@Vladimir 

The cluster is running R80.30.

Topology:

Two gateways and Cox cable modem connected to small dumb switch.  The modem acts like a bridge in this setup and does not own the default gateway for the WAN.  Subnet is a /26 but there are only 6 useable IPs.  I have heard Cox reference a "CCAP" that owns the default gateway IP for the WAN.  Also Cox has said that their setup does not work well with gratuitous ARP, so we must use VMAC.

Hope that helps!

-Dave

Hi Dave,

Still sounds like the problem described in SK with the value-added "small dumb switch".

How dumb is that witch exactly? if the VMAC was configured recently and the ARP cache and MAC table on the COX side was not flashed, this may persist. I have seen relevant behavior (not the VMAC, but swap of one of the Cisco ASAs cluster members with Check Point), where this was required from the carrier to restore sanity to the network.

@Vladimir 

That switch is a 5-port Netgear.  "Dumb" as in it is not managed and is pretty simple and has no "configuration" that could be effecting anything.  The Cox side does have the VMAC in its ARP table (eventually, the ARP table on that device takes hours to refresh, which is why G-ARP does nothing).  

They have a problem with the way traffic from VIP is sourced with VIP and physical MAC of active member.  Sounds like their device drops traffic because it is expecting the VMAC as the source MAC.  I am working with the Cox engineer too, and hopefully he can adjust something on his end to get this working.  I was just throwing the behavior out here on the forum to see if there was any way to get the cluster to use the VMAC as the source MAC.  

-Dave

@Wolfgang 

Thanks. I have read that SK about 5 times lol.  I realize that this is the "normal" behavior, but my question is asking if there is a way to configure this to behave differently.  Just as no VMAC is "normal" but you can still enable it.  

I do not have any information on the ISP side other than what I posted in my reply to @Vladimir .

-Dave

Dave,

normally I prefer vmac. With this there is no change of the receiving MAC if the active clusternode change to the other.

If you want both MACs identical you can‘t use vmac. I think there is no way to change this behaviour.

Trigger @PhoneBoy , maybe something internal ?

Wolfgang

Given the constraints, can you spin-up another non-routed L3 VLAN on the switch connected to the internal interfaces of the CP cluster and use that instead of the netgear? With IP assigned to that VLAN, the vMAC should work.

We did have an Internet VLAN setup on the LAN switch originally.  Same results.  We moved to the "dumb" switch to simplify things and see if it made a difference.  

Looks like you'll have to route buffer the CP cluster using RFC1918 on its external interfaces, unless someone can suggest anything better.

P.S. When you've had the VLAN previously configured on the internal switch, did it have a VLAN interface with IP address?

@PhoneBoy 

thanks Dameon. I thought too VRRP maybe is the solution but I think the behaviour is the same. With VRRP you can too specify special MAC for the VRRP IPs. But the sending traffic should be send with the physical MAC of the node.

Maybe someone here has running a VRRP-cluster.

One solution from the old times would be an IPSO-cluster in forwarding mode, but that‘s not supported today 😉

Wolfgang