Problem with proxy ARP service.
Dear all,
I have a question.
Firewall deployment mode is HA (active/standby). (version is R80.40)
When fail-over occurs, there are problems with some services.
When I checked, it was confirmed that there is a problem only in the services registered in Proxy ARP.
Registered with reference to sk30197.
I'm looking for experience in solving cases similar to mine.
Thanks
Does the issue resolve after installing policy? What JHF is installed?
Where possible, routing addresses/subnets towards the cluster is a common alternative to the use of proxy ARP.
Jumbo hotfix version is 118.
Is it correct that the proxy ARP information registered in fw1 is updated with the proxy ARP information registered in fw2 if it fails over?
Recommend upgrading from Take 118 to a newer/recent one, as there are known issues around that take level and it is over a year old.
Yes, per Tim's earlier reply, GARP (gratuitous ARP) messages are sent to update the routers, so long as they don't block/filter those.
Possibly your adjacent routers don't like the gratuitous ARPs issued by the new active member upon failover. In that case you either need to turn that protection off (ARP state tracking) on them, or set VMAC mode on the cluster object. However, if you do that, make sure all switchports the cluster members are plugged into are configured for portfast to set the STP Listen/Learn timer to zero.
Thank you for your update.
Peer switches are all configured with portfast.
If there is a failover from fw1 to fw2, there is no problem with the end-user Internet service, but only the IPs registered with Proxy ARP have a problem with the service.
For example, Proxy ARP also has a DNS server registered. There is a problem when querying with an internal DNS server from outside.
If the fw1 equipment is restored again, the problem will be solved.
Is there any expected problem or cause?
> Is there any expected problem or cause?
Please read my prior reply again. I already answered your question.
Thank you for your answer. Thank you
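
The replies above point at the gratuitous ARPs sent on failover and whether the adjacent routers receive and accept them. As an added example (not from the thread or from Check Point), this Python script checks a text capture for a gratuitous ARP per proxy-ARP address and reports which addresses were never announced or were announced with an unexpected MAC. The capture lines, addresses and function names are constructed, and the line format assumed is that of `tcpdump -e -n arp`.

```python
import re

# Constructed sample in the style of `tcpdump -e -n arp`, as if captured on the
# upstream segment during a failover. All addresses are made-up documentation values.
CAPTURE = """\
10:00:01.000100 00:1c:7f:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.1 tell 203.0.113.1, length 46
10:00:01.000200 00:1c:7f:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 203.0.113.10 is-at 00:1c:7f:00:00:02, length 46
10:00:01.000300 00:1c:7f:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 203.0.113.53 is-at 00:1c:7f:00:00:01, length 46
10:00:02.000000 00:aa:bb:cc:dd:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.10 tell 203.0.113.254, length 46
"""
PROXY_ARP_IPS = ["203.0.113.10", "203.0.113.53", "203.0.113.25"]  # constructed
EXPECTED_MAC = "00:1c:7f:00:00:02"  # assumed: new active member's MAC (or the VMAC)
BROADCAST = "ff:ff:ff:ff:ff:ff"

LINE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype ARP .*?: "
    r"(?:Request who-has (?P<tgt>[\d.]+)(?: \([0-9a-f:]+\))? tell (?P<snd>[\d.]+)"
    r"|Reply (?P<rip>[\d.]+) is-at (?P<rmac>[0-9a-f:]{17}))", re.I)

def last_announced(capture):
    """Map each IP to the MAC carried by the last gratuitous ARP seen for it."""
    seen = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["tgt"] and m["tgt"] == m["snd"]:
            # Gratuitous request (sender IP == target IP); frame source MAC is used.
            seen[m["tgt"]] = m["src"].lower()
        elif m["rip"] and m["dst"].lower() == BROADCAST:
            # Gratuitous reply: unsolicited and sent to broadcast.
            seen[m["rip"]] = m["rmac"].lower()
    return seen

def audit_garp(capture, proxy_arp_ips, expected_mac):
    """Return {ip: 'ok' | 'missing' | 'wrong-mac:<mac>'} for each proxy-ARP IP."""
    seen = last_announced(capture)
    report = {}
    for ip in proxy_arp_ips:
        mac = seen.get(ip)
        if mac is None:
            report[ip] = "missing"
        else:
            report[ip] = "ok" if mac == expected_mac.lower() else f"wrong-mac:{mac}"
    return report

if __name__ == "__main__":
    print(audit_garp(CAPTURE, PROXY_ARP_IPS, EXPECTED_MAC))
```

An address reported as missing or wrong-mac is one the adjacent router cannot have relearned from this capture, which separates a gateway-side announcement gap from router-side filtering of announcements that were sent.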