Endpoint Protection

Windows 2008 Failover Cluster and NTP 

Sep 15, 2011 12:31 AM

Issue:

Installing the Symantec Endpoint Protection Network Threat Protection (NTP) component on the cluster blocks communication between the Windows Server 2008 Failover Cluster nodes.
Following the article TECH91154 doesn't resolve the issue.

Cause:

By default, the "Microsoft Failover Cluster Virtual Adapter" (NetFT.sys) uses IPv6 to communicate with other nodes in the cluster. If you have an IPv4 configuration, then IPv6 is tunneled over IPv4 to establish sessions with remote nodes. If IPv6 is completely unavailable in your environment, the nodes will then communicate by IPv4. It is possible to disable IPv6 and still have the cluster function correctly, but it is recommended to enable IPv6 with Windows 2008 and 2008 R2 failover clustering.

Reference: For more information about IPv6 on clusters, see the following article from the "Windows Failover Cluster Team":
http://blogs.technet.com/b/askcore/archive/2010/02/12/windows-server-2008-failover-clusters-networking-part-1.aspx

A default SEP firewall policy has rules that block "IPv6" communication and "IPv6 over IPv4" communication, which conflict with cluster communication over "IPv6" or "IPv6 over IPv4". Currently, the Symantec Endpoint Protection firewall doesn't support IPv6.

Reference: Symantec Endpoint Protection 11.0.6 compatibility with IPv6 and IPv6 over IPv4
http://www.symantec.com/docs/TECH91244
 
Solutions:

Solution 1:
Completely disable IPv6 support on the cluster nodes.

Solution 2:
1. Disable (uncheck) the "IPv6" and "IPv6 over IPv4" rules in the firewall policy of the SEP clients installed on the cluster nodes.
2. Add a new blank rule and set it to "Allow" with the following triggers:
 Host: Local (add the IP addresses of all cluster nodes) and Remote (add the IP addresses of all cluster nodes).
 Service: Local port: 3343,137,135 / Remote port: 3343,137,135.
 (Set all other triggers to "Any".)
3. If a node still does not join the cluster, remove it from the cluster and add it again.

Note: Do not delete the rule that blocks IPv6. Do not change its filter action from Block to Allow.
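
A quick check to run on a cluster node after applying either solution, as an added example that is not part of the original article: it reports the IPv6 DisabledComponents registry value covered by KB929852 and tries a TCP connection to each other node on ports 3343 and 135. The node addresses are constructed placeholders, and probing over TCP is an assumption (the article does not name a protocol); port 137 is skipped because NetBIOS name service uses UDP.

```powershell
# Added example, not from the original article.
# $ClusterNodes holds constructed placeholder addresses; replace with your node IPs.
$ClusterNodes = @('192.0.2.11', '192.0.2.12')
$TcpPorts     = @(3343, 135)   # 137 (NetBIOS name service) is UDP and is not probed here

function Get-Ipv6DisabledComponents {
    # Registry value described in Microsoft KB929852.
    # If the value is absent, IPv6 is in its default (enabled) state.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $p = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($p) { '0x{0:X}' -f $p.DisabledComponents } else { 'not set (IPv6 enabled)' }
}

function Test-TcpPort([string]$Address, [int]$Port, [int]$TimeoutMs = 2000) {
    # Returns $true only if a TCP connection completes within the timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"IPv6 DisabledComponents: $(Get-Ipv6DisabledComponents)"
foreach ($node in $ClusterNodes) {
    foreach ($port in $TcpPorts) {
        $state = if (Test-TcpPort $node $port) { 'reachable' } else { 'blocked or closed' }
        '{0}:{1}/tcp {2}' -f $node, $port, $state
    }
}
```

A "blocked or closed" result for a node that is up points back at the allow rule from step 2: check that both the local and remote host lists contain every node address.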


Also check the following articles:
About Windows and Symantec firewalls
http://www.symantec.com/docs/HOWTO26652

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7, and Windows Server 2008
http://support.microsoft.com/kb/929852
