Forum Discussion
fredericallaert
Jun 08, 2020, Aspirant
ARP entry for gateway does not expire
We are using Barracuda firewalls in a cluster configuration. Whenever a failover of the cluster occurs, the ARP entry (incidentally also the default gateway for the switch) on the switch never exp...
fredericallaert
Jun 09, 2020, Aspirant
Hi Eric,
Please find the output below. Nothing peculiar to see in the output, but what you can see is that the "Type" field of the IP address 152.1 comes back as "Gateway" (in your output it's not, BTW) because it's the default gateway address for the switch.
When the firewall cluster fails over to the secondary unit, this MAC address will not expire and the switch keeps trying to reach this IP address on the wrong MAC. Other devices in the network pick up the new MAC address after the 15s expiration; the switch doesn't.
IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
192.168.152.1 00:10:F3:86:C4:7C vlan 1 Gateway 0h 0m 3s
192.168.152.2 00:10:F3:86:C4:7C vlan 1 Dynamic 0h 0m 0s
192.168.152.3 00:10:F3:8B:A4:5F vlan 1 Dynamic 0h 0m 0s
Retired_Member
Jun 10, 2020
In your output, I see 152.1 and 152.2 use same MAC address, is it correct?
What's the IP of the firewall?
What's the IP of the Switch?
Could you please run command 'show mac-addr-table' and collect the output info?
- fredericallaert, Jun 10, 2020, Aspirant
This is how high availability (active/passive) works on Barracuda firewalls. It responds with the MAC address of the active unit, so seeing the same MAC address twice is expected. In case of a failover the units send out a gratuitous ARP to inform other components that the MAC will change.
152.2 = Firewall box 1
152.3 = Firewall box 2
152.1 = Virtual IP for the cluster (in my output sample box 1 was active)
As mentioned, the switches never expire this ARP entry after a failover for some reason. Everything else on the network does. I have to clear the dynamic ARP and then it's OK.
- Retired_Member, Jun 10, 2020
Yes, just as you said: in case of a failover the units will send out a gratuitous ARP to inform other components that the MAC will change, and the switch will update its ARP table with the new MAC address.
But in your network, it looks like the switch does not refresh the ARP table with the new MAC. So could you please capture packets on the switch (port-mirror the port connected to the firewall) and check whether the switch received the gratuitous ARP from the firewall?
Below is my test bed, you can see switch ARP table refresh to new MAC once receive the gratitious ARP.
(M4300-48XF) #show arp
Age Time (seconds)............................. 1200
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128
IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a
111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 4m 20s
(M4300-48XF) #show arp
Age Time (seconds)............................. 1200
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128
IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a
111.1.1.2 00:00:00:00:00:11 vlan 1 Dynamic 0h 0m 1s
(M4300-48XF) #
- fredericallaert, Jun 10, 2020, Aspirant
We noticed the issue during an unscheduled failover of the firewall, and it's in a live production environment, so I can't simulate the issue for a packet capture so easily, I'm afraid. One thing I still notice that is a difference from your lab: did you test this with an ARP entry that is specifically marked as the "Gateway" address? My gut feeling says that it might be linked to this somehow :)
Also, the rest of the network picks up on this as expected so I would assume that the GARP is being sent out?
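The failover mechanism described in this thread (the active unit answers for the virtual IP with its own MAC, and a gratuitous ARP announces the new MAC after a failover) and the check Retired_Member asks for (did a gratuitous ARP actually reach the switch port?) can both be exercised offline. The script below is an added example, not code from the thread, NETGEAR or Barracuda: it builds the failover announcement as a broadcast ARP request with sender IP equal to target IP, picks such frames out of a list of raw Ethernet frames the way one would out of a capture, and replays them into a small model of a dynamic ARP cache. The addresses and MACs are the ones quoted in the thread; the frames themselves are constructed here, not captured, and the cache model is an assumption about how a switch that honours GARP behaves, not a description of the M4300's implementation.

```python
"""Gratuitous ARP builder, detector and a minimal ARP-cache model (added example)."""
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 header for Ethernet/IPv4: 28 bytes


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # A GARP says "this IP is at this MAC": sender and target IP are equal.
        return self.sender_ip == self.target_ip


def build_frame(op, sender_mac, sender_ip, target_mac, target_ip,
                dst_mac="ff:ff:ff:ff:ff:ff") -> bytes:
    """Ethernet II frame carrying one ARP packet (42 bytes, no padding)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def build_garp(mac: str, ip: str) -> bytes:
    """Failover announcement: broadcast ARP request with sender IP == target IP."""
    return build_frame(ARP_REQUEST, mac, ip, "00:00:00:00:00:00", ip)


def parse_frame(frame: bytes) -> Optional[Arp]:
    """Return the ARP packet inside an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(op, mac_str(smac), str(ipaddress.IPv4Address(sip)),
               mac_str(tmac), str(ipaddress.IPv4Address(tip)))


def garp_announcements(frames):
    """(ip, mac) pairs announced by gratuitous ARPs in a list of raw frames."""
    found = []
    for f in frames:
        a = parse_frame(f)
        if a is not None and a.gratuitous:
            found.append((a.sender_ip, a.sender_mac))
    return found


class ArpCache:
    """Assumed behaviour of a dynamic ARP cache that honours GARP (not vendor code)."""

    def __init__(self, age_time: int = 1200):
        self.age_time = age_time
        self.entries = {}  # ip -> [mac, learned_at]

    def learn(self, arp: Arp, now: int) -> bool:
        """Refresh the sender's entry on any ARP seen; True if the MAC changed."""
        prev = self.entries.get(arp.sender_ip)
        self.entries[arp.sender_ip] = [arp.sender_mac, now]
        return prev is None or prev[0] != arp.sender_mac

    def lookup(self, ip: str, now: int) -> Optional[str]:
        e = self.entries.get(ip)
        if e is None or now - e[1] > self.age_time:
            return None  # never learned or aged out
        return e[0]


def simulate_failover():
    """Box 1 owns the VIP, then box 2 takes over and announces it with a GARP."""
    vip, box1_mac, box2_mac = "192.168.152.1", "00:10:F3:86:C4:7C", "00:10:F3:8B:A4:5F"
    cache = ArpCache()
    cache.learn(parse_frame(build_garp(box1_mac, vip)), now=0)
    before = cache.lookup(vip, now=10)
    # Constructed "capture" on the firewall-facing port: one ordinary request
    # from box 2's own address (not a GARP) and the failover announcement.
    wire = [build_frame(ARP_REQUEST, box2_mac, "192.168.152.3",
                        "00:00:00:00:00:00", "192.168.152.10"),
            build_garp(box2_mac, vip)]
    seen = garp_announcements(wire)
    for f in wire:
        cache.learn(parse_frame(f), now=10)
    return before, seen, cache.lookup(vip, now=11)
```

`simulate_failover()` returns the VIP's MAC before the failover, the GARP announcements found on the wire, and the MAC after replaying the frames into the cache; if a real capture on the mirrored port contains a frame that `garp_announcements` picks up but the switch still resolves the VIP to the old MAC, the problem is on the switch side rather than a missing announcement. For the capture itself, a filter that keeps only frames whose ARP sender and target protocol addresses are equal, such as `tcpdump -ni <iface> 'arp and arp[14:4] = arp[24:4]'`, isolates the gratuitous ARPs from ordinary requests.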