topic Re: Proxy ARP for Manual NAT – (local.arp file) rewritten after restart in Firewall and Security Management

Proxy ARP for Manual NAT – (local.arp file) rewritten after restart

P_M — Mon, 07 Dec 2020 09:07:37 GMT

Hello,

We are running R80.30 in a clustered environment, and have Proxy ARP for Manual NAT – (local.arp file) in place.

I have noticed recently noticed that the local.arp file is written over with other information after every restart of one of the Firewall. The other Firewall is not affected.

I know that a former colleague that has since moved onto another employer had been testing setting up Logical server, and had been experimenting with Proxy Arp for manual NAT (local.arp file).

Does anyone have a clue on where this setting is that rewrites the local.arp file on restart of the Firewall?

Thank you in advance.

Regards

P_M

Re: Proxy ARP for Manual NAT – (local.arp file) rewritten after restart

Axel_Engeland — Mon, 07 Dec 2020 09:55:14 GMT

$FWDIR/conf/local.arp is always rewritten on boot or configuration change by confd (except on VSX virtual systems >0). It should say so in the first three lines of the file ("# This file was AUTOMATICALLY GENERATED"...). Here are the things I would do:

Compare the content of local.arp with the clish configuration ("show arp proxy all")
Make sure the local.arp on both gateways do not have the immutable flag (lsattr $FWDIR/conf/local.arp should not show the "i" flag)
Check for custom boot configurations in /etc/rc.d/rc.local or /etc/rc.d/rc.local.user)

Re: Proxy ARP for Manual NAT – (local.arp file) rewritten after restart

P_M — Mon, 07 Dec 2020 10:17:55 GMT

Hello Axel,

Thank you for your response.

When I run ("show arp proxy all") then I see that is the content from the output, that is written over to local.arp during restarts.

How can I now fix this issue?

Regards

P_M

Re: Proxy ARP for Manual NAT – (local.arp file) rewritten after restart

P_M — Mon, 07 Dec 2020 10:19:22 GMT

Forgot to mention, that is only on one of the cluster members that local.arp is written over during restart.

Regards

P_M

Re: Proxy ARP for Manual NAT – (local.arp file) rewritten after restart

Axel_Engeland — Mon, 07 Dec 2020 10:29:08 GMT

Hello P_M,

I'd recommend setting up proxy arp according to sk30197 on both nodes so local.arp is rewritten at boot, but with correct content. If I have the option to configure something in clish instead of some config file I always prefer clish.

Alternatively, you can write your local.arp manually and protect it from being overwritten by using "chattr +i $FWDIR/conf/local.arp", but this is neither recommended nor supported, I guess.

Re: Proxy ARP for Manual NAT – (local.arp file) rewritten after restart

P_M — Wed, 09 Dec 2020 19:32:11 GMT

Hello Axel,

Thank you for your response and help!

I removed the Proxy Arp entry and this solved the problem with the local.arp being written over.

Cheers!

P-M