Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

The Firewall service may not start or integrated NLB fails when you enable 802.1Q VLAN tagging or teaming on a server that is running ISA Server


Symptoms

You are running Microsoft Internet Security and Acceleration (ISA) Server 2004, Enterprise Edition with Service Pack 2 (SP2) or Microsoft Internet Security and Acceleration (ISA) Server 2006, Enterprise Edition. You enable 802.1Q Virtual Local Area Network (VLAN) tagging or network teaming and integrated Network Load Balancing (NLB) on separate interfaces of the same network adapter. After you do this, the Firewall service may not start, or the Microsoft Firewall Event 21107 may indicate that the Firewall service did not apply the Network Load Balancing configuration on the local computer. The failure occurs because of an "Element not found" error.

Note This issue also applies to Microsoft Forefront Threat Management Gateway 2010.


Resolution

By default, ISA Server does not enable 802.1Q VLAN tagging or network teaming and integrated NLB on different interfaces of a network adapter. To enable this functionality, you must run the following Microsoft Visual Basic Scripting Edition (VBScript) file on one of the array member servers. To do this, follow these steps:
  1. Copy the following text into Notepad:
    Sub AddAllowVLANandNLB()

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )

        If Err.Number <> 0 Then
            Err.Clear

            ' Add the item
            Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value("AllowVLANandNLB")
        End If

        If VendorSet.Value("AllowVLANandNLB") <> True Then

            Err.Clear
            VendorSet.Value("AllowVLANandNLB") = True

            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save False, True

                ' Test Err before calling CheckError, because CheckError clears it.
                If Err.Number <> 0 Then
                    CheckError
                Else
                    WScript.Echo "Done with AllowVLANandNLB, saved!"
                End If
            End If
        Else
            WScript.Echo "Done with AllowVLANandNLB, no change!"
        End If

    End Sub

    ' Report the pending error, if any, and then clear it.
    Sub CheckError()

        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    AddAllowVLANandNLB
    
  2. In Notepad, click File, click Save As, and then type a name for the script. For example, type VBScriptName.vbs in the File name box, and then click Save.
  3. Run the file that you saved in step 2.
  4. Restart the Firewall service after you run the VBScript file.


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


More information

How to remove the changes

To remove the functionality, you must run the following Microsoft Visual Basic Scripting Edition (VBScript) file on one of the array member servers. To do this, follow these steps:
  1. Copy the following text into Notepad:
    Sub DelAllowVLANandNLB()

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )

        If Err.Number <> 0 Then
            Err.Clear

            ' Add the item
            Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value("AllowVLANandNLB")
        End If

        If VendorSet.Value("AllowVLANandNLB") = True Then

            Err.Clear
            VendorSet.Value("AllowVLANandNLB") = False

            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save False, True

                ' Test Err before calling CheckError, because CheckError clears it.
                If Err.Number <> 0 Then
                    CheckError
                Else
                    WScript.Echo "Done with AllowVLANandNLB, saved!"
                End If
            End If
        Else
            WScript.Echo "Done with AllowVLANandNLB, no change!"
        End If

    End Sub

    ' Report the pending error, if any, and then clear it.
    Sub CheckError()

        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    DelAllowVLANandNLB
    
  2. In Notepad, click File, click Save As, and then type a name for the script. For example, type RemoveVBScriptName.vbs in the File name box, and then click Save.
  3. Run the file that you saved in step 2.
  4. Restart the Firewall service after you run the VBScript file.
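
To confirm which state an array is in before or after running either script, the following added example (not part of the original Microsoft article) reads the parameter without creating or saving anything. It uses only the FPC objects and the GUID shown in the scripts above; the function name GetVlanNlbState, the variable names, and the exit codes are assumptions chosen for illustration.

```vbscript
' Added example: read-only check of the AllowVLANandNLB vendor parameter.
' Uses only the FPC objects and the GUID that appear in the scripts above.
Option Explicit

Const SET_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const PARAM_NAME = "AllowVLANandNLB"

' Returns "enabled", "disabled", or "not set". Never calls Add or Save,
' so running it does not change the array configuration.
Function GetVlanNlbState()
    Dim root, isaArray, vendorSets, vendorSet, current

    Set root = CreateObject("FPC.Root")
    Set isaArray = root.GetContainingArray
    Set vendorSets = isaArray.VendorParametersSets

    GetVlanNlbState = "not set"

    On Error Resume Next
    Set vendorSet = vendorSets.Item(SET_GUID)
    If Err.Number <> 0 Then
        ' The vendor parameters set has never been created on this array.
        Err.Clear
        Exit Function
    End If

    current = vendorSet.Value(PARAM_NAME)
    If Err.Number <> 0 Then
        ' The set exists, but the parameter has not been written to it.
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    If current = True Then
        GetVlanNlbState = "enabled"
    Else
        GetVlanNlbState = "disabled"
    End If
End Function

Dim state
state = GetVlanNlbState()
WScript.Echo PARAM_NAME & " is " & state

' Exit code 0 = enabled, 1 = disabled or not set (hypothetical convention),
' so a batch file or monitoring job can test the result.
If state = "enabled" Then WScript.Quit 0 Else WScript.Quit 1
```

Running it before the change records the baseline, and running it afterward shows whether the save took effect without relying on the "saved!" message alone.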
Notes
  • For more information about the 802.1Q protocol that is defined by the Institute of Electrical and Electronics Engineers, Inc. (IEEE), visit the following IEEE Web site:
  • 802.1Q functionality depends on network adapter drivers. Contact the network adapter manufacturer to determine whether a network adapter supports this protocol.
  • You cannot enable 802.1Q VLAN tagging and integrated NLB on the same interface of a network adapter. This limitation is imposed by NLB.
  • You cannot enable both 802.1Q VLAN tagging and integrated NLB on different interfaces of a network adapter on ISA Server 2004, Enterprise Edition computers. To enable this functionality, you must install ISA Server 2004 SP2 and run the VBScript file that is described in the "Resolution" section.


Keywords: KB912943, kbprb, kbtshoot

Article Info
Article ID : 912943
Revision : 6
Created on : 10/9/2011
Published on : 10/9/2011
Exists online : False