cluster

I have two Win2k3 Terminal Servers that are clustered using Windows NLB. Each server has a single NIC in it, so the NLB is using multicast mode.

I need to install the Cisco VPN client on the servers (for a specific application).

When I install the VPN software it breaks the NLB cluster. I can understand why it does this, but that doesn't help me fix it.

I am looking for possible solutions?

Rob WilliamsCommented:
You mention; "I can understand why it does this", so you are probably aware that by default the Cisco client, for security reasons, blocks all traffic with other PC/servers on the same LAN, creating a tunnel only allowing traffic between it and the Cisco VPN router. The way to resolve this is to enable split-tunneling, but it can only be done by the Cisco admin, in the VPN configuration of the router.
Sorry, I am not a Cisco guy, and cannot help with the actual configuration. You may want to post a question or link in the Cisco forum. Or, if you are not the Cisco administrator, contact them and see if they are willing to do so. Also, if both terminal servers will need to use the Cisco client at the same time, from the same public IP, they will also have to configure NAT-T on the Cisco router.
Without getting into why you have the VPN client on the server (it would help to know but maybe not required knowledge), I would say the easiest route is to add a NIC to each server on a separate subnet and route the Cisco VPN client traffic out that extra NIC.
td_milesAuthor Commented:
To answer the questions:

RobWill - I'm aware of split tunneling. The issue is that the VPN client blocks the NLB cluster from working just when you install it, without connecting to any tunnels.

TheCleaner - I can elaborate. It's an accounting firm. They run a TS environment and the method for submitting stuff to certain govt sites is via the VPN client. This isn't a manual process; the accounting software uses the VPN client to automate the submission. If I install an extra NIC, do you know if there is any way of telling the Cisco VPN client to only use ONE of the NICs? It's been a while since I bothered to read the screens on the installer as I clicked "next", but I don't recall any option to bind to only one NIC?

Rob WilliamsCommented:
>>"when you install it, without connecting to any tunnels"
I have had similar problems, but with only some services. I was able to resolve it by right-clicking on the Cisco icon in the lower right and un-checking "stateful firewall always on". Worth a try.
td_milesAuthor Commented:
I'll try it. Thanks.
In regards to the routing, you can add static routes in your local OS routing table telling it to route traffic bound for those remote institutions using the VPN out the new NIC.

I'm honestly not sure on this though if you say it breaks the NLB cluster during install.

Is it possible to open a case with Cisco on this?
td_milesAuthor Commented:
I'm fairly sure Cisco will say that it's not supported on a NLB cluster.
I'm also fairly sure MS will say that installing VPN client on NLB is not supported either.

This is why I'm asking here instead of following up normal/formal support methods.
Well, according to this other EE question, someone else called Cisco on an NLB issue and it was resolved by altering the MTU size to account for the packet overhead.

One way you can tell if the MTU size is too large by default would be to:

ping address -l 1500 -f

If you get "packet needs to be fragmented" then change 1500 to 1480, then 1460, etc. in increments of 20 until it no longer gets fragmented.  That would give you a good indication of proper MTU size.

Also found an online article that said:

The other NLB mode is multicast mode. Microsoft would prefer to set the default mode to multicast, but there are problems because certain Cisco devices don't allow multicast MAC addresses to be associated with a unicast IP address, and the Cisco device will not insert a multicast MAC address into its ARP table if it's associated with a unicast IP address.

and here:  http://technet2.microsoft.com/windowsserver/en/library/597848c1-3ab4-4ade-80f2-b54bb33be5c11033.mspx?mfr=true

"Some routers require a static ARP entry because they do not support the resolution of unicast IP addresses to multicast media access control addresses. For example, Cisco routers require an ARP (address resolution protocol) entry for every virtual IP address. While Network Load Balancing uses Level 2 Multicast for the delivery of packets, Cisco's interpretation of the RFCs is that Multicast is for IP Multicast. So, when the router doesn't see a Multicast IP address, it does not automatically create an ARP entry, and one has to manually add it on the router."

So, according to that you can probably call Cisco, but it seems like your options could be to create a static ARP entry for the multicast address (which would mean it will probably need one for the default cluster and one for the address it gets over the VPN client tunnel), or switch to unicast mode.
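The ping loop above is the right idea, but note that `ping -l` sets the ICMP payload size, not the frame size: the path MTU is the largest unfragmented payload plus 28 bytes (20 IP + 8 ICMP), so `-l 1500 -f` fails even on a clean 1500-byte link, and 1472 is the largest payload that fits. The following is an added example, not code from the thread, that automates the probe as a binary search instead of stepping down 20 bytes at a time, parses the Windows ping wording, and reports the MTU. The host address and the `fake_ping_for_mtu` stand-in are constructed so the logic can be run offline; the real probe goes through `windows_ping`.

```python
"""Path-MTU probe in the spirit of the thread's `ping <addr> -f -l <size>` loop.

Added example, not from the original thread. `ping -l` sets the ICMP payload,
so the largest payload that passes with DF set, plus 28 bytes of headers
(20 IP + 8 ICMP), is the path MTU. The search is binary rather than the
20-byte step-down described in the thread.
"""
import subprocess
from typing import Callable

IP_HEADER = 20
ICMP_HEADER = 8
HEADER_OVERHEAD = IP_HEADER + ICMP_HEADER  # 28 bytes

# Wording Windows ping prints when DF is set and the probe would need fragmenting.
FRAGMENT_MARKERS = ("needs to be fragmented", "but DF set")


def ping_fragments(output: str) -> bool:
    """True if the ping output reports the probe had to be fragmented."""
    return any(marker in output for marker in FRAGMENT_MARKERS)


def windows_ping(host: str, payload: int) -> str:
    """Run one DF-bit probe using the Windows ping syntax from the thread."""
    proc = subprocess.run(
        ["ping", host, "-n", "1", "-f", "-l", str(payload)],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout + proc.stderr


def probe_path_mtu(host: str,
                   run_ping: Callable[[str, int], str] = windows_ping,
                   low: int = 0, high: int = 1472) -> int:
    """Binary-search the largest unfragmented payload and return payload + 28.

    `high` defaults to 1472, the largest payload that fits a 1500-byte MTU, so a
    jumbo-frame path is reported as 1500; raise `high` if that matters.
    """
    if ping_fragments(run_ping(host, low)):
        raise RuntimeError("even the smallest probe is fragmented")
    while low < high:
        mid = (low + high + 1) // 2
        if ping_fragments(run_ping(host, mid)):
            high = mid - 1
        else:
            low = mid
    return low + HEADER_OVERHEAD


def fake_ping_for_mtu(path_mtu: int) -> Callable[[str, int], str]:
    """Constructed stand-in for ping so the probe can be exercised offline.

    Mimics a path whose MTU is `path_mtu` by emitting the Windows fragmentation
    message for any probe larger than that.
    """
    def _run(host: str, payload: int) -> str:
        if payload + HEADER_OVERHEAD > path_mtu:
            return "Packet needs to be fragmented but DF set."
        return f"Reply from {host}: bytes={payload} time<1ms TTL=128"
    return _run


if __name__ == "__main__":
    # Constructed scenario: a VPN path that only carries 1400-byte packets
    # (1500 minus tunnel overhead). 192.0.2.10 is a documentation address.
    print(probe_path_mtu("192.0.2.10", fake_ping_for_mtu(1400)))  # 1400
```

Against a real target, `probe_path_mtu("192.0.2.10")` uses the Windows ping. The value it returns is what you would set as the NIC or client MTU if the tunnel overhead turns out to be the problem; on a 1500-byte LAN with a typical IPsec client, expect something in the 1300-1400 range over the tunnel and 1500 to local hosts.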


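The static ARP entry the TechNet quote above calls for needs the NLB cluster MAC, which the thread never spells out. As an added example (not from the thread), the block below derives it from the cluster IP and prints the router and switch lines. Assumptions: the MAC layouts are the documented Windows NLB ones (02-BF-<IP> unicast, 03-BF-<IP> multicast, 01-00-5E-7F-<last two octets> IGMP multicast); the `arp <ip> <mac> arpa` and `mac-address-table static` forms are generic IOS and should be checked against the actual router and switch platform; the 192.168.1.100 cluster address, VLAN and port names are constructed. One caveat on the "switch to unicast mode" alternative: with a single NIC per node, unicast mode leaves the two terminal servers unable to talk to each other, which is the usual reason single-NIC clusters run multicast in the first place.

```python
"""Derive the Windows NLB cluster MAC and the Cisco static entries it needs.

Added example, not from the original thread. MAC layouts are the documented
Windows NLB conventions; the IOS command forms are generic and must be checked
against the platform in use (assumption).
"""
import ipaddress
from typing import List


def _ip_hex_octets(ip: str) -> List[str]:
    """Return the four octets of an IPv4 address as two-digit hex strings."""
    return [f"{octet:02x}" for octet in ipaddress.IPv4Address(ip).packed]


def nlb_cluster_mac(cluster_ip: str, mode: str = "multicast") -> str:
    """Cluster MAC for the given NLB mode, dash-separated as Windows shows it.

    unicast:   02-BF-<ip>            (replaces the NIC MAC on every node)
    multicast: 03-BF-<ip>            (what a single-NIC cluster normally uses)
    igmp:      01-00-5E-7F-<3rd>-<4th> (IGMP multicast, a valid IP multicast MAC)
    """
    octets = _ip_hex_octets(cluster_ip)
    if mode == "unicast":
        parts = ["02", "bf"] + octets
    elif mode == "multicast":
        parts = ["03", "bf"] + octets
    elif mode == "igmp":
        parts = ["01", "00", "5e", "7f"] + octets[2:]
    else:
        raise ValueError(f"unknown NLB mode: {mode}")
    return "-".join(parts)


def to_cisco_mac(mac: str) -> str:
    """Convert 03-BF-C0-A8-01-64 (or colon form) to IOS dotted 03bf.c0a8.0164."""
    hexdigits = mac.replace("-", "").replace(":", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def cisco_static_arp(cluster_ip: str, mode: str = "multicast") -> str:
    """IOS static ARP line mapping the unicast VIP to the cluster MAC.

    This is the entry the TechNet text says Cisco routers will not learn on
    their own for a multicast MAC (assumed generic IOS syntax).
    """
    mac = to_cisco_mac(nlb_cluster_mac(cluster_ip, mode))
    return f"arp {cluster_ip} {mac} arpa"


def cisco_static_mac_table(cluster_ip: str, vlan: int, interfaces: List[str],
                           mode: str = "multicast") -> str:
    """Pin the cluster MAC to the NLB nodes' switch ports.

    Without this a multicast MAC is flooded to every port in the VLAN
    (assumed generic Catalyst IOS syntax).
    """
    mac = to_cisco_mac(nlb_cluster_mac(cluster_ip, mode))
    return f"mac-address-table static {mac} vlan {vlan} interface {' '.join(interfaces)}"


if __name__ == "__main__":
    # Constructed cluster: VIP 192.168.1.100, nodes on Fa0/1 and Fa0/2 in VLAN 10.
    print(cisco_static_arp("192.168.1.100"))
    print(cisco_static_mac_table("192.168.1.100", 10, ["Fa0/1", "Fa0/2"]))
```

For the thread's situation you would add one `arp` entry per virtual IP the cluster answers on; an address handed out by the VPN client is a host address on the Cisco client's virtual adapter, not an NLB VIP, so it does not get a 03-BF entry.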
td_milesAuthor Commented:
Time to put this one in the "too hard basket" and move on with life. Thanks to you both for your help, if you have no objections I'll divide the points up between the two of you.
Rob WilliamsCommented:
:-)  No objections.
Cheers !