VMware Cloud Community
JAllred
Contributor

ISA 2006 SP1 - NLB Cluster - Multicast - VLAN

We recently installed some new managed switches and attempted to implement VLANs for multiple subnets and ran into some strange issues with our virtualized ISA 2006 SP1 NLB cluster. Per VMware, we are running the NLB in multicast mode. What we would see is that VMs that pointed at the ISA virtual IP could not ping it or connect through it but could ping and connect through the actual IP of the ISA server. Our secondary ISA server could not ping an IP on the Internet or browse at all. We shut down the secondary ISA server and removed the VLANs and things seemed fine again. Now, even without the VLANs, the secondary ISA server has issues as if NLB is just broken. A couple of questions...

1) What is the recommended setup for an ISA 2006 NLB Cluster with VMware and VLANs?

2) Is there anything that needs to be restarted in VMware when a VLAN ID is added to a port group to make it work? The reason for this question is that I attempted to VLAN off one of our subnets on Sunday and I could not get the VMs to communicate with the firewall. I triple checked the switch config to make sure that ports were configured right for the VLAN and no luck.

3) We have two NICs assigned to our Service Console vswitch. Currently they are both active. Should I make one of them inactive in a true active/standby configuration? The reason for this question is I noticed that when I rebooted one of our switches that 3 of our ESX hosts started failing VMs over. I double checked the cabling and all of those ESX servers had active connections on our other switch. Why would 3 of our 6 ESX servers do this when they are all cabled and configured the same way?

Thanks!!

Jay

kjb007
Immortal

Have you seen http://www.vmware.com/files/pdf/implmenting_ms_network_load_balancing.pdf?

More than likely, you need to add an ARP entry in your router. This may have worked correctly in the past, but modifying the switch config may have caused the entry to invalidate, and hence now you're partially working.

Modifying the VLAN ID does not require a reboot, but you have to make sure the VLAN you are setting is correct in the switch port config as well, and your port is configured as a trunk to use 802.1q. If you simply changed the port config to a different VLAN, then you don't need to use the VLAN id field.

-KjB

VMware vExpert

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
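To make the ARP point above concrete, here is an added check script (not from the thread or from VMware's PDF) that derives the MAC an NLB cluster uses in multicast mode (03-BF followed by the VIP's octets in hex) and classifies what the next hop's ARP table says about the VIP. The ARP table text is a constructed sample in `arp -a` style, and the VIPs are assumed values; the symptom in the original post (real IP works, VIP does not) shows up as the "unicast" result.

```python
import ipaddress
import re

ARP_LINE = re.compile(
    r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(static|dynamic)",
    re.IGNORECASE,
)

def nlb_multicast_mac(vip: str) -> str:
    """Cluster MAC NLB derives in multicast mode: 03-BF followed by the VIP's four octets in hex."""
    return "03-BF-" + "-".join(f"{b:02X}" for b in ipaddress.IPv4Address(vip).packed)

def is_multicast_mac(mac: str) -> bool:
    """Group bit set in the first octet: routers will not learn such a MAC for a unicast IP, hence the static entry."""
    return bool(int(re.split(r"[-:]", mac)[0], 16) & 0x01)

def parse_arp_table(text: str) -> dict:
    """Return {ip: (MAC normalised to XX-XX-..., 'static'|'dynamic')} from 'arp -a'-style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).upper().replace(":", "-"), m.group(3).lower())
    return table

def check_vip_arp(vip: str, arp_text: str) -> str:
    """Classify the next hop's ARP state for an NLB multicast-mode VIP."""
    expected = nlb_multicast_mac(vip)
    entry = parse_arp_table(arp_text).get(vip)
    if entry is None:
        return "missing"          # router never resolved the VIP: add a static entry vip -> expected
    mac, kind = entry
    if mac == expected:
        return "ok" if kind == "static" else "dynamic"   # dynamic entries age out or get flushed
    if not is_multicast_mac(mac):
        return "unicast"          # VIP answered by one node's real NIC MAC: only that node sees VIP traffic
    return "mismatch"             # some other multicast MAC (e.g. IGMP mode, or a different VIP configured)

# Constructed sample: a next-hop ARP table after a switch change (not real output from this thread)
SAMPLE_ARP = """\
Interface: 192.168.10.1 --- 0x3
  Internet Address      Physical Address      Type
  192.168.10.50         00-50-56-a1-b2-c3     dynamic
  192.168.20.50         03-bf-c0-a8-14-32     static
"""

if __name__ == "__main__":
    for vip in ("192.168.10.50", "192.168.20.50", "192.168.30.50"):
        print(vip, nlb_multicast_mac(vip), check_vip_arp(vip, SAMPLE_ARP))
```

A "unicast" or "missing" result on the router in front of the cluster is the case where a static ARP entry for the VIP is needed; "dynamic" means it happens to be right now but will not survive a flush.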
JAllred
Contributor

I have seen that PDF. I have a ticket open with Microsoft and they pointed me to it as well.

The next hop up from the ISA server is actually a SonicWall that has one port configured in Transparent mode to hand off a range of public IPs to the ISA server. I am checking with SonicWall to see if I can add a static ARP entry. If this is the case, why did it work fine before adding VLANs to VMware and the switch? And why does it not work with the VLANs?

Thanks,

Jay

kjb007
Immortal

Depends if the router in this case could "see" the proper unicast IP tied to a multicast mac address previously.

-KjB
