Unable to ping NLB Gateway from outside the NLB subnet or different subnets

Attempts to reach the NLB Gateway from outside the NLB subnet, or from different subnets, time out:

# nc -vz 192.168.0.224
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection timed out.

This happens while the host is on a subnet external to the NLB subnet:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:86:15:d7 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.148/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.0.0.77/32 scope global eth0
valid_lft forever preferred_lft forever
inet 10.0.0.78/32 scope global eth0
valid_lft forever preferred_lft forever

This is because in IGMP Multicast and Multicast modes, the switch never learns the proper IP-to-MAC mapping:

mdscisco01#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.0.224 0 Incomplete ARPA

mdscisco01#

A great reference on this is the Cisco Network Load Balancing page.  In essence:

  • Since the virtual IP address uses a multicast MAC address, it is unreachable outside of the local subnet. In order to address this, you must configure a static ARP entry on each device with a Layer 3 (L3) interface in the cluster VLAN. Complete this in the same fashion as with Multicast mode. For example, if the virtual IP address is 10.100.1.99 and the multicast MAC address is 0100.5e01.0101, use this command in order to populate the ARP table statically:
    arp 10.100.1.99 0100.5e01.0101

So in our case, this will be:

arp 192.168.0.224 0100.5e7f.00e0

At least according to the article.  Here is the full list of commands:

mdscisco01#sh ip arp | include Incomplete
Internet 192.168.0.224 0 Incomplete ARPA
mdscisco01#
mdscisco01#config t
mdscisco01(config)#arp 192.168.0.224 0100.5e7f.00e0 arpa
mdscisco01(config)#end
mdscisco01#sh ip arp | include Incomplete
…..
mdscisco01#sh ip arp | include 192.168.0.224
Internet 192.168.0.224 - 0100.5e7f.00e0 ARPA
mdscisco01#
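The address 0100.5e7f.00e0 follows the standard NLB cluster MAC scheme (IGMP multicast: 01-00-5E-7F plus the last two octets of the virtual IP). The following is an added example, not part of the original post: it derives the expected MAC for a virtual IP and reviews `sh ip arp` output so that static entries are proposed or checked only for an allowlist of known virtual IPs. The function names, the allowlist, and the sample rows other than the page's own 192.168.0.224 line are assumptions; confirm the derived MAC against the one shown in NLB Manager before applying it.

```python
import ipaddress
import re

# NLB cluster MAC layout per operation mode: (fixed prefix, IP octets skipped).
_PREFIX = {
    "unicast": (bytes([0x02, 0xBF]), 0),           # 02-BF + all four IP octets
    "multicast": (bytes([0x03, 0xBF]), 0),         # 03-BF + all four IP octets
    "igmp": (bytes([0x01, 0x00, 0x5E, 0x7F]), 2),  # 01-00-5E-7F + last two octets
}
# One row of "sh ip arp": protocol, address, age, hardware address, type.
_ARP_ROW = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+ARPA\b")

def nlb_cluster_mac(vip, mode="igmp"):
    """Return the NLB cluster MAC for vip in Cisco dotted notation."""
    if mode not in _PREFIX:
        raise ValueError(f"unknown NLB mode: {mode!r}")
    prefix, skip = _PREFIX[mode]
    octets = ipaddress.IPv4Address(vip).packed  # ValueError on a malformed address
    digits = (prefix + octets[skip:]).hex()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def review_arp(show_ip_arp, vips, mode="igmp"):
    """Map each allowlisted VIP in the table to 'ok', a mismatch, or the arp command to add."""
    result = {}
    for line in show_ip_arp.splitlines():
        row = _ARP_ROW.match(line.strip())
        if not row or row.group(1) not in vips:
            continue  # never propose static ARP for addresses outside the allowlist
        ip, _age, hw = row.groups()
        expected = nlb_cluster_mac(ip, mode)
        if hw == "Incomplete":
            result[ip] = f"arp {ip} {expected} arpa"
        else:
            result[ip] = "ok" if hw.lower() == expected else f"mismatch: {hw}"
    return result

# Constructed sample: the 192.168.0.224 row follows the page; the other rows are made up.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.224    0          Incomplete      ARPA
Internet  192.168.0.50     0          Incomplete      ARPA
Internet  192.168.0.225    -          0100.5e7f.00e2  ARPA
"""

if __name__ == "__main__":
    for ip, action in review_arp(SAMPLE, {"192.168.0.224", "192.168.0.225"}).items():
        print(ip, "->", action)
```
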

Now ping it from the host where ping didn’t work before:

# ping 192.168.0.224
PING 192.168.0.224 (192.168.0.224) 56(84) bytes of data.
64 bytes from 192.168.0.224: icmp_seq=1 ttl=126 time=0.784 ms
64 bytes from 192.168.0.224: icmp_seq=2 ttl=126 time=0.787 ms
^C
--- 192.168.0.224 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.784/0.785/0.787/0.028 ms

Bingo!  Next test a port:

# nc -vz 192.168.0.224 389
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.0.224:389.
Ncat: 0 bytes sent, 0 bytes received in 0.03 seconds.

Now let’s check whether the affected application, Confluence, can log in instead of generating this message:

Sorry, an error occurred trying to log you in. Please try again.

Verify you can log in now that the IP and port are reachable and traffic is routed.  Next, don’t forget to add the setting to any other Cisco switches you may have.  Same command, different switch.  Don’t forget to save the configuration:

mdscisco01#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
mdscisco01#

mdscisco02#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
Compressed configuration from 6882 bytes to 2683 bytes[OK]
mdscisco02#

Enjoy!

HTH

  Copyright © 2003 - 2025 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License

 
