Microsoft KB Archive/229064

= Load Balancing may not work correctly with IP fragmentation in Windows Server 2003, in Windows 2000, and in Windows NT =

Article ID: 229064

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Load Balancing Service
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q229064



SYMPTOMS
A service being load balanced by the Windows NT Load Balancing service (WLBS) or the Windows 2000 Network Load Balancing (NLB) feature may not work at all or present unpredictable behavior. The client program may report connection errors.



CAUSE
Due to the design of the TCP/IP stack and the way WLBS/NLB processes packets, re-assembly of IP fragments cannot be guaranteed to occur in all cases when WLBS/NLB is used.



RESOLUTION
Path MTU Discovery is an algorithm implemented in TCP/IP which should normally prevent IP fragmentation of TCP frames from ever occurring on the network, and is enabled by default in all Microsoft Windows operating systems. This algorithm was implemented because the process of fragmenting and re-assembling IP frames is time consuming and inefficient.

However, fragmentation may still occur on the network under certain circumstances. The way that Path MTU Discovery works is that a host will set a bit flag in the IP header of all TCP frames it transmits which informs routers that fragmentation is not allowed. This is known as the “Don’t Fragment” or DF bit. When a router receives a frame that is too large to be transmitted onto the next network, it will check to see if the DF bit is set. If it is not, then the frame is fragmented and forwarded on to the destination. If the DF bit is set, then the router should discard the frame and return an ICMP message to the sender indicating that fragmentation was required but the DF bit was set. This message will also inform the sender of the Maximum Transmission Unit (MTU) for the network in question. The sender will then limit all subsequent frames for this TCP session to the specified MTU size, thereby eliminating the need for fragmentation.

This process will fail if a router between the source and destination needs to fragment the frame and either fails to return the ICMP message to the sender, or the message gets blocked due to packet filtering. This is known as a “black hole router”. In this case, the frame will be discarded silently and the sender will retransmit the frame several times until the TCP session terminates. Another possibility is that a router may be configured to ignore the DF bit and will fragment the frame anyway. Lastly, other older operating systems or network devices may not support Path MTU Discovery, and will not set the DF bit, which will result in fragmentation on the network. Differences in MTU values typically occur when data must cross different types of network media (VPN connections, Token Ring, Ethernet, etc.). To resolve this issue, identify the router which is preventing Path MTU Discovery from working properly and correct its configuration. For additional information about how to locate such a router and to see some alternative, but less desirable solutions, click the following article number to view the article in the Microsoft Knowledge Base:

314825 How to troubleshoot black hole router issues
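The following simulation is an added illustration of the four situations the RESOLUTION section describes (working Path MTU Discovery, a black hole router, a router that ignores DF, and a sender that never sets DF). It is not code from this article or from Windows; the router names, the 1500/1400 MTU values, the retransmit budget and the simplified ICMP signal are assumptions, and fragment sizes ignore the 8-byte offset alignment of real IP fragments.

```python
"""Path MTU Discovery and the black-hole-router failure, as a small simulation.

Constructed example for illustration only; it is not code from the article
or from Windows. Router names, MTU values and the simplified ICMP signal
are assumptions. Fragment sizes ignore the real 8-byte offset alignment.
"""
from dataclasses import dataclass

IP_HEADER = 20


@dataclass
class Frame:
    size: int    # total IP datagram length in bytes
    df: bool     # the "Don't Fragment" bit set by a PMTUD-capable sender


@dataclass
class Router:
    name: str
    next_hop_mtu: int
    honours_df: bool = True    # False: configured to ignore DF and fragment anyway
    sends_icmp: bool = True    # False: "black hole" (ICMP never returned or filtered)

    def forward(self, frame):
        """Return ("ok", [frames]) | ("icmp", mtu) | ("dropped", None)."""
        if frame.size <= self.next_hop_mtu:
            return "ok", [frame]
        if frame.df and self.honours_df:
            # Too big and DF set: discard; a well-behaved router reports the MTU
            if self.sends_icmp:
                return "icmp", self.next_hop_mtu
            return "dropped", None          # silent discard: the sender learns nothing
        # DF clear (or ignored): split the payload, each piece gets its own IP header
        payload = frame.size - IP_HEADER
        per_piece = self.next_hop_mtu - IP_HEADER
        pieces = -(-payload // per_piece)   # ceiling division
        sizes = [self.next_hop_mtu] * (pieces - 1)
        sizes.append(IP_HEADER + payload - (pieces - 1) * per_piece)
        return "ok", [Frame(s, frame.df) for s in sizes]


def traverse(frame, path):
    """Push one frame hop by hop. Returns ("delivered", frames) |
    ("icmp", mtu) | ("dropped", None)."""
    in_flight = [frame]
    for router in path:
        out = []
        for f in in_flight:
            verdict, data = router.forward(f)
            if verdict != "ok":
                return verdict, data
            out.extend(data)
        in_flight = out
    return "delivered", in_flight


def send_segment(sender_mtu, path, df=True, max_retransmits=5):
    """Send one full-size TCP segment, retransmitting as a TCP sender would.

    With DF set, an ICMP "fragmentation needed" reply lowers the path MTU for
    this session and the segment is resent smaller. A silent drop is simply
    retransmitted until the retry budget is exhausted (the session fails).
    """
    pmtu = sender_mtu
    attempts = 0
    while attempts <= max_retransmits:
        attempts += 1
        verdict, data = traverse(Frame(pmtu, df), path)
        if verdict == "delivered":
            return {"delivered": True, "attempts": attempts,
                    "final_mtu": pmtu, "fragments": len(data)}
        if verdict == "icmp":
            pmtu = data        # adopt the reported MTU and resend
        # "dropped": nothing learned, resend unchanged
    return {"delivered": False, "attempts": attempts,
            "final_mtu": pmtu, "fragments": 0}


def scenarios():
    """The four situations the article describes, over an Ethernet -> VPN path."""
    core = Router("core", 1500)
    vpn_ok = Router("vpn-gw", 1400)
    vpn_black_hole = Router("vpn-gw", 1400, sends_icmp=False)
    vpn_ignores_df = Router("vpn-gw", 1400, honours_df=False)
    return {
        "healthy_pmtud": send_segment(1500, [core, vpn_ok]),
        "black_hole": send_segment(1500, [core, vpn_black_hole]),
        "router_ignores_df": send_segment(1500, [core, vpn_ignores_df]),
        "sender_without_pmtud": send_segment(1500, [core, vpn_ok], df=False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```

Running the script shows the contrast the article draws: with a well-behaved router the sender receives the ICMP report, lowers its MTU to 1400 and succeeds on the second attempt with no fragments; behind a black hole router every attempt is dropped silently and the retry budget runs out; when DF is ignored by the router or never set by the sender, the segment arrives, but as two fragments, which is the case that WLBS/NLB cannot handle.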



MORE INFORMATION
WLBS/NLB extracts the client IP address from the IP header and extracts the client port from the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) header. If the port rule specifies "no client affinity," both pieces of information are used to determine which host will process the packet. When the packet is fragmented, only the first fragment contains the TCP or UDP header. Therefore, WLBS/NLB cannot determine which host should handle a subsequent fragment. In Windows 2000 Server and earlier versions, fragmentation of the TCP or UDP header is generally not an issue because WLBS/NLB forwards all fragments to the TCP/IP stack. TCP/IP discards the fragments that it does not need. In Windows Server 2003, fragments are load balanced and they are never unconditionally forwarded to the TCP/IP stack. Generally, TCP fragmentation cannot be handled correctly and is not supported with NLB. To correctly handle fragmented UDP traffic in Windows Server 2003, create a single port rule with the following properties: port range [0:65535], protocol Both, Affinity Single or Class C.
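The following added example models why the recommended port rule (protocol Both, Affinity Single or Class C) lets fragmented UDP traffic survive load balancing in Windows Server 2003 while a "no client affinity" rule cannot place the later fragments. It is not Microsoft's NLB implementation: the hash function, the three-host cluster size and the sample datagram from 10.1.2.3 are assumptions, and the Windows 2000 behaviour of forwarding all fragments to the TCP/IP stack is not modelled.

```python
"""How NLB port-rule affinity interacts with IP fragments, as a simulation.

Constructed example, not Microsoft's NLB implementation: the hash function,
the three-host cluster and the sample datagram are assumptions chosen to
show why a non-first fragment (no TCP/UDP header) can only be placed by a
rule that keys on the client IP address alone.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    src_ip: str
    frag_offset: int            # 0 marks the first fragment
    src_port: Optional[int]     # only the first fragment carries the transport header


def _bucket(key: str, hosts: int) -> int:
    """Stable mapping of a key to a host index (assumed hash; NLB's differs)."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % hosts


def choose_host(frag: Fragment, affinity: str, hosts: int) -> Optional[int]:
    """Pick the cluster host for one fragment under the given port-rule affinity.

    Returns None when the rule needs the client port but the fragment has no
    transport header, i.e. the load balancer cannot decide which host owns it.
    """
    if affinity == "none":
        if frag.src_port is None:
            return None
        key = f"{frag.src_ip}:{frag.src_port}"
    elif affinity == "single":
        key = frag.src_ip
    elif affinity == "classc":
        key = ".".join(frag.src_ip.split(".")[:3])
    else:
        raise ValueError(f"unknown affinity {affinity!r}")
    return _bucket(key, hosts)


def targets(fragments, affinity, hosts=3):
    """Set of hosts the fragments of one datagram are sent to."""
    return {choose_host(f, affinity, hosts) for f in fragments}


def reassembles(fragments, affinity, hosts=3) -> bool:
    """True only if every fragment reaches the same host, so it can be reassembled."""
    chosen = targets(fragments, affinity, hosts)
    return len(chosen) == 1 and None not in chosen


# Constructed sample: a 3000-byte UDP datagram from 10.1.2.3:40000 in three fragments
SAMPLE = [
    Fragment("10.1.2.3", 0, 40000),
    Fragment("10.1.2.3", 1480, None),
    Fragment("10.1.2.3", 2960, None),
]

# Constructed second client in the same /24: Class C affinity keeps it on the same host
NEIGHBOUR = [Fragment("10.1.2.77", 0, 51000), Fragment("10.1.2.77", 1480, None)]


if __name__ == "__main__":
    for affinity in ("none", "single", "classc"):
        print(f"{affinity:7} hosts={targets(SAMPLE, affinity)} "
              f"reassembles={reassembles(SAMPLE, affinity)}")
```

With "none" the first fragment is placed but the two that follow come back as undecidable, so the datagram can never be reassembled on one host; with "single" or "classc" every fragment keys on the source address that is present in all of them and lands on the same host. The same reasoning is why the article notes that fragmented TCP is generally not supported: the DF-based Path MTU Discovery is expected to keep TCP segments from fragmenting in the first place.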

