Dophiのブログ

    Load balancing a HTTP service on Nortel Application Switch (aka Alteon) is a simple job as we know. Usually, I only use TCP health check to verify the status of a real server for a basic HTTP load balancing because it only performs a three-way handshake between Alteon and a real server. Just last week, I configured Alteon to load balance a basic HTTP service on IIS 7.0 servers but the status of real servers were always failed. In the beginning, I thought the HTTP service daemons on real servers were down and confirmed this situation with a system engineer. But, the HTTP service on every real servers was up and we could connect directly to the service. After performed some diagnostics, I got the result of this failure.

    The screen shot of packet capture below shows the behavior of three-way handshake of an IIS 7.0 server.

The blue block gives us the answer of TCP health check failure. A three-way handshake should usually be ended by a FIN.ACK packet. But, this situation has been changed because Microsoft IIS 7.0 has a new behavior while a client is establishing a three-way handshake with itself. As we can see from this screen shot, IIS 7.0 issues a RST.ACK packet after the FIN.ACK packet to end this three-way handshake. As the result, Alteon interprets as a failed TCP health check.

Solution A:

    Downgrade the Alteon OS to previous versions. The versions I have tested are 23.0.2 and 22.0.7. Both of them success the TCP health check on IIS 7.0.

Solution B: 

    Change the default service port of IIS 7.0. For example, change the default TCP port 80 to 8001 on IIS 7.0.  Meanwhile, keep the service port of the virtual server as TCP port 80 but change "rport" to 8001 in order to match the real service port on the IIS 7.0 server.

Solution C: 

    This issue will be fixed on version 23.2.9, 24.0.5, 25.0.1, and 26.0.0.

2009-02-18 Update:  The Software version 23.2.9 is released today. This issue has been fixed.