Hello, I have clusters running with multiple ISPs, and after a failover in our cluster we don't have any packet loss. Gratuitous ARP works fine!
It sounds to me that the issue is in your ISP router. Here are some recommendations:

1) You didn't mention it, but if your ISP is using a Cisco router, check whether they have "no ip gratuitous-arps"; for security reasons, sometimes they disable gratuitous ARP.

   no ip gratuitous-arps
   To disable the transmission of gratuitous Address Resolution Protocol (ARP) messages for an address in a local pool, use the no ip gratuitous-arps command.
   http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_l1g.html

2) If you have multiple ISPs (more than one router for the internet connection), you can ask them to use HSRP (Hot Standby Router Protocol); it uses gratuitous ARPs.

I hope this can give you a clue...

-----Original message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On behalf of Sergio Alvarez
Sent: Wednesday, August 11, 2010 10:04 AM
To: [email protected]
Subject: Re: [FW-1] static arp entry at 2 diffent SPLAT boxes

Hello,

As far as I understand, what you have is an active/standby cluster; please let us know if it is something else you are talking about.

The way such a scenario is supposed to work is: when a failover occurs, the newly active cluster member should send a gratuitous ARP update to all perimeter devices, letting them know they should change their ARP tables and associate the corresponding IPs with the new MAC addresses.

I have multiple customers with similar scenarios and a failover never disrupts communications; at least anything session-related remains up and running while the first member goes down and the secondary takes charge of the traffic. Only with a continuous ping going through the cluster will you see 2 or 4 packets lost, but it does not generate any downtime at all.
That said, I believe there is something not working properly in your environment. I have never faced anything like what you described, but I hope this info helps you understand that what you see is not expected behavior, and change the way you are approaching the issue to find a solution... I'm thinking maybe something on the Internet gateway is not able to handle the ARP updates.

Regards

On Wed, Aug 11, 2010 at 1:32 AM, a bv <[email protected]> wrote:
> Hi,
>
> Having 2 FW-1 SPLAT R70 boxes, sometimes switching from one to the other
> makes extra offline time because of the ARP. Because the internet
> gateway device (router, modem etc.) has the first FW's ARP entry, not
> the other one's, and also the newly online box doesn't know its
> gateway device's MAC address. So during the firewall switches, what
> ARP/MAC-related things can or must be done to minimize the wait time and
> problems?
>
> Regards
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
--
Sergio Alvarez CISSP | CCSE+
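The failover mechanism described in the thread, as an added example that is not part of the original messages: the frame the newly active cluster member broadcasts (sender and target IP both equal to the virtual IP), the parse a perimeter router performs on it, and a small ARP-cache model showing the two outcomes the thread contrasts, a gateway that honours the announcement and moves the VIP to the new MAC versus one that ignores unsolicited ARP and keeps the stale entry. The VIP, MACs, and the `accept_gratuitous` switch are constructed for illustration; the switch models "a gateway that ignores gratuitous ARP" in general, not any vendor's specific command.

```python
"""Gratuitous ARP on cluster failover: build the frame the new active member
sends, parse it as the perimeter router would, and show how an ARP cache that
honours vs. ignores unsolicited updates ends up after the failover.
Added example; not code from the FW-1 list thread. All MACs/IPs are made up."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_gratuitous_arp(sender_mac: str, sender_ip: str, opcode: int = ARP_REQUEST) -> bytes:
    """Ethernet + ARP frame whose sender and target protocol address are the same
    IP, broadcast to every station on the segment. The request form carries a zero
    target MAC; the reply form carries the sender's own MAC as the target."""
    ip = ipaddress.IPv4Address(sender_ip).packed
    sha = _mac_to_bytes(sender_mac)
    tha = b"\x00" * 6 if opcode == ARP_REQUEST else sha
    eth = _mac_to_bytes(BROADCAST_MAC) + sha + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4, hlen=6, plen=4, then sha/spa/tha/tpa
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha + ip + tha + ip
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "dst": _bytes_to_mac(frame[0:6]),
        "op": op,
        "sha": _bytes_to_mac(frame[22:28]),
        "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": _bytes_to_mac(frame[32:38]),
        "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP: the sender announces its own address (spa == tpa) to everyone."""
    return arp["spa"] == arp["tpa"] and arp["dst"] == BROADCAST_MAC


class ArpCache:
    """Minimal model of a router's ARP table. accept_gratuitous=False models a
    gateway that ignores unsolicited announcements (the behaviour the thread
    suspects); it is an assumption for illustration, not any vendor's command."""

    def __init__(self, accept_gratuitous: bool = True):
        self.accept_gratuitous = accept_gratuitous
        self.table: dict[str, str] = {}

    def process(self, frame: bytes) -> str:
        arp = parse_arp(frame)
        if arp is None:
            return "not-arp"
        if is_gratuitous(arp) and not self.accept_gratuitous:
            return "ignored"
        old = self.table.get(arp["spa"])
        self.table[arp["spa"]] = arp["sha"]
        if old is None:
            return "learned"
        # An IP whose MAC changes is what a failover looks like to the router;
        # seen passively it is also the signature of ARP spoofing.
        return "unchanged" if old == arp["sha"] else "moved"


def simulate_failover(accept_gratuitous: bool) -> tuple:
    """Member A owns the cluster VIP, fails, and member B announces the VIP.
    Returns (event the router records for B's announcement, MAC it now holds)."""
    vip = "203.0.113.10"                                        # constructed VIP
    mac_a, mac_b = "00:1c:7f:aa:aa:aa", "00:1c:7f:bb:bb:bb"      # constructed MACs
    router = ArpCache(accept_gratuitous)
    router.table[vip] = mac_a      # router resolved A normally before the failover
    event = router.process(build_gratuitous_arp(mac_b, vip, ARP_REPLY))
    return event, router.table[vip]


if __name__ == "__main__":
    for flag in (True, False):
        print(f"router honours gratuitous ARP={flag}: {simulate_failover(flag)}")
```

With `accept_gratuitous=True` the router's entry for the VIP moves to member B's MAC on the first announcement, which is the behaviour Sergio describes; with `False` it keeps member A's MAC until the entry ages out, which is the symptom the original question reports. The "moved" event is worth alerting on in any passive ARP monitor: a legitimate cluster failover and an ARP-spoofing attempt produce exactly the same change, so the monitor needs the cluster's member MACs as an allow-list to tell them apart.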
