How does Sticky IP and Round Robin NAT Load Balancing (NLB) work

Source IPs: 10.71.254.254, 10.71.253.1 initiated two connections on destination TCP ports 3389 and their requests were load balanced onto destination hosts as shown in the "Packet Monitor" screenshot below:

Source IP 10.71.254.254 connected to 10.10.11.141.

Source IP 10.71.253.1     connected to 10.10.11.142. 

Source IP: 10.71.253.1 connect to 10.10.11.142 and Source IP: 10.71.254.254 connects to 10.10.11.141, see "Packet Monitor" below:

Testing of Round Robin NAT LB method

Select Rules| NAT Policies | edit the same NAT policy used in the above example and change the "NAT LB" method from Sticky IP to Round Robin under Advanced tab, as shown below:

NAT LB method changed to Round Robin:

Source IPs: 10.71.254.254, 10.71.253.1 initiated two connections on destination TCP ports 3389 and their requests were load balanced onto destination hosts as shown in the "Packet Monitor" screenshot below:

Source IP 10.71.253.1     connected to 10.10.11.141.

Source IP 10.71.254.254 connected to 10.10.11.142.

Closed current RDP sessions on both hosts and re launched Two RDP sessions to see if same how their request will be load balanced across two RDP hosts, see screenshot below:

Source IP 10.71.253.1     connected to 10.10.11.142.

Source IP 10.71.254.254 connected to 10.10.11.141.

Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.

Determining the NAT LB Method to Use

Caveats

The following are not available at present:

• Only two health-check mechanisms (ICMP ping and TCP socket open).
• No higher-layer persistence mechanisms (Sticky IP only).
• No “sorry-server” mechanism if all servers in group are not responding.
• No “round robin with persistence” mechanism.
• No “weighted round robin” mechanism.
• No method for detecting if resource is strained.

While there is no limit to the number of internal resources that the SonicWall network security appliance can load-balance to, and there no limit to the number of hosts it can monitor, abnormally large load-balancing groups (25+resources) may impact performance.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

1. Log in to the SonicWall with your admin account.
2. Select Network | Address Objects
3. Click Add and then add two RDP hosts, and then add them to a Group as shown in the screenshot below:

1. Select Firewall | Access Rules | Click Add to allow access from Any Source (Specify source if required) from WAN zone to LAN, as shown below:

Above Access rule will allow access to the Public Virtual IP and then it will be sent to RDP hosts using the NAT LB method

1. Click OK to add the Access Rule.
2. Select Network | NAT Policies | Click Add and fill the create a in bound NAT as shown below:

Note: If outbound access is required from above RDP hosts then add outbound NAT policies and access rules per requirements, as the above NAT and Access Rule will only allow inbound access, and if any of the RDP host need to initiate outbound connection, not replying an incoming request, then separate NAT/Access Rule will be needed.

1. Select Advanced tab from Add NAT policy window and make sure the under "NAT Method" Sticky IP is selected, and under "High Availability" probing is enabled on the ports which are being used within the NAT policies, as show below: