CSS VIPs use old MAC address after firewall failover

telehealthtech
Level 1

We have our CSS load balancers behind our firewalls in a DMZ. When the firewall fails over, the physical interface changes its MAC address to the address of the now-active firewall, but the VIPs do not, and all traffic to those VIPs is broken. Has anyone experienced an issue like this before? Any help would be appreciated.

Thanks.

3 Replies

guyp
Cisco Employee

I understand you have CSS load balancers behind firewalls in a DMZ. Could you clarify which interface changes the MAC address to the new address of the now-active firewall after firewall failover? Are you expecting the VIPs to fail over too?

If the firewall failed over, it depends on the type of firewall. For some firewalls the MAC will change, and the new active firewall sends a gratuitous ARP, which makes the neighboring devices save the new MAC address of the active firewall with the IP address. That seems to be your case. If for some reason that is not happening (gratuitous ARP missing), it could cause issues like the VIPs on the CSS being broken.

The failover of the firewall should be transparent to the CSS VIPs. Did you take a capture to see what is happening? Did the CSS receive the requests properly? Is the CSS load balancing to the servers properly?

If you require the CSS to fail over when the firewall fails over, then you can define a critical service (layer 3) or a critical physical interface (layer 2), and if that detects the link to the firewall down, then it could fail over.
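The gratuitous-ARP behaviour described above, as an added example that is not part of this thread or of any Cisco code: a minimal ARP parser and an ARP cache with an age-out timer, where the honor_garp flag models a host that ignores gratuitous ARP (the stale-VIP-entry symptom) versus one that refreshes the entry. The firewall IP and MAC addresses are constructed sample values.

```python
import struct

ARP_REQUEST = 1


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (constructed sample traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) from a raw ARP payload."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[8:28])
    return (op, ":".join(f"{b:02x}" for b in sha),
            ".".join(map(str, spa)), ".".join(map(str, tpa)))


class ArpCache:
    """ARP cache with an age-out timer; honor_garp=False mimics a host ignoring gratuitous ARP."""
    def __init__(self, timeout_s, honor_garp=True):
        self.timeout_s, self.honor_garp, self.table = timeout_s, honor_garp, {}

    def learn(self, ip, mac, now):
        self.table[ip] = (mac, now)  # entry value: (mac, time learned)

    def on_arp(self, frame, now):
        op, smac, sip, tip = parse_arp(frame)
        gratuitous = sip == tip  # sender announces its own IP (request or reply form)
        if gratuitous and not self.honor_garp:
            return  # the stale entry survives: the symptom described in the thread
        if gratuitous or sip in self.table:
            self.learn(sip, smac, now)  # GARP, or a refresh of an already-known neighbor

    def lookup(self, ip, now):
        entry = self.table.get(ip)
        return None if entry is None or now - entry[1] > self.timeout_s else entry[0]


def after_failover(timeout_s, honor_garp, check_at):
    """MAC the cache resolves for the firewall IP `check_at` seconds after learning the old one."""
    fw_ip, old_mac, new_mac = "10.0.0.1", "00:11:22:33:44:01", "00:11:22:33:44:02"  # constructed
    cache = ArpCache(timeout_s, honor_garp)
    cache.learn(fw_ip, old_mac, now=0)
    garp = build_arp(ARP_REQUEST, new_mac, fw_ip, "00:00:00:00:00:00", fw_ip)  # failover at t=10
    cache.on_arp(garp, now=10)
    return cache.lookup(fw_ip, now=check_at)
```

With the 4-hour default timeout and GARP ignored, the old MAC is still returned long after failover; shortening the timeout to 60 seconds only makes the stale entry expire (forcing a fresh ARP) rather than fixing the GARP handling itself.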


The firewalls are Checkpoint running in HA mode. When the firewalls fail over, the MAC address changes to that of the now-active firewall's interface. The firewall's IP stays the same. The CSS does not fail over. The CSS physical interface sees the new MAC address and the ARP table changes as it should. The problem is that the CSS VIPs' ARP table holds the old MAC and connectivity is broken to those VIP addresses from the firewall. Cisco tech recommended changing the ARP default timeout from 4 hours to 60 seconds, but the CSS admin said that one time after a failover he left it not working all day and there was no change in the VIPs' ARP table. I hope I explained this clearly. Any help would be appreciated.

Try configuring "no ip no-implicit-service" on the CSS. Also make sure ICMP from the CSS to the firewalls is not blocked. Reload the CSS after that is configured.

After that change, new flows should work. Existing flows may still fail until they time out.
