05-09-2018 07:41 AM - edited 03-05-2019 10:25 AM
Hi All,
We are facing an issue with ARP.
ARP is not getting updated on one of the internet routers.
Scenario
We have 2 firewalls in a cluster connected to 2 Internet routers. When doing a FW failover, ARP is not getting updated on the primary internet router; however, there are no issues with the secondary router.
Topology: Firewalls connected to an L2 switch (3750), and from the switch the internet routers are connected.
Please advise/suggest what can be checked in this case.
05-09-2018 07:52 AM
Wouldn't traffic change direction when doing failover? Therefore routing tables/ARP entries would only populate on the active router and not on the standby router?
Thanks,
Matt
05-09-2018 08:16 AM
Our active router is the primary one, on which ARP is not getting updated, and when ARP is not getting updated the BGP neighborship goes down and traffic diverts to the secondary.
05-09-2018 08:40 AM
Hello,
Which routers do you have, and which IOS?
05-09-2018 08:46 AM
Cisco 3945. Not sure of the IOS; both have the same IOS.
05-09-2018 09:02 AM
Hello,
Without having seen your configs, check whether you might be hitting the bug below:
Box to Box NAT / GARP not sent by the Primary Router after taking the Active role
CSCvf21090
Description
Symptom:
The NAT failover works fine and the Secondary NAT box takes up the active role when the Primary NAT box crashes/reloads; however, the failback does not work as expected.
When the Active router comes back up it performs BULK_SYNC and moves to the Active role, but it does not generate any GARP to update the MAC address on the connected device. Thus, even though the Primary router is Active, the ARP for the NATed IP still points to the Standby router's MAC address on the host devices.
Conditions:
Box to Box NAT redundancy configuration.
This issue is not seen on the older 15.4(3)M1 version; however, it is seen on almost all versions after this release.
Workaround:
The issue is not seen on the 15.4(3)M1 release.
Further Problem Description:
Primary Router:
==============
redundancy
 application redundancy
  group 1
   name CAS-NAT
   preempt
   priority 100 failover threshold 50
   timers delay 0 reload 60
   control GigabitEthernet0/0 protocol 1
   data GigabitEthernet0/0
   asymmetric-routing interface GigabitEthernet0/0
   asymmetric-routing always-divert enable
ip nat inside source static 192.168.96.125 170.8.244.2 redundancy 1 mapping-id 102
ip nat inside source static 192.168.96.65 170.8.244.3 redundancy 1 mapping-id 103
show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  170.8.244.1             -   0007.b421.0064  ARPA  GigabitEthernet0/3
Internet  170.8.244.2             -   c471.feca.2e83  ARPA  GigabitEthernet0/3
Internet  170.8.244.3             -   c471.feca.2e83  ARPA  GigabitEthernet0/3
Secondary Router:
===============
redundancy
 application redundancy
  group 1
   name CAS-NAT
   preempt
   priority 90
   timers delay 0 reload 60
   control GigabitEthernet0/0 protocol 1
   data GigabitEthernet0/0
   asymmetric-routing interface GigabitEthernet0/0
   asymmetric-routing always-divert enable
ip nat inside source static 192.168.96.125 170.8.244.2 redundancy 1 mapping-id 102
ip nat inside source static 192.168.96.65 170.8.244.3 redundancy 1 mapping-id 103
show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  170.8.244.2             -   8843.e118.6708  ARPA  GigabitEthernet0/0/0
Internet  170.8.244.3             -   8843.e118.6708  ARPA  GigabitEthernet0/0/0
Host device:
===========
DEMO-FIREWALL#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  170.8.244.1             0   0007.b421.0064  ARPA  Vlan50
Internet  170.8.244.2             4   c471.feca.2e83  ARPA  Vlan50
Internet  170.8.244.3             4   c471.feca.2e83  ARPA  Vlan50
The above ARP points to the Primary Router.
After the Primary router goes down, it points to the Standby because of the GARP received from the Standby Router:
*Apr 24 00:11:43.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/47, changed state to down
*Apr 24 00:11:44.450: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/47, changed state to down
*Apr 24 00:11:45.184: IP ARP: rcvd rep src 170.8.244.2 8843.e118.6708, dst 170.8.244.2 Vlan50
*Apr 24 00:11:45.184: IP ARP: rcvd rep src 170.8.244.3 8843.e118.6708, dst 170.8.244.3 Vlan50
show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  170.8.244.2             0   8843.e118.6708  ARPA  Vlan50
Internet  170.8.244.3             0   8843.e118.6708  ARPA  Vlan50
After the Primary Router came up as active, the ARP on the Host device is still pointing to the Standby:
DEMO-FIREWALL#
*Apr 24 00:13:54.802: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/47, changed state to down
*Apr 24 00:13:55.804: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/47, changed state to down
*Apr 24 00:13:56.186: IP ARP: rcvd rep src 170.8.244.2 8843.e118.6708, dst 170.8.244.2 Vlan50
*Apr 24 00:13:56.187: IP ARP: rcvd rep src 170.8.244.3 8843.e118.6708, dst 170.8.244.3 Vlan50
*Apr 24 00:13:58.187: IP ARP: rcvd rep src 170.8.244.2 8843.e118.6708, dst 170.8.244.2 Vlan50
*Apr 24 00:13:58.187: IP ARP: rcvd rep src 170.8.244.3 8843.e118.6708, dst 170.8.244.3 Vlan50
*Apr 24 00:13:58.332: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/47, changed state to up
*Apr 24 00:13:59.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/47, changed state to up
*Apr 24 00:14:25.185: IP ARP: rcvd rep src 170.8.244.251 c471.feca.2e83, dst 170.8.244.251 Vlan50
*Apr 24 00:14:25.193: IP ARP: rcvd rep src 170.8.244.251 c471.feca.2e83, dst 170.8.244.251 Vlan50
*Apr 24 00:14:25.575: IP ARP: rcvd rep src 170.8.244.251 c471.feca.2e83, dst 170.8.244.251 Vlan50
*Apr 24 00:14:34.677: IP ARP: rcvd rep src 170.8.244.251 c471.feca.2e83, dst 170.8.244.251 Vlan50
*Apr 24 00:14:34.945: IP ARP: rcvd rep src 170.8.244.2 c471.feca.2e83, dst 170.8.244.2 Vlan50
*Apr 24 00:14:34.946: IP ARP: rcvd rep src 170.8.244.3 c471.feca.2e83, dst 170.8.244.3 Vlan50
*Apr 24 00:14:34.946: IP ARP: rcvd rep src 170.8.244.2 8843.e118.6708, dst 170.8.244.2 Vlan50
*Apr 24 00:14:34.946: IP ARP: rcvd rep src 170.8.244.3 8843.e118.6708, dst 170.8.244.3 Vlan50
*Apr 24 00:14:34.947: IP ARP: rcvd rep src 170.8.244.251 c471.feca.2e83, dst 170.8.244.251 Vlan50
*Apr 24 00:14:58.148: IP ARP: rcvd rep src 170.8.244.2 c471.feca.2e83, dst 170.8.244.2 Vlan50
*Apr 24 00:14:58.148: IP ARP: rcvd rep src 170.8.244.3 c471.feca.2e83, dst 170.8.244.3 Vlan50
*Apr 24 00:14:58.149: IP ARP: rcvd rep src 170.8.244.2 8843.e118.6708, dst 170.8.244.2 Vlan50
*Apr 24 00:14:58.149: IP ARP: rcvd rep src 170.8.244.3 8843.e118.6708, dst 170.8.244.3 Vlan50
*Apr 24 00:15:07.219: IP ARP: rcvd rep src 170.8.244.1 0007.b421.0064, dst 170.8.244.1 Vlan50
show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  170.8.244.2             5   8843.e118.6708  ARPA  Vlan50
Internet  170.8.244.3             5   8843.e118.6708  ARPA  Vlan50
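As an added example (not part of this thread and not Cisco's own tooling), the following Python script automates the check the bug notice walks through by hand: it parses `show ip arp` output from the router that believes it is active and from the host (here the firewall), flags NATed addresses whose host-side MAC does not match the active router's own MAC, and scans `debug arp` lines for the pattern visible in the log above, where two different MACs reply for the same IP within a couple of seconds. That last pattern is exactly what an ARP-spoofing detector would alarm on, so it is worth knowing when it is a misbehaving redundancy pair rather than an attacker. The sample tables and debug lines are constructed from the output quoted in this post; the 2-second conflict window is an assumption.

```python
"""Detect stale and conflicting ARP state after a NAT box-to-box failback.

Inputs are pasted 'show ip arp' tables and 'debug arp' lines (IOS formats as
shown in the post). Sample data below is constructed from the quoted output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the primary router's own table. Age '-' marks addresses
# the router owns, so those rows carry the router's own MAC (c471.feca.2e83).
PRIMARY_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  170.8.244.1             -   0007.b421.0064  ARPA  GigabitEthernet0/3
Internet  170.8.244.2             -   c471.feca.2e83  ARPA  GigabitEthernet0/3
Internet  170.8.244.3             -   c471.feca.2e83  ARPA  GigabitEthernet0/3
"""

# Constructed sample: the host (firewall) table after failback, still pointing
# at the standby router's MAC (8843.e118.6708).
HOST_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  170.8.244.2             5   8843.e118.6708  ARPA  Vlan50
Internet  170.8.244.3             5   8843.e118.6708  ARPA  Vlan50
"""

# Constructed sample of 'debug arp' lines: both routers answer for .2 within 1 ms.
HOST_ARP_DEBUG = """\
*Apr 24 00:14:34.945: IP ARP: rcvd rep src 170.8.244.2 c471.feca.2e83, dst 170.8.244.2 Vlan50
*Apr 24 00:14:34.946: IP ARP: rcvd rep src 170.8.244.2 8843.e118.6708, dst 170.8.244.2 Vlan50
*Apr 24 00:15:07.219: IP ARP: rcvd rep src 170.8.244.1 0007.b421.0064, dst 170.8.244.1 Vlan50
"""

ARP_ROW = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)",
    re.IGNORECASE,
)
DEBUG_LINE = re.compile(
    r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): IP ARP: rcvd rep src (\S+) (\S+), dst (\S+)"
)


def parse_show_ip_arp(text):
    """Return {ip: (mac, age_minutes)}; age is None for rows the device owns ('-')."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            ip, age, mac, _iface = m.groups()
            table[ip] = (mac.lower(), None if age == "-" else int(age))
    return table


def owned_macs(table):
    """Addresses a device owns (age '-') mapped to its own MAC."""
    return {ip: mac for ip, (mac, age) in table.items() if age is None}


def stale_entries(active_table, host_table):
    """IPs where the host's ARP MAC differs from the active router's own MAC.

    Returns {ip: (mac_host_has, mac_active_router_owns)}.
    """
    owned = owned_macs(active_table)
    return {
        ip: (host_table[ip][0], owned[ip])
        for ip in owned
        if ip in host_table and host_table[ip][0] != owned[ip]
    }


def conflicting_claims(debug_text, window=timedelta(seconds=2)):
    """IPs for which two different MACs sent ARP replies within `window`.

    Returns {ip: {mac, ...}}. Assumed window of 2 s; tune to your environment.
    """
    replies = defaultdict(list)
    for line in debug_text.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        replies[m.group(2)].append((ts, m.group(3).lower()))
    conflicts = {}
    for ip, seen in replies.items():
        seen.sort()
        for i, (t1, mac1) in enumerate(seen):
            for t2, mac2 in seen[i + 1:]:
                if t2 - t1 > window:
                    break
                if mac1 != mac2:
                    conflicts.setdefault(ip, set()).update({mac1, mac2})
    return conflicts


if __name__ == "__main__":
    primary = parse_show_ip_arp(PRIMARY_SHOW_IP_ARP)
    host = parse_show_ip_arp(HOST_SHOW_IP_ARP)
    for ip, (have, want) in stale_entries(primary, host).items():
        print(f"STALE   {ip}: host has {have}, active router owns {want}")
    for ip, macs in conflicting_claims(HOST_ARP_DEBUG).items():
        print(f"CONFLICT {ip}: replies from {sorted(macs)} within window")
```

When the stale check fires but the active router's table still claims the address, the fix is on the router side (a GARP after failback, or a release without the bug); clearing the host's ARP entry only masks it until the next failback.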