
Traffic doesn't flow from Microsoft Load Balanced Servers

Article ID: KB5139  KB Last Updated: 24 Aug 2011  Version: 4.0
Summary:
Traffic doesn't flow from Microsoft Load Balanced Servers
Symptoms:
  • Using Microsoft Load Balancer (MSLB) in Unicast Mode
  • Outbound policies permit the traffic
  • Sessions to the internal servers work
  • Sessions appear in logs
  • Traffic doesn't flow through from Microsoft Load Balanced Servers
  • Sessions from the servers do not work

Solution:

From the Command Line Interface (CLI):

set arp always-on-dest [Enter]

Here is the problem or goal:

  • Traffic doesn't flow through from Microsoft Load Balanced Servers
  • Sessions from the servers do not work
  • Traffic flow from Microsoft Load Balanced Servers

Problem Environment:

  • Using Microsoft Load Balancer (MSLB) in Unicast Mode
  • Outbound policies permit the traffic
  • Sessions to the internal servers work
  • Sessions appear in logs

Causes of this problem:

  • MSLB sources packets with a secondary MAC address that it does not listen for.

Additional Information:

The NetScreen is receiving traffic from the MSLB-enabled server using the secondary MAC address and using that as the MAC address for the session.  MSLB is not listening for traffic to that MAC.  For example:

10.1.1.101 is first server's IP

10.1.1.102 is second server's IP

10.1.1.103 is shared, 'Load Balanced' IP

All three IPs are gratuitously ARP'd for a virtual MAC which populates the NetScreen's ARP cache, in our example, 02bf.4296.72a2.

But when traffic is initiated from 10.1.1.101, the MAC address used in the actual packet sent to the NetScreen was 0201.4296.72a2.  This is what is normally put into the session table.  Return traffic matching the session is sent to the MAC address cached in the session - 0201.4296.72a2.  But the MSLB-enabled server is NOT listening for MAC 0201.4296.72a2 - it's listening for 02bf.4296.72a2 and ignores the packet sent to it.

The command:

set arp always-on-dest

forces the NetScreen to ignore the MAC address in the received packet and instead perform an ARP-table lookup for the IP in the packet and use that MAC address in the session table.  This forces the session table to have 02bf.4296.72a2 as the return MAC, which then gets picked up by the server.
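
The return-MAC choice described above, modelled in Python as an added example (it is not ScreenOS code and not part of the original article). The function names are hypothetical, the addresses are the article's example values, and the lookup is assumed to be on the source IP of the server's packet; the last function flags hosts whose frame source MAC disagrees with the ARP cache.

```python
# Added illustration: a model of the session return-MAC choice, not ScreenOS code.
# All addresses are the constructed example values from the article.
VIRTUAL_MAC = "02bf.4296.72a2"   # MAC the servers gratuitously ARP for
SOURCE_MAC = "0201.4296.72a2"    # MAC 10.1.1.101 puts in frames it sends

ARP_CACHE = {ip: VIRTUAL_MAC for ip in ("10.1.1.101", "10.1.1.102", "10.1.1.103")}
LISTENING = {"10.1.1.101": {VIRTUAL_MAC}}  # MACs the server accepts frames for


def norm(mac):
    """Reduce aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff or aa-bb-... to 12 hex digits."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def session_return_mac(src_ip, frame_src_mac, always_on_dest):
    """MAC cached in the session for return traffic to src_ip."""
    if not always_on_dest:
        return norm(frame_src_mac)           # default: trust the received frame
    cached = ARP_CACHE.get(src_ip)           # always-on-dest: ARP-table lookup
    return norm(cached) if cached else None  # None: no entry (model simplification)


def return_traffic_accepted(src_ip, frame_src_mac, always_on_dest):
    """True if the server would pick up a reply sent to the session's MAC."""
    mac = session_return_mac(src_ip, frame_src_mac, always_on_dest)
    accepted = {norm(m) for m in LISTENING.get(src_ip, ())}
    return mac is not None and mac in accepted


def mismatched_sources(frames):
    """IPs whose frame source MAC differs from their ARP-cache entry.

    frames: iterable of (src_ip, frame_src_mac) seen on the server-facing
    interface. Each hit is a candidate for the failure described above.
    """
    hits = set()
    for ip, mac in frames:
        cached = ARP_CACHE.get(ip)
        if cached and norm(cached) != norm(mac):
            hits.add(ip)
    return sorted(hits)


if __name__ == "__main__":
    for mode in (False, True):
        ok = return_traffic_accepted("10.1.1.101", SOURCE_MAC, mode)
        print(f"always-on-dest={mode}: reply accepted by server = {ok}")
```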

Applicable Products:

  • NetScreen-5
  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000

Applicable ScreenOS:

  • 2.6.0
  • 2.6.1
  • 2.7.1
  • 2.8.0
  • 3.0.0
  • 3.0.1

