TechNote (Archived)

External users can not access Connect Profesional when clustered with NLB

Issue

With an NLB cluster setup, you have tested it internally and it works but external users are not able to connect to Connect Professional. Or, in some cases, you may have the same issue with internal users.

Reason

The network is not able to translate two or more IPs mapped to one FQDN or else the public to private NAT translation is failing.

The network team will need to add an Address Resolution Protocol (ARP) entry to your router for the IP address that corresponds to the virtual MAC address of a network card NLB is controlling.

When you setup NLB, you share one IP address across all servers in the NLB cluster and they also share the same virtual MAC address. When a request comes in, NLB manages which server receives the request, which is based on the physical IP address of a server within the cluster.

In our example, we have the following:
NLB shared IP = 10.60.204.74
NLB virtual MAC Address = 03-bf-0a-3c-cc-4a
External IP = 200.70.20.100
External FQDN = ps-brzclstr.macromedia.com

The NLB Properties for this example are as follows:

To view your NLB Properties page, do the following:

Open Local Area Connection Properties.
Right-click on Network Load Balancing.
Select Properties.

Solution

You need to setup a Proxy ARP to direct the request to the virtual MAC address created by NLB.

Get the NLB shared IP adress. In our example, it would be 10.60.204.42.
Get the NLB MAC address. In our example, it would be 03bf.0a3c.cc4a.
Enable a Proxy Address Resolution Protocol (ARP). For example:

cisco-router(config)#arp 10.60.204.74 03bf.0a3c.cc4a ARPA

Note: This will apply to any router, but in this example, we are using a Cisco router.

The translation should flow as follows:
ps-brzclstr.macromedia.com -> 200.70.20.100 -> 10.60.204.74 -> 03bf.0a3c.cc4a