Load balancing: Problem with probe host (Can't ping probe host when custom IP entered)
  •  
Velimir Ikalovic

I have a problem with Load Balancing.

First, this is my setup:
Kerio Winroute 6.7.1 on MS Server 2003
WAN1 Lan connection to ADSL router 6Mbps
WAN2 PPPoE connection to WADSL (wireless Broadband) 1Mbps
multiple local LAN connections

I have set up Load Balancing, and also dedicated some services to specific WAN links. Everything is working fine, until the ADSL service breaks (rare but possible).

Because the default probe host is the ADSL router, the link is detected as active no matter if the ADSL service is working or not.

I have tried to enter a custom probe host, but then another problem arises. Dedicating links for services is not working. After some troubleshooting I finally discovered what the problem is. In the debug log, when I enter a custom probe host, for both WAN links it says that probing has timed out. At the same time I can ping the entered IP address at the CMD prompt over both links. I have then tried to create a separate traffic rule for ping, but it didn't help. Maybe I didn't create it right:
Source: firewall Destination: Internet Service: ping Translating: none Time: Always

Any ideas?

Velimir

[Updated on: Fri, 12 November 2010 18:36]

  •  
ICT and Me

Why don't you use the IPs of the DNS servers from the providers? There are multiple and then it will work.
Use this configuration at our Control and at the customers' Control with two or more lines.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
Velimir Ikalovic

Two reasons why I can't do what is suggested:
1. DNS from one provider is blocking ICMP
2. Entering anything for the probe host is rendering both connections inactive, at the same time when I ping that IP manually I have a reply.

I'll repeat if I wasn't clear.
a) When the probe host is the primary gateway for each connection it is all fine until ADSL is down. At that moment Winroute is not aware that the link is down because it is probing the IP of the ADSL router (IP 192.168.1.1) which is pingable no matter if the link is up or down.

b) When I enter 8.8.8.8 as the probe host, both connections go to the "down" state because, for some reason, Winroute can't probe it (I get "probe time out" in the debug log for both). At the same time I'm able to ping and trace 8.8.8.8 over both links manually at the CMD prompt on the server.
  •  
ICT and Me

Then resolve the IP of the NTP server from Kerio and use that.
And pick one of the IPs from Google ;) always in the air.
Because I don't have this problem you describe.
Line is switched perfectly.

  •  
Velimir Ikalovic

When I use the default setup I have this:

[12/Nov/2010 15:15:53] {connectivity} Availability detection on interface "adsl": no probe hosts defined, using gateway address: 192.168.1.1.
[12/Nov/2010 15:15:53] {connectivity} Availability detection on interface "adsl": sending probe to 192.168.1.1 via gateway 192.168.1.1.
[12/Nov/2010 15:15:53] {connectivity} Availability detection on interface "adsl": received probe reply from 192.168.1.1.
[12/Nov/2010 15:16:10] {connectivity} Availability detection on interface "Connection to BB-AC-02": no probe hosts defined, using RAS server's address: 217.23.207.249.
[12/Nov/2010 15:16:10] {connectivity} Availability detection on interface "Connection to BB-AC-02": sending probe to 217.23.207.249 directly via the interface.
[12/Nov/2010 15:16:10] {connectivity} Availability detection on interface "Connection to BB-AC-02": received probe reply from 217.23.207.249.

And it works until the ADSL line breaks. At that moment, Winroute is not aware of that fact, because it is still probing 192.168.1.1 instead of the gateway on the provider.

When I set a custom probe host I have this:
[12/Nov/2010 14:51:35] {connectivity} Availability detection on interface "adsl": sending probe to 8.8.8.8 via gateway 192.168.1.1.
[12/Nov/2010 14:51:35] {connectivity} Availability detection on interface "Connection to BB-AC-02": sending probe to 8.8.8.8 directly via the interface.
[12/Nov/2010 14:51:40] {connectivity} Availability detection on interface "adsl": probe timeout.
[12/Nov/2010 14:51:40] {connectivity} Availability detection on interface "Connection to BB-AC-02": probe timeout.

And the interfaces are seen as "dead"... at the same time while I have these lines in the debug log, in the CMD prompt I can ping 8.8.8.8 manually.

Where to look for the reason why Winroute can't probe 8.8.8.8?
  •  
ICT and Me

Strange,
Is the rule Firewall Traffic still there?
And have you checked your router? Maybe this one is blocking ICMP. Allowing Ping but not ICMP. ICMP is more than Ping.
See link:
http://www.inetdaemon.com/tutorials/troubleshooting/tools/ping_is_not.shtml

  •  
Velimir Ikalovic

I can ping 8.8.8.8 (or any other unprotected IP) in the CMD prompt on the server.
I can ping both WAN interfaces from a computer at home.
I guess this means that ICMP works in both ways, from inside and outside.
Yes, the rule is still there.
I have two routers which are from two different ISPs, two different types, and working completely differently. But when I switch to "use specified IP as probe host" it doesn't work... probing timed out.

EDIT:
[12/Nov/2010 21:47:27] PERMIT "ping za gateway" packet from adsl, proto:ICMP, len:46, ip:8.8.8.8 -> 192.168.1.2, type:0 code:0
[12/Nov/2010 21:47:27] PERMIT "ping za gateway" packet from Connection to BB-AC-02, proto:ICMP, len:46, ip:8.8.8.8 -> 188.246.84.44, type:0 code:0

This should mean that the ICMP response is not filtered, but somehow Winroute is not "reading" it.

Any idea where to look next?

[Updated on: Fri, 12 November 2010 21:51]
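Added example, not part of the original thread and not Kerio code: a small Python script that correlates the two log types quoted above and reports probes that timed out even though the filter log shows an echo reply (type 0) from the probe host permitted on the same interface. The sample lines are constructed from the formats shown in the posts, with the filter-log timestamp aligned to the probe; the 5-second window is an assumption taken from the gap between "sending probe" and "probe timeout" in the quoted log.

```python
import re
from datetime import datetime, timedelta

TS = r'\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] '
PROBE = re.compile(TS + r'\{connectivity\} Availability detection on interface '
                   r'"([^"]+)": (sending probe to (\S+)|probe timeout|received probe reply)')
# Filter-log entry for a permitted ICMP echo reply (type 0, code 0)
REPLY = re.compile(TS + r'PERMIT "[^"]*" packet from (.+?), proto:ICMP, len:\d+, '
                   r'ip:(\S+) -> \S+, type:0 code:0')

def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y %H:%M:%S")

def unread_replies(lines, window=timedelta(seconds=5)):
    """Probes that timed out although the filter log shows an echo reply from
    the probe host permitted on the same interface within `window`."""
    replies = [(parse_ts(m[1]), m[2], m[3]) for m in map(REPLY.match, lines) if m]
    pending, findings = {}, []
    for m in filter(None, map(PROBE.match, lines)):
        when, iface, event = parse_ts(m[1]), m[2], m[3]
        if event.startswith("sending"):
            pending[iface] = (when, m[4])          # remember probe host and send time
        elif event == "probe timeout" and iface in pending:
            sent, host = pending.pop(iface)
            if any(i == iface and ip == host and sent <= t <= sent + window
                   for t, i, ip in replies):
                findings.append((iface, host, sent.strftime("%H:%M:%S")))
        else:  # reply received, or timeout with no matching send: clear state
            pending.pop(iface, None)
    return findings

# Constructed sample: "adsl" has a permitted reply logged, the PPPoE link does not.
SAMPLE = """
[12/Nov/2010 14:51:35] {connectivity} Availability detection on interface "adsl": sending probe to 8.8.8.8 via gateway 192.168.1.1.
[12/Nov/2010 14:51:35] {connectivity} Availability detection on interface "Connection to BB-AC-02": sending probe to 8.8.8.8 directly via the interface.
[12/Nov/2010 14:51:35] PERMIT "ping za gateway" packet from adsl, proto:ICMP, len:46, ip:8.8.8.8 -> 192.168.1.2, type:0 code:0
[12/Nov/2010 14:51:40] {connectivity} Availability detection on interface "adsl": probe timeout.
[12/Nov/2010 14:51:40] {connectivity} Availability detection on interface "Connection to BB-AC-02": probe timeout.
""".strip().splitlines()

if __name__ == "__main__":
    for iface, host, sent in unread_replies(SAMPLE):
        print(f"{iface}: reply from {host} was permitted but probe sent {sent} timed out")
```

An interface reported here received the reply at the packet filter and still timed out, which points at the probe logic or the OS rather than the path; an interface with a timeout and no logged reply points at the path or at upstream ICMP filtering.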

  •  
ICT and Me

Strange, I presume that both NICs are in the group Internet interfaces.
It must be something with the rules. Firewall to Internet interfaces maybe?

  •  
Velimir Ikalovic

Yes, the NICs are in Internet interfaces...
Rules are not the problem, it must be OS related. It took me almost a year to figure out that probing is not working, I hope it will take less time to figure out why it is not working.

Thank you for all the assistance. If only someone else reported a similar problem I could work out where to look in the system.
  •  
ICT and Me

Don't you have a spare computer system that you can equip with more NICs and then run Kerio Control Appliance? I'm sure that's working. But I am going to test your Control version for you on a MS W2k3 system in our virtual environment. Some Monday I will come back on it with results.
