I recently came across two similar scenarios involving NLB Cluster nodes where outgoing connections failed.
In the first one we had an NLB cluster with 2 nodes, each node having a single interface on which only the NLB (common) IP address was configured. The issue was that, even though the cluster was reachable from other machines (it responded to PING, accepted TCP connections and so on), the nodes themselves were unable to connect to any other machine. In this case the nodes could not connect to a network share, but we later found out that they were actually unable to send out any IP packet at all: ICMP, DNS, SMB, nothing worked. All connection attempts terminated very quickly with various errors.
When we tried to ping other machines, we received the error:
“PING: transmit failed. General failure”
This is in fact expected behaviour, and it works by design. The NLB IP address is added to the network interface with the “SkipAsSource” flag set, meaning the TCP/IP stack will never select it as the source IP address for locally initiated (outgoing) connections. Replies to traffic received on that address still go out from it, which is why the cluster answers PING while the node itself cannot initiate one.
More on “SkipAsSource” - http://support.microsoft.com/kb/2386184
You are also warned, while configuring the cluster, that you will not be able to establish outgoing connections without a dedicated IP address:
The solution in this case was to add a dedicated (unique) IP address on each node, to be used as the source IP address for outgoing connections. The address must be unique per node; only the cluster IP is shared.
This can be done from the NLB Manager -> Select Host -> Host Properties -> Host Parameters -> Add Dedicated IP Address.
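The same diagnosis and fix from a PowerShell prompt on the node, as an added example that is not part of the original post. It assumes the NLB interface alias is “NLB” and that 192.0.2.11 is an unused, unique address for this node (both are placeholders), and it requires the NetworkLoadBalancingClusters module that ships with the NLB feature plus the NetTCPIP cmdlets available on Windows Server 2012 and later:

```powershell
# Added example, not code from the original post.
# Assumptions: interface alias "NLB", dedicated IP 192.0.2.11, peer 192.0.2.1 (all placeholders).
Import-Module NetworkLoadBalancingClusters

$iface = 'NLB'          # assumed alias of the NLB interface
$dip   = '192.0.2.11'   # assumed unique dedicated IP for this node

# 1. Show why outgoing traffic fails: every IPv4 address on the NLB interface
#    carries SkipAsSource = True, so none of them may be used as a source address.
Get-NetIPAddress -InterfaceAlias $iface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, SkipAsSource |
    Format-Table -AutoSize

# 2. Add the dedicated IP through NLB. This is the same operation NLB Manager performs
#    under Host Properties -> Host Parameters -> Add Dedicated IP Address, so the
#    address is recorded in the cluster configuration rather than only on the adapter.
Add-NlbClusterNodeDip -HostName $env:COMPUTERNAME -InterfaceName $iface -IP $dip

# 3. Verify: the new address must show SkipAsSource = False, the cluster IP stays True.
Get-NetIPAddress -InterfaceAlias $iface -AddressFamily IPv4 |
    Select-Object IPAddress, SkipAsSource |
    Format-Table -AutoSize

# 4. Confirm NLB knows about the DIP and that the node can now initiate traffic.
Get-NlbClusterNodeDip -HostName $env:COMPUTERNAME
Test-NetConnection -ComputerName '192.0.2.1' -InformationLevel Detailed   # assumed peer
```

Adding the address with netsh or New-NetIPAddress would also clear the symptom, but then NLB Manager would not know about it; going through the NLB cmdlet (or the GUI) keeps the host parameters and the adapter configuration consistent.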
In the second scenario we had two interfaces on each node: one configured with a dedicated (unique) IP, and the other, used for NLB, configured with only the NLB (common) IP address.
In this case we were unable to establish connections from the nodes to the cluster IP address. As before, the cluster was reachable from other machines; this time the nodes could also reach other machines, because they had dedicated IP addresses on the other interface, but they could not connect to the cluster IP address.
We had the same error when pinging the cluster IP address:
What happened: when deciding how to send (in this example - ) the PING packet, TCP/IP first chooses the interface on which it will send the packet, according to the routing table. To reach the NLB IP the route obviously goes out through the NLB interface. Only after that does the stack pick the source address, and it picks it from the addresses configured on that outgoing interface. On this interface there is no address usable as a source for outgoing connections (remember, the NLB IP has the “SkipAsSource” flag set), and the dedicated IP on the other interface is not a candidate because it does not belong to the outgoing interface.
Therefore sending packets to the NLB IP address fails, even though that address is local to the machine.
More on Source IP address selection: http://blogs.technet.com/b/networking/archive/2009/04/25/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx
The solution here was the same as in the first case: add a dedicated (unique) IP address on the NLB interface of each node.
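To see the two-step decision (route first, then source address) for the cluster IP from one of the nodes, here is an added example that is not part of the original post. It assumes a cluster IP of 192.0.2.100 (placeholder) and uses Find-NetRoute, which exists on Windows 8 / Windows Server 2012 and later and reports both the route and the source address the stack would select:

```powershell
# Added example, not code from the original post.
# Assumption: cluster (virtual) IP 192.0.2.100 (placeholder). Run on an NLB node.
$vip = '192.0.2.100'

# Find-NetRoute returns two objects: a NetIPAddress (the selected source address)
# and a NetRoute (the route used to reach the destination).
# It is assumed here that it may throw when no source address can be selected,
# so the call is wrapped to keep the diagnosis going.
try {
    $result = Find-NetRoute -RemoteIPAddress $vip -ErrorAction Stop
    $source = $result | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_NetIPAddress' }
    $route  = $result | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_NetRoute' }

    "Route to {0}: {1} via interface '{2}'" -f $vip, $route.DestinationPrefix, $route.InterfaceAlias
    "Selected source: {0} (SkipAsSource={1})" -f $source.IPAddress, $source.SkipAsSource
    $outIface = $route.InterfaceAlias
}
catch {
    Write-Warning "Find-NetRoute failed for ${vip}: $($_.Exception.Message)"
    # Fall back to the interface that actually owns the cluster IP.
    $outIface = (Get-NetIPAddress -IPAddress $vip -AddressFamily IPv4).InterfaceAlias
}

# Step 2 of the stack's decision: list the candidate source addresses on the
# outgoing interface. In the failing configuration all of them are SkipAsSource=True,
# which is why "PING: transmit failed. General failure" appears for a local address.
$candidates = Get-NetIPAddress -InterfaceAlias $outIface -AddressFamily IPv4
$candidates | Select-Object InterfaceAlias, IPAddress, SkipAsSource | Format-Table -AutoSize

if (-not ($candidates | Where-Object { -not $_.SkipAsSource })) {
    Write-Warning "No usable source IP on '$outIface'. Add a dedicated IP on this interface (Add-NlbClusterNodeDip)."
}
else {
    Test-NetConnection -ComputerName $vip   # should succeed once a DIP exists on $outIface
}
```

Because the source address is chosen only among addresses on the outgoing interface, the dedicated IP on the other adapter never appears in the candidate list above; that is the whole reason the second scenario needs a dedicated IP on the NLB interface itself.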