NAT to Microsoft NLB not working

Solved
Eds89
Here to help

Hello,

I have a couple of Microsoft NLB clusters that I want to NAT publicly (remote desktop gateway for example), on my MX84 security appliance.

They are in Multicast mode, and have static ARP and MAC entries on my Cisco Catalyst 9200 switches internally. This is the only setup I could get working internally, as we are not quite in a position to setup a dedicated VLAN with Unicast mode instead (although I am not sure it would help in this situation anyway).

The issue I am having is that if I change my NAT rule from pointing to a single host to the IP of the NLB cluster, there is seemingly no communication when sending traffic to the NAT'd public IP. The remote access to these NLBs just does not work when the rule is changed to this.

Meraki support have not been all that helpful in figuring out what is going on, and have simply said:

"Also they have confirmed that cluster IP should show up in the client list as well as the ARP table."

I have had this setup working before at a previous company, with the only difference being there we had Meraki switches instead of Catalyst.

Is there a way I can get this setup working, given that Meraki stubbornly refuse to give us the ability to add static ARP entries on their gear?

Many thanks.

James

1 Accepted Solution
Eds89
Here to help

I have managed to get this working now with Unicast NLB in a dedicated VLAN.

The issue seemed to be something to do with our gateway configuration between core switch and Meraki MX, which I have worked around for the moment and will investigate separately.

Many thanks for your input.

Regards

James

9 Replies
PhilipDAth
Kind of a big deal

I don't know the answer.

NLB is a pig, and it often causes issues.  It is almost certainly related to how it is [not] responding to ARP.  I bet if you change to a different mode it will work.
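To make the ARP point concrete, here is an added example (not code from the thread, from Meraki or from Microsoft) that derives the MAC address Microsoft NLB answers with for a cluster VIP in each cluster mode and checks a constructed ARP table against it. The `arp -n` style table, the addresses and the function names are assumptions for illustration.

```python
"""Check how a Microsoft NLB cluster VIP shows up in a gateway's ARP table.

Added illustration for the thread above; not code from Meraki, Cisco or the
original poster. The MAC layouts are the ones NLB uses for its cluster modes;
the ARP table is constructed sample output in Linux `arp -n` format.
"""
import ipaddress
import re

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

# Constructed sample: gateway has resolved a node NIC, has an incomplete entry
# for a multicast-mode VIP (10.0.5.50) and a learned unicast-mode VIP (10.0.6.50).
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.5.11                ether   00:15:5d:01:02:03   C                     eth0
10.0.5.50                        (incomplete)                              eth0
10.0.6.50                ether   02:bf:0a:00:06:32   C                     eth1
"""


def nlb_cluster_mac(cluster_ip: str, mode: str) -> str:
    """Return the MAC NLB assigns to the cluster VIP for a given mode.

    unicast   -> 02-bf-w-x-y-z   (w.x.y.z is the cluster IP)
    multicast -> 03-bf-w-x-y-z   (group MAC: low bit of the first octet set)
    igmp      -> 01-00-5e-7f-y-z (IGMP multicast uses the last two octets)
    """
    w, x, y, z = ipaddress.IPv4Address(cluster_ip).packed
    if mode == "unicast":
        return "02:bf:%02x:%02x:%02x:%02x" % (w, x, y, z)
    if mode == "multicast":
        return "03:bf:%02x:%02x:%02x:%02x" % (w, x, y, z)
    if mode == "igmp":
        return "01:00:5e:7f:%02x:%02x" % (y, z)
    raise ValueError("mode must be unicast, multicast or igmp")


def is_multicast_mac(mac: str) -> bool:
    """The group bit is the least-significant bit of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


def parse_arp(text: str) -> dict:
    """Map IP -> MAC (None for incomplete entries) from `arp -n` output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            continue  # header or blank line
        m = MAC_RE.search(line)
        table[parts[0]] = m.group(1).lower() if m else None
    return table


def check_cluster_arp(arp_text: str, cluster_ip: str, mode: str) -> dict:
    """Compare the gateway's ARP entry for the VIP with what NLB should answer."""
    expected = nlb_cluster_mac(cluster_ip, mode)
    table = parse_arp(arp_text)
    observed = table.get(cluster_ip)
    if cluster_ip not in table:
        verdict = "no-entry: the gateway has never resolved the VIP"
    elif observed is None:
        verdict = ("incomplete: request sent but no usable reply installed; a "
                   "multicast-mode reply carries a group MAC, which many routers "
                   "refuse to learn without a static ARP entry")
    elif observed != expected:
        verdict = "mismatch: entry does not match the NLB cluster MAC for this mode"
    elif is_multicast_mac(expected):
        verdict = "ok-multicast: VIP learned with a group MAC (switches still need static MAC entries)"
    else:
        verdict = "ok-unicast: VIP resolves to the shared unicast cluster MAC"
    return {"expected": expected, "observed": observed, "verdict": verdict}


if __name__ == "__main__":
    for vip, mode in (("10.0.5.50", "multicast"), ("10.0.6.50", "unicast")):
        print(vip, mode, check_cluster_arp(SAMPLE_ARP, vip, mode))
```

In multicast mode the VIP answers ARP with a group MAC (first octet 03), which is why the Catalyst side needs the static ARP and MAC entries and why a gateway that cannot take static ARP entries ends up with an incomplete entry; in unicast mode the VIP resolves to an ordinary locally administered MAC (02-bf-...) that any gateway can learn the normal way.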

Eds89
Here to help

Thanks Philip,

Trying in Unicast mode with a dedicated VLAN is on my list to test, but is a bit more hassle for us currently than multicast mode.

I may try to expedite the test to see if it helps this situation, but otherwise will cross my fingers someone may have a workaround for using it with Meraki in Multicast mode.

Many thanks.

James

Eds89
Here to help

Anyone able to suggest any other options before I dive too deeply into segregating these into their own VLAN?

Cheers

James

Eds89
Here to help

I have my NLB cluster in unicast mode, with the adapters in their own VLAN. The MX appliance has an interface on that VLAN, and can ping the IP of the cluster, but the NAT mapping does not allow me to establish a connection externally.

Anyone have any thoughts on what else I can do here?

I have a new ticket open with support, but am not hopeful they'll be able to help me progress this.

Cheers

James

PhilipDAth
Kind of a big deal

If you can now ping it, NAT should be working.

Can you access the service you are trying to expose internally on its private IP address?

Eds89
Here to help

Well, this is what I thought!

Can confirm that the service is accessible internally on that IP address from a separate VLAN.

As I'm testing, the new IP/NLB is on a secondary adapter on the VM, and has no gateway set on it. It can ping the Meraki appliance.

When NATing to this IP, does it need to have a gateway in order to route back out to public internet clients, or only to the MX appliance?

If the former, then I guess my next test would be to disable the old adapters temporarily, and set a gateway on the new test adapters.

Cheers

James

PhilipDAth
Kind of a big deal

It needs to have a default gateway pointing to the MX.

Eds89
Here to help

Sorry, I was mistaken, they do indeed have gateways set on them.

Is it possible that, because there are two interfaces both with gateways, it may be sending a response out via the wrong interface and the MX is dropping the packets because of a VLAN mismatch?

I have had a similar issue before that turned out to be a machine replying via the wrong interface.

I have adjusted the rule to point directly to the adapter IP rather than NLB, with no effect.

I have a case open with Meraki, so might be that they can interpret some packet captures and see what may or may not be happening here.
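As an added check for the two-gateway hypothesis raised in the post above (example code, not the poster's, Meraki's or Microsoft's), the following parses a constructed table in the layout of Windows `route print` and reports which default route the host prefers and whether that route sits on the NAT'd adapter. The addresses, the sample table and the function names are assumptions for illustration.

```python
"""Spot hosts with more than one default route, a common cause of replies
leaving by a different interface than the one the request arrived on.

Added illustration for the thread above; not code from Meraki or the poster.
SAMPLE_ROUTE_PRINT is constructed sample output in Windows `route print` layout:
one default route per adapter, with the NAT'd adapter (10.0.5.50) carrying the
worse (higher) metric.
"""
import re

SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.1.1       10.0.1.20     25
          0.0.0.0          0.0.0.0         10.0.5.1       10.0.5.50    281
         10.0.1.0    255.255.255.0          On-link       10.0.1.20    281
         10.0.5.0    255.255.255.0          On-link       10.0.5.50    281
===========================================================================
"""

# destination, netmask, gateway (IP or "On-link"), interface IP, metric
ROUTE_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_routes(text: str) -> list:
    """Return one dict per route line; headers and separators are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "interface": iface, "metric": int(metric)})
    return routes


def default_routes(routes: list) -> list:
    """All 0.0.0.0/0 routes, best (lowest) metric first."""
    return sorted((r for r in routes
                   if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"),
                  key=lambda r: r["metric"])


def egress_report(text: str, nat_target_ip: str) -> dict:
    """Which default route wins, and is it on the adapter the NAT rule targets?

    nat_target_ip is an assumed parameter: the adapter IP the firewall NATs to.
    """
    defaults = default_routes(parse_routes(text))
    if not defaults:
        return {"defaults": 0, "preferred": None, "preferred_interface": None,
                "nat_adapter_preferred": False}
    best = defaults[0]
    return {
        "defaults": len(defaults),
        "preferred": best["gateway"],
        "preferred_interface": best["interface"],
        "nat_adapter_preferred": best["interface"] == nat_target_ip,
    }


if __name__ == "__main__":
    report = egress_report(SAMPLE_ROUTE_PRINT, "10.0.5.50")
    print(report)
    if report["defaults"] > 1 and not report["nat_adapter_preferred"]:
        print("more than one default route, and the NAT'd adapter does not hold "
              "the preferred one: replies can leave by the other adapter")
```

When the report shows two default routes and the NAT'd adapter is not the preferred one, a reply can leave through the other adapter and VLAN, so the firewall only ever sees one half of the conversation; removing the second default route, or making the NAT'd adapter the preferred one, is the usual fix before asking support to read packet captures.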
