Tech Line

Multiple Gateway Malfunction

Configuring more than one default gateway on a multi-homed server can lead to trouble.

Chris: I’m having a strange error with my Windows Server 2003 DNS server. I recently added a second NIC to the server to better load balance DNS query traffic across multiple subnets. However, after adding the second NIC, I started getting calls from users telling me that the Internet was down. After disabling the NIC, Internet name resolution returned to normal. Any ideas why this would happen?

-- Matt

Tech Help—Just An E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than the manuals provide? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:[email protected]; the best questions get answered in this column and earn the questioner a nifty MCPmag.com baseball-style cap.

When you send your questions, please include your full first and last name, location, and certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

After talking with Matt for a few minutes, we were able to get to the cause of his problem. When Matt installed and configured the second NIC, he also configured the default gateway parameter in the NIC’s TCP/IP properties. This configuration resulted in his DNS server having two default gateways and, as a result, queries that his DNS server was attempting to forward were timing out after being routed back through an internal disjointed network segment.

To understand this behavior, let’s look at how Windows Server 2003 calculates the default metric for any configured default gateway addresses. When multiple default routes exist, Windows first uses the speed of each NIC to determine the best route: each route's metric is derived automatically from its NIC's speed, and the route with the lowest metric is preferred. For example, a 100Mbps NIC would have a default metric of 20, while a 10Mbps NIC has a default metric of 30. This means that by default, the server would attempt to reach any unknown networks through the gateway address assigned to the 100Mbps NIC.

Note that you can manually override the default metric assignment to an interface by performing these steps:

  1. Click Start - Control Panel - Network Connections, and then click on the network interface that you wish to configure.
  2. In the connection’s Status dialog box, click Properties.
  3. Under the General tab of the connection Properties dialog box, double-click "Internet Protocol (TCP/IP)."
  4. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
  5. In the Default Gateways portion of the Advanced TCP/IP Properties window, select the gateway address to configure and click the Edit button. You can also add a new gateway address by clicking the Add button.
  6. Now in the TCP/IP Gateway Address dialog box, clear the Automatic Metric checkbox.
  7. Enter a new metric value in the Metric field and then click OK.
  8. Click OK to close the Advanced TCP/IP Settings dialog box.
  9. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
  10. Click OK to close the Connection Properties dialog box.
  11. Click Close to close the Connection Status dialog box.

You may be wondering what happens if you have two identical NICs in the server. In this scenario, assuming that both NICs have a default gateway address configured, the NIC that is listed first in the network binding order would have the highest priority. You can check and change the network binding order on a Windows Server 2003 system by performing these steps:

  1. Click Start - Control Panel, then right-click on Network Connections and select Open.
  2. In the Network Connections window, click the Advanced menu and select Advanced Settings.
  3. The binding order is displayed under the Adapters and Bindings tab in the Advanced Settings window. To change the binding order, select an interface in the Connections portion of the window and then click the up or down arrow to change the interface’s location in the binding order. The interface listed at the top is first in the binding order, while the interface shown at the bottom would be last.
  4. Once finished setting the binding order, click OK to close the Advanced Settings dialog box.

With multiple default gateways, there is one other issue to be aware of, which is Dead Gateway Detection. This process can allow a Windows system to dynamically begin using the next configured default gateway when a failure is detected with the default gateway that has the lowest metric (or is listed first in the binding order when multiple gateways have the same metric value). For more information on Dead Gateway Detection, take a look at the TechNet article "Default Gateway Behavior for Windows TCP/IP."

Now that my typical rambling description is over, let me talk about how Matt’s problem was solved. Since he configured a gateway address on his second NIC and the NIC was connected to a disjointed network that was not routable to the Internet, DNS was trying to forward requests through the newly installed NIC. To solve his problem, he simply removed the default gateway address from the TCP/IP settings on the new NIC. Had he needed to route through any network subnets that could only connect to the DNS server via the second NIC, he could have added static routes using the route add -p command. For example, if his DNS server needed to route back to the 172.16.2.0/24 subnet using the gateway address 172.16.1.1, he would run the command route add -p 172.16.2.0 mask 255.255.255.0 172.16.1.1. This would provide for more efficient routing than waiting for the inevitable timeouts that would occur as the OS attempted to find the correct gateway address using Dead Gateway Detection.

Since Dead Gateway Detection is based on TCP timeouts (and not UDP or ICMP timeouts), it is also limited in its reliability. With this in mind, I would not try to include Dead Gateway Detection as part of your planned network infrastructure. Instead, a better practice is to configure a single default gateway address for the server and then add static routes for any disjointed networks that cannot be reached through the default gateway. For more information on configuring gateway addresses on multi-homed servers as well as detailed information on TCP/IP in Windows Server 2003, take a look at the Microsoft whitepaper "Microsoft Windows Server 2003 TCP/IP Implementation Details." Not only is this whitepaper an informative read, but it can also serve as a sleep aid for young children. If my two-year-old can’t sleep, I just read him a couple of pages about the Windows 2003 TCP/IP implementation details and he’s out like a light!
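The check below is an added example, not part of the original column: it parses the Active Routes table of route print output and reports whether a multi-homed server has more than one default route, which gateway wins on metric, and whether a metric tie leaves the choice to the binding order. The sample output, its addresses and metrics, and the function names are constructed for illustration.

```python
import re

# Constructed sample of the "Active Routes" table from `route print` on a
# two-NIC server; addresses and metrics are illustrative, not from the article.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      30
          0.0.0.0          0.0.0.0       172.16.1.1     172.16.1.10      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0      172.16.1.10     172.16.1.10      20
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10      30
Default Gateway:        172.16.1.1
Persistent Routes:
  None
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")

def default_routes(route_print_text):
    """Return [(gateway, interface, metric)] for every 0.0.0.0/0 route."""
    found = []
    for line in route_print_text.splitlines():
        m = ROUTE_ROW.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            found.append((m.group(3), m.group(4), int(m.group(5))))
    return found

def audit(route_print_text):
    """Summarise default-route state: count, preferred gateway, metric tie."""
    routes = sorted(default_routes(route_print_text), key=lambda r: r[2])
    if not routes:
        return {"count": 0, "preferred": None, "tie": False, "extra": []}
    best = routes[0][2]
    tied = [r for r in routes if r[2] == best]
    return {
        "count": len(routes),
        # With a tie the metric alone cannot decide; binding order does.
        "preferred": routes[0][0] if len(tied) == 1 else None,
        "tie": len(tied) > 1,
        # Gateways to review: removing them leaves a single default route.
        "extra": [r[0] for r in routes[1:]],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_ROUTE_PRINT))
```

In the constructed sample the internal 172.16.1.1 gateway wins on metric, the same situation that sent forwarded DNS queries out the wrong interface.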

About the Author

Chris Wolf is a Microsoft MVP for Windows - Virtual Machine and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).
