OK, then the only way I can think of to minimize downtime due to a required MAC address change in the ARP table of the Internet router is to keep a console session open on that router before switching boxes and run a "clear arp" command on it right after the change; that way you force the router to find all required MAC addresses to fill the ARP table at that very moment and use the new firewall MAC.

On Thu, Aug 12, 2010 at 12:55 AM, a bv <[email protected]> wrote:

> Hi,
>
> The boxes are independent, not clustered. While switching, only the
> network cables of the online one are then plugged in to the other one for
> switching, and the internet gateway device is reported to be a Cisco
> 3750-G.
>
> Regards
>
> 2010/8/11, Oscar Esquivel <[email protected]>:
> > Hello, I have clusters running with multiple ISPs and after a failover in
> > our cluster, we don't have any packet loss.....
> > Gratuitous arp works fine!!
> >
> > It sounds to me that the issue is in your ISP router... here are some
> > recommendations:
> >
> > 1) You didn't mention it, but if your ISP is using a Cisco router, check if
> > they have "no ip gratuitous-arps"; for security reasons, sometimes they
> > disable the gratuitous arp.
> >
> > no ip gratuitous-arps
> > To disable the transmission of gratuitous Address Resolution Protocol
> > (ARP) messages for an address in a local pool, use the no ip
> > gratuitous-arps
> > http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_l1g.html
> >
> > 2) If you have multiple ISPs (more than 1 router for internet connection)
> > you can ask them to use HSRP (Hot Standby Router Protocol); it uses
> > gratuitous arps.
> >
> > I hope this can give you a clue...
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[email protected]] On behalf of Sergio Alvarez
> > Sent: Wednesday, August 11, 2010 10:04 AM
> > To: [email protected]
> > Subject: Re: [FW-1] static arp entry at 2 diffent SPLAT boxes
> >
> > Hello,
> >
> > As far as I understand, what you have is an active/standby cluster; please
> > let us know if it is something else you are talking about.
> >
> > The way such a scenario is supposed to work is, when a failover occurs, the
> > newly active cluster member should send a gratuitous ARP update to all
> > perimeter devices, letting them know they should change their ARP tables
> > and associate the corresponding IPs to the new MAC addresses.
> > I have multiple customers with similar scenarios and a failover never
> > disrupts communications; at least anything session related remains up and
> > running while the first member goes down and the secondary takes charge of
> > the traffic. Only having a continuous ping going through the cluster you
> > will see 2 or 4 packets lost, but it does not generate any downtime at
> > all.
> >
> > That said, I believe there is something not working properly in your
> > environment. I have never faced anything like what you described, but I
> > hope this info helps you understand that what you see is not expected
> > behavior and change the way you are approaching the issue to find a
> > solution... I'm thinking maybe something on the Internet gateway is not
> > able to handle the ARP updates.
> >
> > Regards
> >
> > On Wed, Aug 11, 2010 at 1:32 AM, a bv <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> Having 2 FW-1 SPLAT R70 boxes, and sometimes switching from one to the
> >> other makes for extra offline time because of the ARP. Because the internet
> >> gateway device (router, modem etc.) has the first FW's ARP entry, not
> >> the other one's, and also the newly online box doesn't know its
> >> gateway device's MAC address. So during the firewall switches, what
> >> ARP/MAC-related things can or must be done to minimize the wait time and
> >> problems?
> >>
> >> Regards
> >
> > --
> > Sergio Alvarez
> > CISSP | CCSE+

--
Sergio Alvarez
CISSP | CCSE+
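
Added example, not part of the original thread or any poster's code: a small Python model of the upstream router's ARP table, showing why the old firewall's MAC stays in place after the box swap unless a gratuitous ARP is acted on, and why clearing the table forces a fresh resolution. All addresses are constructed documentation values, and `honor_gratuitous` is a hypothetical switch standing in for a router that does or does not update its table from gratuitous ARP.

```python
import struct

ZERO = "00:00:00:00:00:00"
FW_IP, RTR_IP = "192.0.2.1", "192.0.2.254"                 # constructed sample addresses
MAC_A, MAC_B, RTR_MAC = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:fe"

def build_arp(op, sha, spa, tha, tpa, dst="ff:ff:ff:ff:ff:ff"):
    """Constructed sample frame: Ethernet header + IPv4-over-Ethernet ARP body."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    eth = m(dst) + m(sha) + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sha) + i(spa) + m(tha) + i(tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(map(str, b))
    return op, frame[22:28].hex(":"), dotted(frame[28:32]), dotted(frame[38:42])

def is_gratuitous(parsed):
    # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
    return parsed is not None and parsed[2] == parsed[3]

class ArpCache:
    """Toy model of the upstream router's ARP table (not vendor code)."""
    def __init__(self, honor_gratuitous):
        self.honor_gratuitous = honor_gratuitous  # hypothetical switch, see lead-in
        self.table = {}

    def receive(self, frame):
        p = parse_arp(frame)
        if p is None or (is_gratuitous(p) and not self.honor_gratuitous):
            return                                # frame does not update the table
        self.table[p[2]] = p[1]

    def clear(self):                              # models the operator's "clear arp"
        self.table.clear()

def swap_scenario(honor_gratuitous):
    """Return the MAC held for FW_IP (after the swap, after clear + re-resolve)."""
    rtr = ArpCache(honor_gratuitous)
    rtr.receive(build_arp(2, MAC_A, FW_IP, RTR_MAC, RTR_IP, dst=RTR_MAC))  # learned from box A
    rtr.receive(build_arp(1, MAC_B, FW_IP, ZERO, FW_IP))                   # box B announces itself
    after_swap = rtr.table.get(FW_IP)
    rtr.clear()
    rtr.receive(build_arp(2, MAC_B, FW_IP, RTR_MAC, RTR_IP, dst=RTR_MAC))  # reply to fresh request
    return after_swap, rtr.table.get(FW_IP)
```
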
