ScreenOS Firewalls (NOT SRX)

Netscreen SSG-550M and Windows NLB Issue

‎12-17-2019 08:59 AM

Hello Everyone,

 

I'm troubleshooting an issue with a Windows NLB cluster and facing some challenges making it work. When we add a new VM to the cluster, the NLB VIP doesn't respond to hosts outside its VLAN or IP subnet.

----------------------------------------------

NW Side:

- L3 device: Netscreen SSG-550M  [Gateway for Server Subnet along with the policies]

Static arp mapping to VIP along with the port.

Eg: set arp 192.168.x.y 03bfc0a8xxyz ethernet0/1

 

- L2 SWs:

static mac configuration to the respective ports.

----------------------------------------------

 

Windows Side: [OS 2012 R2/Exchange: 2013]

NLB on Hyper-V with 2 NICs

1 with GW - for Management -

1 without GW - for NLB Communications

 

Tried to join a fresh VM to the cluster; when we pause the existing VM and bring up the new VM, the NLB IP doesn't respond to client requests.

 

Did a packet capture on the NLB NIC and found the following:

- NLB VIP is receiving the requests from the Users.

- NLB NIC IP is also receiving the requests from the Users.

- However, the NLB VIP is only responding to another server within the same subnet/VLAN.

- No replies are seen in the packet capture in response to clients outside the same subnet/VLAN.

 

From the troubleshooting and from going through various blogs, it looks like I need to add a static persistent route or enable forwarding. However, we have a counter-argument that it's working fine with VM1 without a static route or any change of options.

 

Appreciate any input, if I'm missing some setting on the SSG?

 

Thanks.
