Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Cluster Failover on W2008 and higher - disable Port Stealth Mode

Daniel Nashed  21 November 2015 09:34:21
I should have blogged about this earlier. It was in my 2013 IBM Connected presentation but beside the TN and my presentation there is not much information.
If you are using Domino clustering on Win2008 or higher you should really disable the port Stealth mode!


This week I ran into a customer crash situation with repeated crashs which took a while to fix.

The failover on their Win2012 R2 servers was painful slow.


In Win2008 Microsoft introduced a feature called the Port Stealth mode.

This new "security feature" is enabled by default and is independent from the Windows Firewall.


If Domino does not listen any more for NRPC port 1352 Windows will discard all TCP IP packets for new and also existing connections.

That means the Notes client still thinks that the server is there and tries again to send TCP packages until the TCP timeout is reached.

The client is hanging for 30 up to 60 seconds until the failover occurs because Windows does not reject the packages from the client.


Once you disabled the Stealth mode via registry values, the client failover is again almost immediate.

You should also enable silent cluster failover in the desktop policy to avoid any prompts and the failover is almost seamless in most of the cases.

And in current Domino releases the client will also fail back to the home-mail-server later on.


To disable the port Stealth mode you have to set the registry values mentioned in the technote and we had to restart Windows to ensure the settings have effect.


Registry Settings:


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

"DisableStealthMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile]

"DisableStealthMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile]

"DisableStealthMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

"DisableStealthMode"=dword:00000001


The changes only take effect when your restart Windows!
We have multiple customers reporting it even for Windows 2012 R2.


References:


IBM Technote --> https://www.ibm.com/support/docview.wss?uid=swg21498755


The IBM TN is referencing the following Microsoft Technote --> http://msdn.microsoft.com/en-us/library/ff720058%28v=prot.10%29.aspx

Links

    Archives


    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]