<div>
Is this a new implementation or has NLB failed?
</div>


<div>
Andrew<br />
<br />
New setup. How would I know if NLB failed?
</div>


<div>
Okay there are specific requirements for Windows Network Load Balancing to function otherwise it will not function<br />
<br />
Firstly did you use Multicast?
</div>


<div>
Need to make a few assumptions first....<br />
<br />
On the Meraki are you using NAT or port forwarding?<br />
<br />
Are you using split DNS? &nbsp;This would be required where you have an internal VIP but where you are using a NAT or port forwarding external to internal. &nbsp;The exception here would be where you are hosting a Load Balancing appliance/virtual in a DMZ - preferred - and traffic is traversing the external Firewall to the load-balancer where you have an external VIP and then a &quot;SNAT&quot; to internal that would - hopefully - traverse another firewall....hence DMZ.<br />
<br />
If you are not using the Load Balancing piece then NAT or Port Forwarding?<br />
<br />
Regardless, you would need external DNS entries that only resolve to your external NAT'd IP Address.<br />
<br />
Then, internal DNS entries that resolve to the NAT.<br />
<br />
For the external DNS to work would require a registered domain and you can have internal and external IP defined for the registered domain but using the &quot;Split DNS&quot; as I described above.<br />
<br />
Using a 1:1 NAT example, you would have the external, registered IP, facing NAT IP Address that resolves to the external FQDN IP &gt;&nbsp;external hits the NAT &gt;&nbsp;NAT address configured to hit the internal IP Address. &nbsp;<br />
<br />
A potential issue might come with the &quot;rewrite&quot; where your using a different FQDN versus directory structure on those two load-balanced servers /newpath/newsite. &nbsp;Can you verify the NAT or port forwarder hits the internal LB IP and how the rewrite is &quot;written&quot;?<br />
<br />
Let me know if you want to discuss further.
</div>


<div>
Andrew<br />
<br />
Yes I setup the NLB to be multicast.<br />
<br />
see image<br />
<br />
What &nbsp;else would you like to see?<br />
<a href="https://filedb.experts-exchange.com/incoming/2019/01_w03/1409916/nlbmulticast.PNG" target="_blank" class="file-inline" title="nlb multicast (17 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>nlbmulticast.PNG</a>
</div>


nlbmulticast.PNG

<div>
Brian<br />
<br />
My Meraki is using port forwarding.<br />
<br />
The web farm is behind the NLB Servers NLB Network Load Balancing <br />
<br />
<br />
You last question not sure <br />
<br />
Load balancing is all new to me
</div>


<div>
You will need to add Static ARP Entries for the multicast MAC address and IP Address in your switches otherwise NLB cannot converge<br />
<br />
Not all switches support Static ARP Entries and hence it fails
</div>


Senior Information Technology Consultant

Brian Murphy

<div>
I agree with Andrew in that first step is to verify resolution of your converged infrastructure to the primary IP address (NLB) to MAC using ARP. Assuming you used just one IP address for NLB and using multicast.<br />
<br />
One example might be where you can &quot;ping&quot; the NLB from the same subnet but when you come from a different routed subnet you cannot ping NLB. &nbsp;Being this is a virtual IP between multiple nodes one of the requirements of NLB is turning on &quot;proxy ARP support&quot; on the router in question and adding the static ARP entry.
</div>


<div>
Andrew was on the phone with Meraki support<br />
<br />
First we changed from multicast to unicast. &nbsp; It still did not work<br />
<br />
We then &nbsp;did a capture &nbsp;he saw that the http traffic was making it to the load balancer virtual ip address but no return traffic.<br />
<br />
Thoughts.
</div>


<div>
Brian<br />
<br />
I can ping the virtual ip <br />
<br />
Pinging 10.2.8.171 with 32 bytes of data:<br />
Reply from 10.2.8.171: bytes=32 time&lt;1ms TTL=128<br />
Reply from 10.2.8.171: bytes=32 time&lt;1ms TTL=128<br />
Reply from 10.2.8.171: bytes=32 time&lt;1ms TTL=128<br />
Reply from 10.2.8.171: bytes=32 time&lt;1ms TTL=128<br />
<br />
Ping statistics for 10.2.8.171:<br />
&nbsp; &nbsp; Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />
Approximate round trip times in milli-seconds:<br />
&nbsp; &nbsp; Minimum = 0ms, Maximum = 0ms, Average = 0ms
</div>


<div>
Was Wireshark used? &nbsp;I would need to see the traffic but don't upload it...can probably get through this without seeing the traffic.<br />
<br />
So, there is nothing else between the Miraki and the server(s) NLB except a Layer 2/3 switch?
</div>


<div>
No he did it on my meraki dash board<br />
<br />
My network is this<br />
<br />
one Meraki MX 60 <br />
Two Fios Internet pipes 100 up down on both<br />
<br />
one Meraki MS220 8 Port POE switch<br />
<br />
One Cisco &nbsp;WS C3750 48 TS switch &nbsp; &nbsp; &nbsp; &nbsp;10/100/1000<br />
<br />
All one subnet 10.2.8.x &nbsp;255 255.252.0 <br />
<br />
He is going to send my the trace <br />
<br />
Tom
</div>


<div>
Brian <br />
<br />
He used wires shark and he sent me the captures.<br />
<br />
How can we handle this?
</div>


Member_2_6492660_1

<div>
Hold on to the captures for now. &nbsp;Seems like a Layer 2 issue. &nbsp;Just seems odd that traffic would traverse the switch from Meraki and hit the NLB.<br />
<br />
Let's walk through this for a moment.<br />
<br />
What I would expect is that if you ping the NLB from the Meraki it is sent to both nodes (Unicast) and perhaps looks like it is going to the NLB.<br />
<br />
In Unicast mode, NLB replaces the actual Media Access Control (MAC) address of each server in the cluster with a common NLB MAC address. The MAC address is used in the Address Resolution Protocol (ARP) header, not the Ethernet header. The switch uses the MAC address in the Ethernet header, not the ARP header. <br />
<br />
Without the IGMP option, NLB uses a locally administered Multicast MAC address with a different prefix than that of IANA assigned.<br />
<br />
Multicast mode set in the GUI instructs the cluster members to respond to ARP for the Virtual IP and use address with the use of a multicast MAC address, such as 0300.XXXXX<br />
<br />
The ARP process does not complete for multicast MAC addresses (this breaks RFC 1812). A static MAC address is required in order to reach the cluster outside of the local subnet.<br />
&nbsp;<br />
Without those static entries for multicast you would expect to see a lot of broadcast? Unless using IGMP?<br />
<br />
The recommendation for avoiding/containing this flooding is the configuration of static MAC entries for the multicast Cluster MAC (binding it exclusively to the required ports) on your switch. Those static entries then also will be listed in the &quot;show mac address-table&quot; output.<br />
<br />
Otherwise, add static route...such as....<br />
arp 10.2.8.171 0300.XXXX.XXXX<br />
<br />
Now, since the inbound packets have a unicast destination IP address and a multicast destination MAC address you would need to insert a static mac-address-table entry in order to switch the cluster-bound packets for the physical port. &nbsp;If there is more than one port, need to verify this first for that particular switch but the command would look something like:<br />
<br />
mac address-table static 0300.5e01.0101 vlan XXX interface GigabitEthernet1/5<br />
<br />
And, on Meraki static arp resolution to the Multicast MAC address of NLB IP.<br />
<br />
With the IGMP option, you can make use of IGMP snooping in order to avoid the broadcast and the static MAC entries are not required in this case.<br />
<br />
The multicast cluster MAC can be learned dynamically by IGMP snooping. <br />
<br />
It should then be listed in the &quot;show mac address-table multicast&quot; output.<br />
<br />
Make sense?
</div>


<div>
Brian,<br />
<br />
I made the change to IGMP multicast &nbsp;no luck.<br />
<br />
Was on the Phone with Meraki and we tried to find the mac address on the meraki and my cisco switch not found<br />
<br />
From my desktop I can ping 10.2.8.171<br />
From the Meraki I can not ping the ip address <br />
<br />
cisco3750#show mac address-table multicast<br />
Vlan &nbsp; &nbsp;Mac Address &nbsp; &nbsp; &nbsp; Type &nbsp; &nbsp; &nbsp; &nbsp;Ports<br />
---- &nbsp; &nbsp;----------- &nbsp; &nbsp; &nbsp; ---- &nbsp; &nbsp; &nbsp; &nbsp;-----<br />
cisco3750#<br />
<br />
Not listed <br />
<br />
From the switch I can not ping the virtual switch either<br />
<br />
So if the meraki can not ping the virtual ip address in any mode then it will never work correct?<br />
<br />
Thanks <br />
<br />
Tom
</div>


<div>
Update<br />
<br />
I switch the NLB Cluster properties to Unicast again going to let it set for a few minutes or so see if I can ping from the meraki <br />
<br />
This is an ARP -a from the NLB server<br />
<br />
C:\Windows\system32&gt;arp -a<br />
<br />
Interface: 10.2.8.171 --- 0xc<br />
&nbsp; Internet Address &nbsp; &nbsp; &nbsp;Physical Address &nbsp; &nbsp; &nbsp;Type<br />
&nbsp; 10.2.8.1 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;00-18-0a-46-0d-c8 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.24 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-19-b9-f8-aa-c6 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.69 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-25-64-87-18-e3 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.70 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-25-64-60-50-83 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.10.10.255 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ff-ff-ff-ff-ff-ff &nbsp; &nbsp; static<br />
&nbsp; 224.0.0.22 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;01-00-5e-00-00-16 &nbsp; &nbsp; static<br />
&nbsp; 224.0.0.252 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 01-00-5e-00-00-fc &nbsp; &nbsp; static<br />
<br />
Interface: 10.2.8.169 --- 0xd<br />
&nbsp; Internet Address &nbsp; &nbsp; &nbsp;Physical Address &nbsp; &nbsp; &nbsp;Type<br />
&nbsp; 10.2.8.1 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;00-18-0a-46-0d-c8 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.4 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;e0-5f-b9-25-a4-c0 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.16 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-50-56-b5-32-85 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.19 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-22-6b-ec-55-c6 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.22 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-0c-29-e9-e8-70 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.24 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-19-b9-f8-aa-c6 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.26 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-50-56-9e-5c-23 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.27 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-50-56-bd-3c-04 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.30 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-19-b9-f8-fc-e9 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.69 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-25-64-87-18-e3 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.70 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-25-64-60-50-83 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.71 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 50-46-5d-3c-dd-e9 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.85 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-50-56-9e-3e-65 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.86 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-50-56-9e-35-8f &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.87 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 00-50-56-9e-05-91 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.100 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;00-50-56-9e-3e-65 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.123 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;00-50-56-89-b8-a2 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.124 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;00-50-56-89-b9-c4 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.151 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;00-50-56-89-8d-0a &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.8.170 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;00-50-56-89-b0-65 &nbsp; &nbsp; dynamic<br />
&nbsp; 10.2.11.255 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ff-ff-ff-ff-ff-ff &nbsp; &nbsp; static<br />
&nbsp; 224.0.0.22 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;01-00-5e-00-00-16 &nbsp; &nbsp; static<br />
&nbsp; 224.0.0.251 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 01-00-5e-00-00-fb &nbsp; &nbsp; static<br />
&nbsp; 224.0.0.252 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 01-00-5e-00-00-fc &nbsp; &nbsp; static<br />
<br />
<br />
you can see 10.2.8.1 (gateway address Meraki) &nbsp;on the 10.2.8.171 (VIP of NLB)<br />
<br />
Thoughts
</div>


<div>
Update <br />
<br />
So after a short time I was able to ping the virtual ip address of the NLB server from my meraki router.<br />
<br />
I switched the port forwarding from the physical web server to the vip of the nlb server and I still can not access my web sites.<br />
<br />
This is with unicast setup.
</div>


<div>
Guys<br />
<br />
Thanks for all the help on this<br />
<br />
I switched over to using my Kemp Load Balancer setup IIS and now my sites all work.<br />
<br />
Meraki does not support static ARP entries they cannot be configured on the Meraki Devices.<br />
<br />
Kemp was a better solution.<br />
<br />
I posted another Load Balancer Question today if either of you are available<br />
<br />
<br />
Thank you<br />
<br />
Tom
</div>


<div>
This is often the issue with a VMware vSphere NLB and Static ARP entries not being supported by network equipment.<br />
<br />
KEMP is a far better solution.<br />
<br />
Microsoft NLB was always very poor... (and complicated with the Static ARP requirement)
</div>


<div>
Agreed, I would only add that my preference on the Load Balancing is to host the LB in a true DMZ configuration and even prefer furthermore to have those isolated and forward to additional HA pair internal. &nbsp;In this scenario, port forward or NAT to DMZ hosted LB VIP with SNAT &nbsp;and hit another LB pair internal. &nbsp;I've used Kemp but don't recall if it has FW module option like Netscaler and F5. &nbsp;This yields great rewards when dealing with web traffic. &nbsp;Application load-balancing, SSL acceleration, not to mention all the metrics you get with something like HDX.<br />
<br />
As I had alluded to in initial comment:<br />
<br />
&quot;Are you using split DNS? &nbsp;This would be required where you have an internal VIP but where you are using a NAT or port forwarding external to internal. &nbsp;The exception here would be where you are hosting a Load Balancing appliance/virtual in a DMZ - preferred - and traffic is traversing the external Firewall to the load-balancer where you have an external VIP and then a &quot;SNAT&quot; to internal that would - hopefully - traverse another firewall....hence DMZ.&quot;
</div>


<div>
<div class="content wysiwyg-content">
2 Windows 2012 R2 Data Center NLB IIS DFS/R URL Rewrite<br />
2 Windows 2012 R2 Data Center Web Farm IIS DF/R<br />
VMware ESXI 6.5<br />
<br />
I can not access my web sites externally. &nbsp; Internally using the VIP of the NLB servers it works.<br />
<br />
When I modify my Meraki router to point to the VIP of the NLB no one can access my two sites.<br />
<br />
If I change the meraki router to point to the physical address of one of the Web Farm servers that works also.<br />
<br />
I need to be able to access my web farms thru the NLB servers<br />
<br />
Thank you<br />
<br />
Tom
</div>
</div>


2 Windows 2012 R2 Data Center NLB IIS DFS/R URL Rewrite
2 Windows 2012 R2 Data Center Web Farm IIS DF/R
VMware ESXI 6.5

I can not access my web sites externally.   Internally using the VIP of the NLB servers it works.

When I modify my Meraki router to point to the VIP of the NLB no one can access my two sites.

If I change the meraki router to point to the physical address of one of the Web Farm servers that works also.

I need to be able to access my web farms thru the NLB servers

Thank you

Tom

Web Farm not accessible Externally using NLB VIP

network load balance

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.

Windows OS

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

VMware, a software company founded in 1998,  was one of the first commercially successful companies to offer x86 virtualization. The storage company EMC purchased VMware in 1994. Dell Technologies acquired EMC in 2016. VMware’s parent company is now Dell Technologies.

VMware has many software products that run on desktops, Microsoft Windows, Linux, and macOS, which allows the virtualizing of the x86 architecture.  Its enterprise software hypervisor for servers, VMware vSphere Hypervisor (ESXi), is a bare-metal hypervisor that runs directly on the server hardware and does not require an additional underlying operating system.