
ARP entry for gateway does not expire

fredericallaert
Aspirant

ARP entry for gateway does not expire

We are using Barracuda firewalls in a cluster configuration. Whenever a failover of the cluster occurs, the ARP entry (incidentally also the default gateway for the switch) on the switch never expires: the switch retains the MAC address of the old unit, while the rest of the network picks up the new MAC of the failover unit. Any ideas why the switch would treat the gateway MAC differently, basically ignoring the ARP timeout (despite having set the ARP timeout to the minimum, 15 seconds)?

Model: GSM4352PA|M4300-52G-PoE+ - 48x1G PoE+ Stackable Managed Switch with 2x10GBASE-T and 2xSFP+ (550W PSU)
Message 1 of 8
Retired_Member
Not applicable

Re: ARP entry for gateway does not expire

Hi @fredericallaert 

 

Welcome to Community!

 

Could you please run command 'show arp' and collect the output information?

On my side, it works fine when I change the ARP Age Time to 60s. You can see that after about 60s, the ARP entry (111.1.1.2) is removed successfully.

 

Below is my device output info:

 

(M4300-48XF) #show arp

Age Time (seconds)............................. 60
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a
111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 0m 17s

(M4300-48XF) #

(M4300-48XF) #show arp

Age Time (seconds)............................. 60
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a
111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 0m 57s

(M4300-48XF) #show arp

Age Time (seconds)............................. 60
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 1 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a

(M4300-48XF) #

 

Hope it helps!

 

Regards,

Eric

Message 2 of 8
fredericallaert
Aspirant

Re: ARP entry for gateway does not expire

Hi Eric,

 

Please find the output below. Nothing peculiar to see in the output, but what you can see is that the "Type" field of the IP address 152.1 comes back as "Gateway" (in your output it's not, BTW) because it's the default gateway address for the switch.

When the firewall cluster fails over to the secondary unit, this MAC address will not expire, and the switch keeps trying to reach this IP address on the wrong MAC. Other devices in the network pick up the new MAC address after the 15s expiration; the switch doesn't.

 

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
192.168.152.1 00:10:F3:86:C4:7C vlan 1 Gateway 0h 0m 3s
192.168.152.2 00:10:F3:86:C4:7C vlan 1 Dynamic 0h 0m 0s
192.168.152.3 00:10:F3:8B:A4:5F vlan 1 Dynamic 0h 0m 0s

Message 3 of 8
Retired_Member
Not applicable

Re: ARP entry for gateway does not expire

@fredericallaert 

 

In your output, I see 152.1 and 152.2 use the same MAC address, is that correct?

What's the IP of the firewall?

What's the IP of the switch?

Could you please run the command 'show mac-addr-table' and collect the output info?

Message 4 of 8
fredericallaert
Aspirant

Re: ARP entry for gateway does not expire

This is how high availability (active/passive) works on Barracuda firewalls. It responds with the MAC address of the active unit, so seeing the same MAC address twice is expected. In case of a failover the units send out a gratuitous ARP to inform other components that the MAC will change.

152.2 = Firewall box 1 

152.3 = Firewall box 2

152.1 = Virtual IP for the cluster (in my output sample box 1 was active)

 

As mentioned, the switches never expire this ARP entry after a failover for some reason. Everything else on the network does. I have to clear the dynamic ARP and then it's OK.

 

Message 5 of 8
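The two messages above give everything needed to check a switch's ARP table for exactly this failure: the `show arp` layout from message 3, and the cluster layout from message 5 (152.1 is the VIP, 152.2 and 152.3 are the member boxes, and the VIP must always resolve to the MAC of the active member). The following is an added example, not code from the thread or from NETGEAR: it parses the `show arp` text, then flags a VIP entry whose MAC does not match the member that is supposed to be active, and any Dynamic/Gateway entry that has outlived the configured Age Time. The sample output is constructed to mirror the table posted in message 3; the "stale" variant shows what the table looks like after a failover the switch failed to notice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the "show arp" output posted in this thread
# (VIP 192.168.152.1, cluster members .2 and .3). Not a real capture.
SHOW_ARP_BEFORE = """\
(M4300-52G-PoE+) #show arp

Age Time (seconds)............................. 15
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 3 / 3
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
192.168.152.1 00:10:F3:86:C4:7C vlan 1 Gateway 0h 0m 3s
192.168.152.2 00:10:F3:86:C4:7C vlan 1 Dynamic 0h 0m 0s
192.168.152.3 00:10:F3:8B:A4:5F vlan 1 Dynamic 0h 0m 0s
"""

# Constructed view of a stale table after box 2 (.3) took over: the VIP still
# points at box 1's MAC and the entry is far older than the 15 s Age Time.
SHOW_ARP_STALE = SHOW_ARP_BEFORE.replace(
    "192.168.152.1 00:10:F3:86:C4:7C vlan 1 Gateway 0h 0m 3s",
    "192.168.152.1 00:10:F3:86:C4:7C vlan 1 Gateway 0h 1m 40s",
)


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    kind: str                   # Local / Dynamic / Gateway / Static
    age_seconds: Optional[int]  # None when the switch prints "n/a"


ENTRY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"             # IP address
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"  # MAC address
    r"(.+?)\s+"                                   # interface, may contain a space ("vlan 1")
    r"(Local|Dynamic|Gateway|Static)\s+"          # entry type column
    r"(.+?)\s*$"                                  # age ("0h 0m 3s" or "n/a")
)
AGE_RE = re.compile(r"(\d+)h\s+(\d+)m\s+(\d+)s")


def parse_age(text: str) -> Optional[int]:
    """Convert '0h 4m 20s' to seconds; anything else (e.g. 'n/a') becomes None."""
    m = AGE_RE.fullmatch(text.strip())
    if m is None:
        return None
    h, mi, s = (int(g) for g in m.groups())
    return h * 3600 + mi * 60 + s


def parse_show_arp(text: str) -> Tuple[Dict[str, str], List[ArpEntry]]:
    """Split 'show arp' output into the header settings and the entry rows."""
    settings: Dict[str, str] = {}
    entries: List[ArpEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, iface, kind, age = m.groups()
            entries.append(ArpEntry(ip, mac.upper(), iface, kind, parse_age(age)))
        elif line.startswith("Age Time (seconds)"):
            settings["age_time"] = line.rsplit(maxsplit=1)[1]
        elif line.startswith("Dynamic Renew Mode"):
            settings["dynamic_renew"] = line.rsplit(maxsplit=1)[1]
    return settings, entries


def check_cluster_arp(text: str, vip: str, active_member: str) -> List[str]:
    """Return findings: a VIP whose MAC differs from the active member's MAC,
    and any Dynamic/Gateway entry whose age exceeds the configured Age Time."""
    settings, entries = parse_show_arp(text)
    by_ip = {e.ip: e for e in entries}
    vip_entry, active_entry = by_ip.get(vip), by_ip.get(active_member)
    if vip_entry is None or active_entry is None:
        return [f"no ARP entry for VIP {vip} or active member {active_member}"]
    findings: List[str] = []
    if vip_entry.mac != active_entry.mac:
        findings.append(f"stale: VIP {vip} -> {vip_entry.mac} but active member "
                        f"{active_member} -> {active_entry.mac}")
    age_time = int(settings.get("age_time", "0"))
    for e in entries:
        if (e.kind in ("Dynamic", "Gateway") and e.age_seconds is not None
                and age_time and e.age_seconds > age_time):
            findings.append(f"not aged out: {e.ip} ({e.kind}) age {e.age_seconds}s "
                            f"> Age Time {age_time}s")
    return findings


if __name__ == "__main__":
    # Box 1 (.2) active: table is consistent. Box 2 (.3) active: table is stale.
    print(check_cluster_arp(SHOW_ARP_BEFORE, "192.168.152.1", "192.168.152.2"))
    print(check_cluster_arp(SHOW_ARP_STALE, "192.168.152.1", "192.168.152.3"))
```

Run it against the real `show arp` output captured right after a failover (paste it in place of the constructed sample, and name whichever box is active at that moment). An empty list means the switch followed the failover; a "stale" finding is the condition described in this thread, and a "not aged out" finding on the same entry confirms that the Age Time was not honoured for it either.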
Retired_Member
Not applicable

Re: ARP entry for gateway does not expire

@fredericallaert 

 

Yes, just as you said: in case of a failover the units will send out a gratuitous ARP to inform other components that the MAC will change, and the switch will update its ARP table with the new MAC address.

But in your network, it looks like the switch does not refresh the ARP table with the new MAC. So could you please capture packets on the switch (port-mirror the port that connects to the firewall) and check whether the switch received the gratuitous ARP from the firewall?

 

Below is my test bed; you can see the switch ARP table refreshes to the new MAC once it receives the gratuitous ARP.

(M4300-48XF) #show arp

Age Time (seconds)............................. 1200
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a
111.1.1.2 00:00:4A:52:02:2A vlan 1 Dynamic 0h 4m 20s

(M4300-48XF) #show arp

Age Time (seconds)............................. 1200
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Disable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 8C:3B:AD:6A:9D:0B vlan 1 Local n/a
111.1.1.2 00:00:00:00:00:11 vlan 1 Dynamic 0h 0m 1s

(M4300-48XF) #

Message 6 of 8
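The suggestion above is to mirror the firewall-facing port and check whether the switch actually sees the gratuitous ARP. The following added example (not code from the thread, NETGEAR or Barracuda) is the decoding step of that check: it takes raw Ethernet frames, decodes the ones that are IPv4-over-Ethernet ARP, recognises the gratuitous form (sender IP equal to target IP, in either request or reply form), and lists which MACs announced ownership of the VIP. The frames are constructed in memory for the demonstration using the VIP and MAC values posted in this thread; nothing is transmitted.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
        # Both the request form (opcode 1) and the reply form (opcode 2) are in use.
        return self.sender_ip == self.target_ip and self.opcode in (ARP_REQUEST, ARP_REPLY)


def decode_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode a raw Ethernet II frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + ARP_BODY.size:
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(mac_str(eth_dst), mac_str(eth_src), op,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def failover_announcements(frames: List[bytes], vip: str) -> List[str]:
    """MACs that announced ownership of `vip` via gratuitous ARP, in capture order."""
    seen: List[str] = []
    for f in frames:
        a = decode_arp(f)
        if a and a.is_gratuitous() and a.sender_ip == vip and a.sender_mac not in seen:
            seen.append(a.sender_mac)
    return seen


# --- constructed sample frames for the demo (assembled in memory, never sent) ---
def make_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + ARP_BODY.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                            mac_bytes(tha), ip_bytes(tpa)))


VIP = "192.168.152.1"
OLD_MAC = "00:10:F3:86:C4:7C"   # box 1 (.2), active before the failover
NEW_MAC = "00:10:F3:8B:A4:5F"   # box 2 (.3), active after the failover
BCAST = "FF:FF:FF:FF:FF:FF"
SAMPLE_FRAMES = [
    # ordinary request from box 1 for box 2's address: not gratuitous
    make_arp(BCAST, OLD_MAC, ARP_REQUEST, OLD_MAC, "192.168.152.2",
             "00:00:00:00:00:00", "192.168.152.3"),
    # box 2 announcing the VIP after failover (gratuitous ARP, reply form)
    make_arp(BCAST, NEW_MAC, ARP_REPLY, NEW_MAC, VIP, NEW_MAC, VIP),
    # an IPv4 frame (ethertype 0x0800) of the same length is ignored
    mac_bytes(BCAST) + mac_bytes(NEW_MAC) + b"\x08\x00" + b"\x00" * 28,
]

if __name__ == "__main__":
    print(failover_announcements(SAMPLE_FRAMES, VIP))   # expect the new unit's MAC
```

For the real check, feed the raw Ethernet frames from the mirror-port capture taken around the failover into `failover_announcements` with the cluster VIP. If the new unit's MAC is absent, the announcement never reached the switch port and the firewall side (or the path between them) is where to look; if it is present, the switch received it and the question moves to why the Gateway entry was not updated.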
fredericallaert
Aspirant

Re: ARP entry for gateway does not expire

We noticed the issue during an unscheduled failover of the firewall, and it's in a live production environment, so I can't simulate the issue for a packet capture so easily, I'm afraid. One thing I still notice that is different from your lab: did you test this with an ARP entry that is specifically marked as a "Gateway" address? My gut feeling says that it might be linked to this somehow 🙂

Also, the rest of the network picks up on this as expected so I would assume that the GARP is being sent out?

 

Message 7 of 8
Retired_Member
Not applicable

Re: ARP entry for gateway does not expire

@fredericallaert 

 

The 'Gateway' remark doesn't matter; it was just that I hadn't set 'IP default-gateway' on my switch.

Now I have configured this and it also works fine.

So I'm afraid the question is: did your switch really receive the gratuitous ARP?

 

(M4300-28G-PoE+) #show arp

Age Time (seconds)............................. 1200
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Enable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 DC:EF:09:D3:2B:AB vlan 1 Local n/a
111.1.1.2 00:00:4A:52:02:2A vlan 1 Gateway 0h 0m 46s

(M4300-28G-PoE+) #show arp

Age Time (seconds)............................. 1200
Response Time (seconds)........................ 1
Retries........................................ 4
Cache Size..................................... 760
Dynamic Renew Mode ............................ Enable
Total Entry Count Current / Peak .............. 2 / 2
Static Entry Count Configured / Active / Max .. 0 / 0 / 128

IP Address MAC Address Interface Type Age
--------------- ----------------- -------------- -------- -----------
111.1.1.1 DC:EF:09:D3:2B:AB vlan 1 Local n/a
111.1.1.2 00:00:00:00:00:11 vlan 1 Gateway 0h 0m 1s

(M4300-28G-PoE+) #

Also, the ARP Age Time work fine as below:

1. Set ARP Age Time to 120s;

2. The switch learns the Gateway ARP entry successfully;

3. Then set the Gateway to not reply to ARP packets; after about 120s, the Gateway ARP entry is removed successfully;

[attached screenshot: ARP table.png]

 

For further analysis, could you please provide the tech-support file of the switch:

How do I send tech-support files from my Managed Switch to NETGEAR community moderators?

https://kb.netgear.com/31439/How-do-I-send-diagnostic-files-from-my-Managed-Switch-to-NETGEAR-commun...

Message 8 of 8