Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Users may experience periodic connection loss for applications that are running in a Windows Server 2008 NLB cluster using an IPsec connection


View products that this article applies to.

Symptoms

Consider the following scenario:
  • You configure a Windows Server 2008-based Network Load Balancing (NLB) cluster to use the single affinity mode.
  • A server-side application is load balanced by the NLB cluster.
  • Internet Protocol security (IPsec) connections are made between the client-side application and the server-side application.
  • A client disconnects from the service and then reconnects to the same service from a different network or from a different physical location.
In this scenario, the connections may break between the client-side application and the server-side application. Additionally, when the administrator of the NLB cluster checks the NLB status, the administrator finds that the client-side application makes connections to multiple NLB nodes.

For example, if an Exchange server is load balanced by a NLB cluster in an IPsec environment, the client application such as Microsoft Office Outlook alternates between the "Trying to Connect to Exchange Server" status and the "Connected" status.

Note If you experience this problem in Windows Server 2008 R2, you can use the extended affinity mode of Network Load Balancing to maintain the client connections. For more information about the extended affinity mode, visit the following Microsoft Web site:

↑ Back to the top


Cause

The current IPsec load balancing happens on the IP level. Therefore, the NLB driver is not aware of the TCP sessions included in the IPsec tunnel, and the new TCP connections may connect to different nodes. This behavior is incorrect for some applications that expect a client to make connections to a unique NLB node when the single affinity mode is configured.

↑ Back to the top


Resolution

To resolve the issue, install this hotfix on all NLB nodes.

This hotfix introduces a new NLB flag that gives a user only one active IPsec tunnel at any time from the given client. In this case, the NLB cluster tries to destroy the old tunnel in favor of the new tunnel. When the new tunnel opens, all TCP connections use this tunnel, and the client stickiness is guaranteed even on the TCP level.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have the Network Load Balancing (NLB) feature installed on a computer that is running Windows Server 2008 or Windows Server 2008 Service Pack 2 (SP2).

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfix.

Registry information

This hotfix adds the DropStateIfNotBucketOwner registry value to the registry. This registry value and other NLB cluster registry values are located under the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\
<GUID>

Replace the <GUID> placeholder with the network interface globally unique identifier (GUID) of the NLB cluster. The default value of the DropStateIfNotBucketOwner registry value is 1 (enabled). This hotfix is disabled if the registry value is absent or is set to 0.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Nlb.sys6.0.6001.22459202,75230-Jun-200910:26x86
For all supported x86-based versions of Windows Server 2008 SP2
File nameFile versionFile sizeDateTimePlatform
Nlb.sys6.0.6002.22160202,75230-Jun-200910:15x86
For all supported Itanium-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Nlb.sys6.0.6001.22459587,77630-Jun-200910:47IA-64
For all supported Itanium-based versions of Windows Server 2008 SP2
File nameFile versionFile sizeDateTimePlatform
Nlb.sys6.0.6002.22160587,77630-Jun-200910:28IA-64
For all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Nlb.sys6.0.6001.22459249,85630-Jun-200910:51x64
For all supported x64-based versions of Windows Server 2008 SP2
File nameFile versionFile sizeDateTimePlatform
Nlb.sys6.0.6002.22160249,85630-Jun-200910:27x64

↑ Back to the top


Workaround

To work around the issue, create an IPsec exception in the load-balanced applications that are experiencing this problem, or disable IPsec connections across the environment.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates


Additional file information for Windows Server 2008


Additional files for all supported x86-based versions of Windows Server 2008

File nameFile versionFile sizeDateTimePlatform
Package_for_kb972183_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42330-Jun-200923:33Not Applicable
Package_for_kb972183_sc_1~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,52730-Jun-200923:33Not Applicable
Package_for_kb972183_sc~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,70130-Jun-200923:33Not Applicable
Package_for_kb972183_server_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42330-Jun-200923:33Not Applicable
Package_for_kb972183_server_1~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,53130-Jun-200923:33Not Applicable
Package_for_kb972183_server~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,71230-Jun-200923:33Not Applicable
X86_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6001.22459_none_ae668d5531a7fea3.manifestNot Applicable4,34330-Jun-200915:25Not Applicable
X86_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6002.22160_none_b0392cb72ede8ba9.manifestNot Applicable4,34330-Jun-200913:47Not Applicable

Additional files for all supported Itanium-based versions of Windows Server 2008

File nameFile versionFile sizeDateTimePlatform
Ia64_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6001.22459_none_ae68314b31a6079f.manifestNot Applicable4,34930-Jun-200913:59Not Applicable
Ia64_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6002.22160_none_b03ad0ad2edc94a5.manifestNot Applicable4,34930-Jun-200913:19Not Applicable
Package_for_kb972183_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,42730-Jun-200923:33Not Applicable
Package_for_kb972183_server_1~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,37130-Jun-200923:33Not Applicable
Package_for_kb972183_server~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,71630-Jun-200923:33Not Applicable

Additional files for all supported x64-based versions of Windows Server 2008

File nameFile versionFile sizeDateTimePlatform
Amd64_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6001.22459_none_0a8528d8ea056fd9.manifestNot Applicable4,35530-Jun-200914:17Not Applicable
Amd64_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6002.22160_none_0c57c83ae73bfcdf.manifestNot Applicable4,35530-Jun-200913:46Not Applicable
Package_for_kb972183_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43130-Jun-200923:33Not Applicable
Package_for_kb972183_sc_1~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,53730-Jun-200923:33Not Applicable
Package_for_kb972183_sc~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,71130-Jun-200923:33Not Applicable
Package_for_kb972183_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43130-Jun-200923:33Not Applicable
Package_for_kb972183_server_1~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,54130-Jun-200923:33Not Applicable
Package_for_kb972183_server~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,72230-Jun-200923:33Not Applicable

↑ Back to the top


Keywords: kbclustering, kbHotfixServer, kbautohotfix, kbexpertiseadvanced, kbqfe, kbsurveynew, KB972183

↑ Back to the top

Article Info
Article ID : 972183
Revision : 3
Created on : 9/11/2010
Published on : 9/11/2010
Exists online : False
Views : 406