
Users may experience periodic connection loss for applications that are running in a Windows Server 2008 NLB cluster using an IPsec connection



Symptoms

Consider the following scenario:
  • You configure a Windows Server 2008-based Network Load Balancing (NLB) cluster to use the single affinity mode.
  • A server-side application is load balanced by the NLB cluster.
  • Internet Protocol security (IPsec) connections are made between the client-side application and the server-side application.
  • A client disconnects from the service and then reconnects to the same service from a different network or from a different physical location.
In this scenario, the connections may break between the client-side application and the server-side application. Additionally, when the administrator of the NLB cluster checks the NLB status, the administrator finds that the client-side application makes connections to multiple NLB nodes.

For example, if an Exchange server is load balanced by an NLB cluster in an IPsec environment, a client application such as Microsoft Office Outlook alternates between the "Trying to Connect to Exchange Server" status and the "Connected" status.

Note If you experience this problem in Windows Server 2008 R2, you can use the extended affinity mode of Network Load Balancing to maintain the client connections. For more information about the extended affinity mode, visit the following Microsoft Web site:



Cause

The current IPsec load balancing happens on the IP level. Therefore, the NLB driver is not aware of the TCP sessions included in the IPsec tunnel, and the new TCP connections may connect to different nodes. This behavior is incorrect for some applications that expect a client to make connections to a unique NLB node when the single affinity mode is configured.



Resolution

To resolve the issue, install this hotfix on all NLB nodes.

This hotfix introduces a new NLB flag that gives a user only one active IPsec tunnel at any time from the given client. In this case, the NLB cluster tries to destroy the old tunnel in favor of the new tunnel. When the new tunnel opens, all TCP connections use this tunnel, and the client stickiness is guaranteed even on the TCP level.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have the Network Load Balancing (NLB) feature installed on a computer that is running Windows Server 2008 or Windows Server 2008 Service Pack 2 (SP2).

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfix.

Registry information

This hotfix adds the DropStateIfNotBucketOwner registry value to the registry. This registry value and other NLB cluster registry values are located under the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface\<GUID>

Replace the <GUID> placeholder with the network interface globally unique identifier (GUID) of the NLB cluster. The default value of the DropStateIfNotBucketOwner registry value is 1 (enabled). This hotfix is disabled if the registry value is absent or is set to 0.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x86-based versions of Windows Server 2008
File name | File version | File size | Date | Time | Platform
Nlb.sys | 6.0.6001.22459 | 202,752 | 30-Jun-2009 | 10:26 | x86

For all supported x86-based versions of Windows Server 2008 SP2
File name | File version | File size | Date | Time | Platform
Nlb.sys | 6.0.6002.22160 | 202,752 | 30-Jun-2009 | 10:15 | x86

For all supported Itanium-based versions of Windows Server 2008
File name | File version | File size | Date | Time | Platform
Nlb.sys | 6.0.6001.22459 | 587,776 | 30-Jun-2009 | 10:47 | IA-64

For all supported Itanium-based versions of Windows Server 2008 SP2
File name | File version | File size | Date | Time | Platform
Nlb.sys | 6.0.6002.22160 | 587,776 | 30-Jun-2009 | 10:28 | IA-64

For all supported x64-based versions of Windows Server 2008
File name | File version | File size | Date | Time | Platform
Nlb.sys | 6.0.6001.22459 | 249,856 | 30-Jun-2009 | 10:51 | x64

For all supported x64-based versions of Windows Server 2008 SP2
File name | File version | File size | Date | Time | Platform
Nlb.sys | 6.0.6002.22160 | 249,856 | 30-Jun-2009 | 10:27 | x64
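
The registry value and the Nlb.sys versions described above can be checked on a node with a read-only script. This is an added example, not part of the original Microsoft article; the driver path %SystemRoot%\System32\drivers\nlb.sys and the function names are assumptions.

```powershell
# Added example (not from the KB article): read-only audit of one NLB node.
# Assumption: the NLB driver is installed at %SystemRoot%\System32\drivers\nlb.sys.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface'
$driver = Join-Path $env:SystemRoot 'System32\drivers\nlb.sys'

# Hotfix file versions from the article's file table, keyed by build number.
$minimum = @{ 6001 = [version]'6.0.6001.22459'; 6002 = [version]'6.0.6002.22160' }

function Get-NlbDriverStatus {
    if (-not (Test-Path $driver)) { return 'nlb.sys not found' }
    $vi  = (Get-Item $driver).VersionInfo
    $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart)
    if (-not $minimum.ContainsKey($ver.Build)) {
        return "nlb.sys $($ver): build not listed in the article"
    }
    if ($ver -ge $minimum[$ver.Build]) {
        return "nlb.sys $($ver): at or above hotfix version $($minimum[$ver.Build])"
    }
    return "nlb.sys $($ver): below hotfix version $($minimum[$ver.Build])"
}

function Get-NlbDropStateSetting {
    # One subkey per interface GUID; an absent value means the fix is disabled.
    if (-not (Test-Path $ifRoot)) { return }
    Get-ChildItem $ifRoot | ForEach-Object {
        $value = (Get-ItemProperty -Path $_.PSPath).DropStateIfNotBucketOwner
        if ($null -eq $value) {
            $state = 'disabled (value absent)'
        } elseif ($value -eq 0) {
            $state = 'disabled (set to 0)'
        } elseif ($value -eq 1) {
            $state = 'enabled (set to 1)'
        } else {
            $state = "undocumented value: $value"
        }
        New-Object PSObject -Property @{ InterfaceGuid = $_.PSChildName; State = $state }
    }
}

Get-NlbDriverStatus
Get-NlbDropStateSetting | Format-Table InterfaceGuid, State -AutoSize
```

Because the hotfix must be installed on all NLB nodes, run the check on each node and compare the results.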



Workaround

To work around the issue, create an IPsec exception in the load-balanced applications that are experiencing this problem, or disable IPsec connections across the environment.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates


Additional file information for Windows Server 2008


Additional files for all supported x86-based versions of Windows Server 2008

File name | File version | File size | Date | Time | Platform
Package_for_kb972183_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,423 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_sc_1~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,527 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_sc~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,701 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,423 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_server_1~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,531 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_server~31bf3856ad364e35~x86~~6.0.1.0.mum | Not Applicable | 1,712 | 30-Jun-2009 | 23:33 | Not Applicable
X86_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6001.22459_none_ae668d5531a7fea3.manifest | Not Applicable | 4,343 | 30-Jun-2009 | 15:25 | Not Applicable
X86_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6002.22160_none_b0392cb72ede8ba9.manifest | Not Applicable | 4,343 | 30-Jun-2009 | 13:47 | Not Applicable

Additional files for all supported Itanium-based versions of Windows Server 2008

File name | File version | File size | Date | Time | Platform
Ia64_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6001.22459_none_ae68314b31a6079f.manifest | Not Applicable | 4,349 | 30-Jun-2009 | 13:59 | Not Applicable
Ia64_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6002.22160_none_b03ad0ad2edc94a5.manifest | Not Applicable | 4,349 | 30-Jun-2009 | 13:19 | Not Applicable
Package_for_kb972183_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,427 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_server_1~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,371 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_server~31bf3856ad364e35~ia64~~6.0.1.0.mum | Not Applicable | 1,716 | 30-Jun-2009 | 23:33 | Not Applicable

Additional files for all supported x64-based versions of Windows Server 2008

File name | File version | File size | Date | Time | Platform
Amd64_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6001.22459_none_0a8528d8ea056fd9.manifest | Not Applicable | 4,355 | 30-Jun-2009 | 14:17 | Not Applicable
Amd64_microsoft-windows-n..ncing-networkdriver_31bf3856ad364e35_6.0.6002.22160_none_0c57c83ae73bfcdf.manifest | Not Applicable | 4,355 | 30-Jun-2009 | 13:46 | Not Applicable
Package_for_kb972183_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,431 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_sc_1~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,537 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_sc~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,711 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,431 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_server_1~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,541 | 30-Jun-2009 | 23:33 | Not Applicable
Package_for_kb972183_server~31bf3856ad364e35~amd64~~6.0.1.0.mum | Not Applicable | 1,722 | 30-Jun-2009 | 23:33 | Not Applicable



Keywords: kbclustering, kbHotfixServer, kbautohotfix, kbexpertiseadvanced, kbqfe, kbsurveynew, KB972183


Article Info
Article ID : 972183
Revision : 3
Created on : 9/11/2010
Published on : 9/11/2010