This topic provides guidance for diagnosing and resolving issues that you may
encounter when you use Network Load Balancing (NLB) to load balance traffic among
Forefront TMG array members.
By default, NLB assumes that NLB interfaces are connected to a Layer 2 device. In
this configuration, NLB uses the MaskSourceMAC feature to ensure that the switch
cannot learn the original source MAC addresses of the NLB hosts.
To identify NLB-enabled hosts when using switch or network tracing software, look
for MAC addresses that start with 02. The masked MAC address is the same as the
original MAC address except that the first two octets are replaced as follows:
02-[host ID, zero-padded]-[remaining original MAC address octets]. For example, an
NLB host with a host ID of 3 and a MAC address of 00-19-BB-3C-29-08 has a
substituted source MAC address of 02-03-BB-3C-29-08.
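The masking rule above is mechanical enough to script. The following Python is an added example for this topic (it is not code from the Forefront TMG documentation): it builds the masked source MAC from a host ID and original MAC, scans constructed trace lines for 02-prefixed source MACs, and separates masked host MACs from the NLB cluster MAC itself, which also begins with 02 in unicast mode (the 02-BF prefix). The cluster MAC layouts in cluster_mac (unicast 02-BF-w-x-y-z, multicast 03-BF-w-x-y-z, IGMP 01-00-5E-7F-y-z for a cluster VIP w.x.y.z) follow the documented NLB convention rather than anything stated on this page, and writing host IDs above 9 as a hex octet is an assumption.

```python
"""Recognise NLB-masked source MAC addresses in a frame trace.

Added example for this troubleshooting topic; not part of the original
Forefront TMG documentation. The masking rule is the one the topic states
(02-[host ID]-[remaining octets]); the cluster MAC layouts follow the
documented NLB convention and are not taken from this page.
"""
import ipaddress
import re

# Any hyphen-separated six-octet MAC address appearing in a trace line.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\b")


def masked_source_mac(host_id, original_mac):
    """Return the source MAC an NLB host substitutes when MaskSourceMAC is on.

    The first two octets of the original MAC are replaced by 02 and the
    zero-padded host ID; the last four octets are kept. Host IDs above 9
    are assumed here to be written as a hex octet (an assumption).
    """
    if not 1 <= host_id <= 32:
        raise ValueError("NLB host IDs range from 1 to 32")
    octets = original_mac.upper().split("-")
    if len(octets) != 6:
        raise ValueError("expected six hyphen-separated octets")
    return "-".join(["02", f"{host_id:02X}", *octets[2:]])


def cluster_mac(vip, mode="unicast"):
    """Derive the NLB cluster MAC for a VIP in the given operation mode
    (documented NLB convention, not stated on this page)."""
    w, x, y, z = ipaddress.IPv4Address(vip).packed
    if mode == "unicast":
        octets = (0x02, 0xBF, w, x, y, z)
    elif mode == "multicast":
        octets = (0x03, 0xBF, w, x, y, z)
    elif mode == "igmp":
        octets = (0x01, 0x00, 0x5E, 0x7F, y, z)
    else:
        raise ValueError(f"unknown cluster operation mode: {mode}")
    return "-".join(f"{o:02X}" for o in octets)


def classify_mac(mac):
    """Classify a MAC from a trace as ('host', id), ('cluster', None) or ('other', None).

    02-BF / 03-BF are cluster MACs, not masked hosts, even though the
    unicast one also starts with 02.
    """
    octets = mac.upper().split("-")
    if octets[0] in ("02", "03") and octets[1] == "BF":
        return "cluster", None
    if octets[0] == "02" and 1 <= int(octets[1], 16) <= 32:
        return "host", int(octets[1], 16)
    return "other", None


def find_nlb_hosts(trace_lines):
    """Return {'hosts': {masked_mac: host_id}, 'cluster_macs': {mac, ...}}."""
    hosts, clusters = {}, set()
    for line in trace_lines:
        for mac in MAC_RE.findall(line):
            kind, host_id = classify_mac(mac)
            if kind == "host":
                hosts[mac.upper()] = host_id
            elif kind == "cluster":
                clusters.add(mac.upper())
    return {"hosts": hosts, "cluster_macs": clusters}


# Constructed sample trace lines (not captured from a real network).
SAMPLE_TRACE = [
    "10:01:02.113 src=02-03-BB-3C-29-08 dst=00-1A-2B-3C-4D-5E ARP reply",
    "10:01:02.201 src=00-50-56-A1-B2-C3 dst=02-BF-C0-A8-01-0A TCP SYN",
    "10:01:02.350 src=02-01-BB-3C-29-10 dst=00-50-56-A1-B2-C3 TCP SYN-ACK",
]

if __name__ == "__main__":
    print(masked_source_mac(3, "00-19-BB-3C-29-08"))  # 02-03-BB-3C-29-08
    print(cluster_mac("192.168.1.10"))                # 02-BF-C0-A8-01-0A
    print(find_nlb_hosts(SAMPLE_TRACE))
```

Run it over the MAC column of a switch CAM dump or a packet capture export and the hosts dictionary tells you which NLB host IDs are actually visible on a port; a cluster MAC showing up as a learned source address on a switch port is a sign that MaskSourceMAC is off or the port is not behaving as the Layer 2 device NLB expects.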
In Multicast cluster operation mode, when the source MAC address is masked, the ARP
response from an NLB host carries a substitute source MAC address in the Ethernet
frame but the correct NLB cluster MAC address in the ARP header. Some Layer 3
switches and routers are confused by this response and cannot perform the ARP
mapping automatically. In this case, create a static ARP entry on the affected
switch or router that maps the NLB virtual IP address to the NLB cluster MAC address.
In unicast mode (the default Forefront TMG cluster operation mode), NLB induces
switch flooding by design, relaying packets sent to the VIP addresses to all
cluster hosts. Switch flooding is part of the NLB strategy for obtaining the best
throughput for any specific load of client requests. However, if the NLB interfaces
share the switch with other (non-cluster) computers, switch flooding adds to the
other computers' network overhead by including them in the flooding, and
consequently has a detrimental effect on network and/or server performance.
To solve this problem, isolate the NLB hosts so that the inherent switch flooding
mechanism only affects cluster nodes, as opposed to other non-cluster computers on
the same network (broadcast domain). This can be achieved by placing the NLB
interfaces in their own LAN or virtual LAN, thereby creating an isolated network
for NLB-related communications. Another option to avoid flooding non-cluster
computers is to place a network hub between the switch and the NLB interfaces, and
then disable the MaskSourceMAC feature.
Although multicast mode is often used to remove unicast mode limitations such as
switch flooding, this operational mode can also cause switch flooding. As with
unicast mode, this can be solved by placing the NLB interfaces into their own LAN
or virtual LAN, thereby creating an isolated network across which to pass multicast
traffic. If this is not possible, map the switch ports to which NLB-enabled
interfaces are attached to the NLB cluster MAC address via static entries in the
Content-Addressable Memory (CAM) table of the switch. This ensures that the switch
is aware of which switch ports are NLB-enabled and eliminates the need to flood all
ports.
If you have the network hardware to support it, use the Multicast with IGMP cluster
operation mode and configure appropriate network devices to support IGMP snooping.
This restrains multicast traffic in a switched network without the use of dedicated
VLANs. By default, a LAN switch floods multicast traffic within the broadcast
domain, consuming bandwidth if several multicast servers send streams to the same
segment. With IGMP snooping, the switch intercepts IGMP messages from the host and
updates its MAC table accordingly, eliminating the need to manually update the CAM
entries.
Flowchart for troubleshooting NLB
This flowchart guides you through the steps that are required for troubleshooting
NLB.
Procedures for troubleshooting NLB
The following procedures describe the steps you might need to take when you use the
flowchart to troubleshoot NLB.
How to check if the array members are in synch with the CSS
How to check if the route from the array member to the CSS goes through a NIC
with MAC address starting with 02-bf
How to check if the array members are in synch with the CSS
For more information see Creating a standalone array.
To check if the array members are in synch with the CSS
In the Forefront TMG Management console, in the tree, click the Monitoring
node.
In the Forefront TMG Management console, in the tree, click the Networking
node.
Select the networks that will be load balanced. NLB cannot be configured for
enterprise-level networks or for the following default array-level networks: Local
Host, Quarantined VPN Clients, and VPN Clients.
Define the Primary VIP, Subnet mask and Cluster operation mode (Unicast,
Multicast or IGMP Unicast).
Important:
The virtual IP address must belong to the network.
In the Forefront TMG Management console, in the tree, click the Monitoring
node.
In the Alerts tab, check that NLB Started for each array member.
In the Network Load Balancing Manager (nlbmgr), check the status of the current
node for all clusters defined. Repeat this for each member.
Run nlb display to view the current state of the NLB cluster and hosts. Repeat
this for each member.
In the Forefront TMG Management console, in the tree, click the Networking
node.
Click Next.
Select the required network, and then click Configure NLB Setting.
In the Forefront TMG Management console, in the tree, click the Troubleshooting
node.
Run the Web access and Non-Web access simulation scenarios. If required, update
the policy rules.
In the Forefront TMG Management console, in the tree, click the Monitoring
node.