ykpark
Contributor

Problem with proxy ARP service.

Dear all,

I have a question.

The firewall deployment mode is HA (active/standby). The version is R80.40.
When a failover occurs, there are problems with some services.

When I checked, I confirmed that the problem occurs only with the services registered in proxy ARP.

They were registered with reference to sk30197.

I'm looking for experience in solving cases similar to mine.

Thanks

0 Kudos
7 Replies
Chris_Atkinson
Employee

Does the issue resolve after installing policy? What JHF is installed?

Where possible, routing addresses/subnets towards the cluster is a common alternative to the use of proxy ARP.

 

CCSM R77/R80/ELITE
0 Kudos
(1)
ykpark
Contributor

Jumbo hotfix version is 118.

Is it correct that the proxy ARP information registered in fw1 is updated with the proxy ARP information registered in fw2 if it fails over?

0 Kudos
Chris_Atkinson
Employee

I recommend upgrading from Take 118 to a newer/recent one, as there are known issues around that take level and it is over a year old.

Yes, per Tim's earlier reply, GARP (gratuitous ARP) messages are sent to update the routers, so long as they don't block/filter those.

0 Kudos
Timothy_Hall
Champion

It is possible your adjacent routers don't like the gratuitous ARPs issued by the new active member upon failover. In that case you either need to turn that protection off (ARP state tracking) on them, or set VMAC mode on the cluster object. However, if you do that, make sure all switchports the cluster members are plugged into are configured for portfast to set the STP Listen/Learn timer to zero.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
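A check for the condition described in the reply above, as an added example that is not part of the original thread or of Check Point's tooling: it reads text in the format `tcpdump -e -n arp` prints, captured on the segment facing the adjacent router, and lists which watched addresses the new active member never announced after the failover. The MACs, IPs, timestamps and capture lines are constructed sample values, and the function names are hypothetical.

```python
import re

# One line of `tcpdump -e -n arp` text output: timestamp, source MAC, ARP body.
ARP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, "
    r"ethertype ARP.*?: (?:Request who-has (?P<req_ip>[\d.]+) .*?tell (?P<tell>[\d.]+)"
    r"|Reply (?P<rep_ip>[\d.]+) is-at (?P<is_at>[0-9a-f:]{17}))"
)

# Constructed sample: fw1 = 02:..:01 (old active), fw2 = 02:..:02 (new active),
# 203.0.113.1 = cluster VIP, .10 and .11 = proxy ARP (NAT) addresses.
SAMPLE_CAPTURE = """\
10:15:29.900000 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 203.0.113.10 is-at 02:00:00:00:00:01, length 46
10:15:31.100000 02:00:00:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.1 (ff:ff:ff:ff:ff:ff) tell 203.0.113.1, length 46
10:15:31.200000 02:00:00:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 203.0.113.10 is-at 02:00:00:00:00:02, length 46
10:15:32.000000 02:00:00:00:00:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.11 tell 203.0.113.254, length 46
"""
WATCHED = ["203.0.113.1", "203.0.113.10", "203.0.113.11"]

def announced_bindings(capture_text):
    """Yield (timestamp, ip, mac) for each ARP frame that announces an IP-to-MAC binding."""
    for line in capture_text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        if m["rep_ip"]:                    # ARP reply, including a GARP sent as a reply
            yield m["ts"], m["rep_ip"], m["is_at"]
        elif m["req_ip"] == m["tell"]:     # GARP sent as a request: who-has X tell X
            yield m["ts"], m["req_ip"], m["src"]
        # An ordinary who-has from another host announces nothing and is skipped.

def stale_after_failover(capture_text, failover_ts, new_active_mac, watched_ips):
    """Return watched IPs the new active member never announced at or after failover_ts.

    Timestamps are compared as strings, which is valid for tcpdump's fixed-width
    HH:MM:SS.ffffff format within a single day.
    """
    announced = {
        ip for ts, ip, mac in announced_bindings(capture_text)
        if ts >= failover_ts and mac == new_active_mac
    }
    return sorted(set(watched_ips) - announced)

if __name__ == "__main__":
    missing = stale_after_failover(
        SAMPLE_CAPTURE, "10:15:30.000000", "02:00:00:00:00:02", WATCHED)
    print("never announced by new active member:", missing)
```

An address in the result was never announced on the wire by the new active member; an address that was announced but still maps to the old MAC on the router points at the router-side ARP handling discussed in the reply.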
ykpark
Contributor

Thank you for your update.

Peer switches are all configured with portfast.

If there is a failover from fw1 to fw2, there is no problem with the end-user Internet service; only the IPs registered with proxy ARP have a problem with the service.

For example, a DNS server is also registered in proxy ARP. There is a problem when querying the internal DNS server from outside.

If the fw1 equipment is restored again, the problem will be solved.

Is there any expected problem or cause?

0 Kudos
Timothy_Hall
Champion

Is there any expected problem or cause?

Please read my prior reply again.  I already answered your question.

0 Kudos
ykpark
Contributor

Thank you for your answer. Thank you

 

0 Kudos
