Can someone explain how failover actually happens at the backend?

rajesh.gogia
Level 1

We have seen on ASA that the standby unit always grabs the IP address and MAC address of the primary unit when failover actually happens. Can someone let me know how all this happens on the backend? When the active unit has its own IP address and MAC address, how come the standby unit learns all this virtually?

8 Replies

varrao
Level 10

Hi Rajesh,

You should go through this failover document to understand all about it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

and:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

This would help you a lot, but still if you have any questions do let me know.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for your quick response

I wasn't able to access second document but yes as per first document I am aware of this all.

I am still not clear with my query

Actually I have been looking for this answer for the past couple of months but couldn't find a solution for how the secondary unit takes over the primary unit's IP address and MAC address in the backend. We don't configure it virtually on either unit; it takes the physical IP address of the primary device.

This document tells me how to configure failover, the requirements, and what the commands are to test failover.

I've got my primary unit with internal IP 192.168.0.1, my secondary unit has IP 192.168.0.41.  External IPs are 208.x.x.34 and 208.x.x.147, respectively.  DMZ IPs are 172.16.100.1, and 172.16.100.2 respectively.  Then there is the failover link that was 192.168.1.1 and 192.168.1.2 respectively.

I'm monitoring the outside, inside, and DMZ interfaces on the firewalls.  If the outside, inside, or DMZ interface on the primary unit fails, the secondary unit will start responding to all traffic of the primary unit (it does so by assuming the IPs and MAC addresses of the primary unit's interfaces).  When I want to test failover, I log into my primary firewall and do a reload, which will fail my primary firewall as it reboots and things are automatically taken over by my secondary firewall.  For your first test, I would wait for a maintenance window in case you don't have things set quite properly and have an interruption.

What exact issue are you trying to troubleshoot? And why do you need this info? This would help us understand better. Both the devices in failover have the active unit IP and standby unit IP learnt, along with their respective ARP entries. So whenever the standby detects that the active device has gone down, there is an IP address and ARP address change: it takes the IP address and the ARP entry of the primary unit (active unit) and becomes active.

In Active/Standby failover, the MAC addresses for  the primary unit are always associated with the active IP addresses. If  the secondary unit boots first and becomes active, it uses the burned-in  MAC address for its interfaces. When the primary unit comes online, the  secondary unit obtains the MAC addresses from the primary unit. The  change can disrupt network traffic.

So if you can explain the purpose, why you need to know, maybe there is something else for it.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Actually someone asked this question from me in an Interview couple of months back, so thought to get the clarification on this.

Hope you can give more clarity on this now.

Thanks

Hi Rajesh,

The primary ARPs for the secondary failover IP address. Then the secondary sends a reply to the primary firewall. So once there is a reply from the secondary firewall we would see control messages being exchanged between the devices.

Basically these control messages are the heartbeats; if for some reason the standby device doesn't get this message, both devices will go into the active state.

When a unit does not receive three consecutive hello messages on the failover link, the unit sends interface hello messages on each interface, including the failover interface, to validate whether or not the peer interface is responsive. The action that the security appliance takes depends upon the response from the other unit.

After the ARP request and response is complete between the two firewalls, the primary firewall sends a gratuitous ARP message. The purpose of this message is to poison the entry in the next-hop switch, i.e. the switch will create a MAC entry in its MAC address table saying that to reach this MAC address you have to use the port on which you received the gratuitous ARP.

Now whenever a failover happens for any reason, or if you make the secondary unit active with the command failover active, the failover MAC address is shifted from the previous active unit to the new active unit. As soon as it gets the MAC address it will send a gratuitous ARP over all its interfaces. This gratuitous ARP packet will poison the next-hop switch with a new entry in its MAC address table. Now the switch MAC table entry points to the port from where it can reach the active unit. So this way the switch will direct the packets using the new entry which it has learned through the gratuitous ARP.

This is the complete mechanism of failover that happens; hope this is what the interviewer and you were looking for. Let me know if this helps you.

Thanks,

Varun

Thanks,
Varun Rao
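To make the mechanism in Varun's reply concrete, here is an added toy model (not Cisco code and not part of this thread) of what the two replies above describe: the standby counts missed hellos and triggers a switchover after three consecutive misses, the failover MAC (the primary unit's burned-in MAC) moves to the new active unit, and that unit sends a gratuitous ARP on every interface so each next-hop switch re-learns the port for that MAC. Unit names, MAC addresses, interface names and switch port names are constructed sample values, and the per-interface probing the real ASA does before failing over is deliberately left out.

```python
"""Toy model of ASA Active/Standby failover as described in the thread.

This is an added illustration, not Cisco's failover implementation.  All
MACs, interface names and switch ports are constructed sample values.
"""
from dataclasses import dataclass, field

HELLO_MISS_THRESHOLD = 3   # "three consecutive hello messages" from the thread


@dataclass
class Switch:
    """Minimal L2 switch: learns source MAC -> ingress port from any frame."""
    mac_table: dict = field(default_factory=dict)

    def receive_frame(self, src_mac: str, port: str) -> None:
        # A gratuitous ARP is just another frame: the source port is (re)learned.
        self.mac_table[src_mac] = port

    def port_for(self, mac: str):
        return self.mac_table.get(mac)


@dataclass
class AsaUnit:
    name: str
    burned_in_mac: str
    interfaces: dict           # interface name -> switch port it is cabled to
    active: bool = False
    missed_hellos: int = 0

    def mac_in_use(self, failover_mac: str) -> str:
        # The active unit answers for the failover MAC; standby keeps its own.
        return failover_mac if self.active else self.burned_in_mac


@dataclass
class FailoverPair:
    primary: AsaUnit
    secondary: AsaUnit
    switches: dict             # interface name -> next-hop Switch on that segment
    failover_mac: str = ""

    def __post_init__(self):
        # The active MAC is always the primary unit's burned-in MAC (as in the thread).
        self.failover_mac = self.primary.burned_in_mac
        self.primary.active, self.secondary.active = True, False
        self._send_gratuitous_arps(self.primary)

    def _send_gratuitous_arps(self, unit: AsaUnit) -> None:
        # New active unit announces the failover MAC on every interface.
        for ifname, port in unit.interfaces.items():
            self.switches[ifname].receive_frame(self.failover_mac, port)

    def active_unit(self) -> AsaUnit:
        return self.primary if self.primary.active else self.secondary

    def standby_unit(self) -> AsaUnit:
        return self.secondary if self.primary.active else self.primary

    def hello_received(self) -> None:
        self.standby_unit().missed_hellos = 0

    def hello_missed(self) -> bool:
        """Standby misses one hello; returns True if a switchover was triggered."""
        standby = self.standby_unit()
        standby.missed_hellos += 1
        if standby.missed_hellos >= HELLO_MISS_THRESHOLD:
            self.switch_over()     # real ASA probes each interface first (omitted)
            return True
        return False

    def switch_over(self) -> None:
        old, new = self.active_unit(), self.standby_unit()
        old.active, new.active = False, True
        old.missed_hellos = new.missed_hellos = 0
        self._send_gratuitous_arps(new)

    def active_path(self) -> dict:
        """Per interface, the switch port that currently reaches the failover MAC."""
        return {ifname: sw.port_for(self.failover_mac) for ifname, sw in self.switches.items()}


def build_demo_pair() -> FailoverPair:
    # Constructed sample topology: one next-hop switch per monitored segment.
    pri = AsaUnit("primary", "0011.2233.4455",
                  {"inside": "Gi1/1", "outside": "Gi1/2", "dmz": "Gi1/3"})
    sec = AsaUnit("secondary", "0011.2233.9999",
                  {"inside": "Gi1/11", "outside": "Gi1/12", "dmz": "Gi1/13"})
    switches = {name: Switch() for name in ("inside", "outside", "dmz")}
    return FailoverPair(pri, sec, switches)


def run_demo():
    """Returns (path before, path after two misses, triggered?, path after failover)."""
    pair = build_demo_pair()
    before = pair.active_path()
    pair.hello_missed()
    pair.hello_missed()
    after_two = pair.active_path()          # still the primary's ports
    triggered = pair.hello_missed()         # third consecutive miss
    return before, after_two, triggered, pair.active_path(), pair


if __name__ == "__main__":
    b, two, t, a, _ = run_demo()
    print("before:", b, "\nafter 2 misses:", two, "\ntriggered:", t, "\nafter:", a)
```

Reading the output next to a real capture on the failover link (as Varun suggests) is the easiest way to map the hello counter and the gratuitous ARP bursts onto what the switches actually learn.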

Thanks and I sincerely appreciate your reply...

No problem, but did that still not answer your question? The best way to understand this would be practically; you would be better able to correlate things with what I mentioned above. You would be able to see the interfaces exchanging and requesting ARP entries with the help of captures on the failover link, and be assured this is the only backend operation that you would find.

Thanks,

Varun

Thanks,
Varun Rao