We are using Barracuda firewalls in a cluster configurations. Whenever a failover of the cluster occurs, the ARP entry (incidentally also the default gateway for the switch) on the switch never expires, the switch retains the MAC address of the old unit while the rest of the network picks up on the new MAC of the failover unit. Any ideas why the switch would treat the gateway MAC differently, basically ignoring the ARP timeout (despite having set the ARP timeout to the minimum - 15 seconds)?

Hi fredericallaert Welcome to Community! Could you please run command 'show arp' and collect the output information? In my side, it's work fine when I change ARP Age Time to 60s. You can see after about 60s, the ARP entry(111.1.1.2) is removed success. Below is my device output info: (M4300-48XF) #show arp Age Time (seconds)............................. 60 Response Time (seconds)........................ 1 Retries........................................ 4 Cache Size..................................... 760 Dynamic Renew Mode ............................ Disable Total Entry Count Current / Peak .............. 2 / 2 Static Entry Count Configured / Active / Max .. 0 / 0 / 128 IP Address MAC Address Interface Type Age --------------- ----------------- -------------- -------- ----------- 111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a 111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 0m 17s (M4300-48XF) # (M4300-48XF) #show arp Age Time (seconds)............................. 60 Response Time (seconds)........................ 1 Retries........................................ 4 Cache Size..................................... 760 Dynamic Renew Mode ............................ Disable Total Entry Count Current / Peak .............. 2 / 2 Static Entry Count Configured / Active / Max .. 0 / 0 / 128 IP Address MAC Address Interface Type Age --------------- ----------------- -------------- -------- ----------- 111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a 111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 0m 57s (M4300-48XF) #show arp Age Time (seconds)............................. 60 Response Time (seconds)........................ 1 Retries........................................ 4 Cache Size..................................... 760 Dynamic Renew Mode ............................ Disable Total Entry Count Current / Peak .............. 1 / 2 Static Entry Count Configured / Active / Max .. 0 / 0 / 128 IP Address MAC Address Interface Type Age --------------- ----------------- -------------- -------- ----------- 111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a (M4300-48XF) # Hope it helps! Regards, Eric

Hi Eric, Please find the output below. Nothing peculiar to see in the output, but what you can see is that the "Type" field of the IP-address 152.1 comes back as "gateway" in your output it's not BTW) because it's the default gateway address for the switch.When the firewall cluster fails over to the secondary unit this MAC address will not expire and keeps trying to reach out to this IP-address on the wrong MAC. Other devices in the network pick up the new MAC address after the 15s expiration, the switch doesn't IP Address MAC Address Interface Type Age--------------- ----------------- -------------- -------- -----------192.168.152.1 00:10:F3:86:C4:7C vlan 1 Gateway 0h 0m 3s192.168.152.2 00:10:F3:86:C4:7C vlan 1 Dynamic 0h 0m 0s192.168.152.3 00:10:F3:8B:A4:5F vlan 1 Dynamic 0h 0m 0s

fredericallaert In your output, I see 152.1 and 152.2 use same MAC address, is it correct? What's the IP of the firewall? What's the IP of the Switch? Could you please run command 'show mac-addr-table' and collect the output info?

This is how the high-availability (active/passive) works on Barracuda firewalls. It responds with the MAC address of the active unit, so seeing the same MAC address twice is expected. In case of a failover the units send out a gratitious ARP to inform other components that the MAC will change.152.2 = Firewall box 1 152.3 = Firewall box 2152.1 = Virtual IP for the cluster (in my output sample box 1 was active) As mentioned the switches never expire this ARP entry after a failover for some reason.Everything else on the network does. I have to clear the dynamic ARP and then it's OK

fredericallaert Yes, just as you said: In case of a failover the units will send out a gratitious ARP to inform other components that the MAC will change. And swtich will change ARP table with the new MAC address. But in your network, looks like switch not refresh the ARP table with new MAC. So could you pelase capture packet on switch(port mirror the port that connected to Firewall) and to check if switch received the gratitious ARP from the firewall? Below is my test bed, you can see switch ARP table refresh to new MAC once receive the gratitious ARP. (M4300-48XF) #show arp Age Time (seconds)............................. 1200 Response Time (seconds)........................ 1 Retries........................................ 4 Cache Size..................................... 760 Dynamic Renew Mode ............................ Disable Total Entry Count Current / Peak .............. 2 / 2 Static Entry Count Configured / Active / Max .. 0 / 0 / 128 IP Address MAC Address Interface Type Age --------------- ----------------- -------------- -------- ----------- 111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a 111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 4m 20s (M4300-48XF) #show arp Age Time (seconds)............................. 1200 Response Time (seconds)........................ 1 Retries........................................ 4 Cache Size..................................... 760 Dynamic Renew Mode ............................ Disable Total Entry Count Current / Peak .............. 2 / 2 Static Entry Count Configured / Active / Max .. 0 / 0 / 128 IP Address MAC Address Interface Type Age --------------- ----------------- -------------- -------- ----------- 111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a 111.1.1.2 00:00:00:00:00:11 vlan 1 Dynamic 0h 0m 1s (M4300-48XF) #

ARP entry for gateway does not expire

7 Replies

Retired_Member
Jun 09, 2020
Hi fredericallaert

Welcome to Community!

Could you please run command 'show arp' and collect the output information?

In my side, it's work fine when I change ARP Age Time to 60s. You can see after about 60s, the ARP entry(111.1.1.2) is removed success.

Below is my device output info:

(M4300-48XF) #show arp

Age Time (seconds)............................. 60
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a
111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 0m 17s

(M4300-48XF) #

(M4300-48XF) #show arp

Age Time (seconds)............................. 60
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a
111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 0m 57s

(M4300-48XF) #show arp

Age Time (seconds)............................. 60
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 1 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a

(M4300-48XF) #

Hope it helps!

Regards,

Eric
- fredericallaert
  Aspirant
  Jun 09, 2020
  Hi Eric,
  
  Please find the output below. Nothing peculiar to see in the output, but what you can see is that the "Type" field of the IP-address 152.1 comes back as "gateway" in your output it's not BTW) because it's the default gateway address for the switch.
  When the firewall cluster fails over to the secondary unit this MAC address will not expire and keeps trying to reach out to this IP-address on the wrong MAC. Other devices in the network pick up the new MAC address after the 15s expiration, the switch doesn't
  
  IP Address MAC Address Interface Type Age
  --------------- ----------------- -------------- -------- -----------
  192.168.152.1 00:10:F3:86:C4:7C vlan 1 Gateway 0h 0m 3s
  192.168.152.2 00:10:F3:86:C4:7C vlan 1 Dynamic 0h 0m 0s
  192.168.152.3 00:10:F3:8B:A4:5F vlan 1 Dynamic 0h 0m 0s
  - Retired_Member
    Jun 10, 2020
    fredericallaert
    
    In your output, I see 152.1 and 152.2 use same MAC address, is it correct?
    
    What's the IP of the firewall?
    
    What's the IP of the Switch?
    
    Could you please run command 'show mac-addr-table' and collect the output info?

Forum Discussion

ARP entry for gateway does not expire

7 Replies

Related Content

New Gateway and Access Point

T-Mobile TMHI gateway + R6700 router

VLAN Routing + Gateway

XR500 Disconnects on lease expiration from xfinity gateway in bridge mode

R7800 DNS entry

NETGEAR Academy

ProSupport for Business