Solved

VPN client on NLB cluster

Posted on 2008-02-05
Medium Priority
1,175 Views
Last Modified: 2013-11-21
I have two Win2k3 Terminal Servers that are clustered using Windows NLB. Each server has a single NIC in it, so the NLB is using multicast mode.

I need to install the Cisco VPN client on the servers (for a specific application).

When I install the VPN software it breaks the NLB cluster. I can understand why it does this, but that doesn't help me fix it.

I am looking for possible solutions.
0
Question by:td_miles
10 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20840941
You mention, "I can understand why it does this", so you are probably aware that by default the Cisco client, for security reasons, blocks all traffic with other PCs/servers on the same LAN, creating a tunnel only allowing traffic between it and the Cisco VPN router. The way to resolve this is to enable split-tunneling, but it can only be done by the Cisco admin, in the VPN configuration of the router.
Sorry, I am not a Cisco guy, and cannot help with the actual configuration. You may want to post a question or link in the Cisco forum. Or, if you are not the Cisco administrator, contact them and see if they are willing to do so. Also, if both terminal servers will need to use the Cisco client at the same time, from the same public IP, they will also have to configure NAT-T on the Cisco router.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 20840972
Without getting into why you have the VPN client on the server (it would help to know but maybe not required knowledge), I would say the easiest route is to add a nic to each server on a separate subnet and route the Cisco VPN client traffic out that extra NIC.
0
 
LVL 13

Author Comment

by:td_miles
ID: 20845118
To answer the questions:

RobWill - I'm aware of split tunneling. The issue is that the VPN client blocks the NLB cluster from working just when you install it, without connecting to any tunnels.

TheCleaner - I can elaborate. It's an accounting firm. They run a TS environment and the method for submitting stuff to certain govt sites is via the VPN client. This isn't a manual process; the accounting software uses the VPN client to automate the submission. If I install an extra NIC, do you know if there is any way of telling the Cisco VPN client to only use ONE of the NICs? It's been a while since I bothered to read the screens on the installer as I clicked "next", but I don't recall any option to bind to only one NIC.

Thanks.
0

 
LVL 78

Expert Comment

by:Rob Williams
ID: 20845299
>>"when you install it, without connecting to any tunnels"
I have had similar problems, but with only some services. I was able to resolve it by right-clicking on the Cisco icon in the lower right and un-checking "Stateful Firewall (Always On)". Worth a try.
0
 
LVL 13

Author Comment

by:td_miles
ID: 20845553
I'll try it. Thanks.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 20847551
In regards to the routing: you can add static routes in your local OS routing table telling it to route traffic bound for those remote institutions using the VPN out the new NIC.

I'm honestly not sure on this though if you say it breaks the NLB cluster during install.

Is it possible to open a case with Cisco on this?
0
 
LVL 13

Author Comment

by:td_miles
ID: 20917817
I'm fairly sure Cisco will say that it's not supported on a NLB cluster.
I'm also fairly sure MS will say that installing VPN client on NLB is not supported either.

This is why I'm asking here instead of following up normal/formal support methods.
0
 
LVL 23

Accepted Solution

by:
TheCleaner earned 1200 total points
ID: 20921286
Well, according to this other EE question, someone else called Cisco on an NLB issue and it was resolved by altering the MTU size to account for the packet overhead.

One way you can tell if the MTU size is too large by default would be to:

ping address -l 1500 -f

If you get "packet needs to be fragmented" then change 1500 to 1480, then 1460, etc. in decrements of 20 until it no longer gets fragmented. That would give you a good indication of the proper MTU size.

Also found an online article that said:

The other NLB mode is multicast mode. Microsoft would prefer to set the default mode to multicast, but there are problems because certain Cisco devices don't allow multicast MAC addresses to be associated with a unicast IP address, and the Cisco device will not insert a multicast MAC address into its ARP table if it's associated with a unicast IP address.

and here: http://technet2.microsoft.com/windowsserver/en/library/597848c1-3ab4-4ade-80f2-b54bb33be5c11033.mspx?mfr=true

"Some routers require a static ARP entry because they do not support the resolution of unicast IP addresses to multicast media access control addresses. For example, Cisco routers require an ARP (address resolution protocol) entry for every virtual IP address. While Network Load Balancing uses Level 2 Multicast for the delivery of packets, Cisco's interpretation of the RFCs is that Multicast is for IP Multicast. So, when the router doesn't see a Multicast IP address, it does not automatically create an ARP entry, and one has to manually add it on the router."

So, according to that you can probably call Cisco, but it seems like your options could be to create a static ARP entry for the multicast address (which would mean it will probably need one for the default cluster and one for the address it gets over the VPN client tunnel), or switch to unicast mode.
0
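The "decrement by 20 until it stops fragmenting" procedure above, written out as a small script. This is an added example, not code from the accepted answer or from Cisco/Microsoft, and it goes slightly beyond the post: after the coarse 20-byte steps it binary-searches the remaining window for the exact boundary. It assumes Windows `ping` with English output (the probe matches the literal "needs to be fragmented" and "Reply from" strings), and it converts the `-l` data size to an IP-level MTU by adding the 20-byte IPv4 header plus 8-byte ICMP echo header (28 bytes). The function names (`discover_mtu`, `simulated_path`, and so on) and the 1448-byte constructed path used by default are assumptions for illustration.

```python
import subprocess

# IPv4 header (20 bytes) + ICMP echo header (8 bytes): ping -l sets only the
# data size, so the packet on the wire is payload + 28 bytes.
IP_ICMP_OVERHEAD = 28


def windows_ping_needs_fragmentation(host):
    """Probe built around the command from the post: one echo (-n 1),
    -l <payload> data bytes, -f (Don't Fragment). The returned function
    takes a payload size and reports whether the path refused it."""
    def probe(payload):
        out = subprocess.run(
            ["ping", "-n", "1", "-l", str(payload), "-f", host],
            capture_output=True, text=True,
        ).stdout
        if "needs to be fragmented" in out:
            return True           # some hop on the path cannot carry it
        if "Reply from" in out and "bytes=" in out:
            return False          # echo answered without fragmentation
        # Timeouts and "unreachable" carry no MTU information; treating
        # them as success would overstate the usable MTU, so refuse to guess.
        raise RuntimeError(f"no usable reply for payload {payload}: {out.strip()!r}")
    return probe


def simulated_path(path_mtu):
    """Constructed stand-in for a real network (no packets sent): a path
    whose largest deliverable IP packet is path_mtu bytes, e.g. a VPN
    tunnel shaving its encapsulation overhead off Ethernet's 1500."""
    def probe(payload):
        return payload + IP_ICMP_OVERHEAD > path_mtu
    return probe


def coarse_search(probe, start=1500, step=20, floor=576):
    """The post's procedure: start at `start` and drop by `step` until a
    probe gets through. Returns the first unfragmented payload, or None
    if nothing down to `floor` (IPv4's minimum reassembly size) passes."""
    payload = start
    while payload >= floor:
        if not probe(payload):
            return payload
        payload -= step
    return None


def refine(probe, ok, too_big):
    """Binary search between a payload known to pass and one known to
    fail, narrowing the coarse step window to the exact boundary."""
    while too_big - ok > 1:
        mid = (ok + too_big) // 2
        if probe(mid):
            too_big = mid
        else:
            ok = mid
    return ok


def discover_mtu(probe, start=1500, step=20, exact=True):
    """Coarse search, then optional exact refinement.
    Returns (largest_unfragmented_payload, estimated_path_mtu) or None."""
    payload = coarse_search(probe, start, step)
    if payload is None:
        return None
    if exact and payload < start:
        # payload + step was the last size that did fragment
        payload = refine(probe, payload, payload + step)
    return payload, payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    import sys
    # With a host argument, probe the real path from a Windows box;
    # without one, run against the constructed 1448-byte path.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe = windows_ping_needs_fragmentation(target) if target else simulated_path(1448)
    print(discover_mtu(probe))
```

One thing the coarse procedure hides: on a plain 1500-byte Ethernet path, `ping -l 1500 -f` always reports fragmentation, because the data plus 28 header bytes is 1528; the largest data size that fits is 1472. The `estimated_path_mtu` value above already accounts for that, so it is the number to compare against the interface or tunnel MTU you intend to set.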
 
LVL 13

Author Comment

by:td_miles
ID: 21123185
Time to put this one in the "too hard basket" and move on with life. Thanks to you both for your help, if you have no objections I'll divide the points up between the two of you.
0
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 800 total points
ID: 21124530
:-)  No objections.
Cheers !
0
