Hello everyone,
Today I will share with you a case in which service forwarding fails due to ARP entry fixing on a switch after a firewall upgrade.
Involved Products and Versions
All products and versions
Networking
As shown in Figure 1-1, a VRRP group is configured on SwitchA and SwitchB. SwitchA is the VRRP master device and SwitchB is the VRRP backup device. FWA and FWB work in active/standby mode. FWA is the master device and FWB is the backup device.
Figure 1-1 Networking diagram for the service forwarding failure due to ARP entry fixing on a switch after a firewall upgrade.

Fault Symptom
Service forwarding fails after FWA is upgraded.
Cause Analysis
1. During the upgrade and restart of FWA, FWA becomes the backup device, and FWB becomes the master device. Services are switched to FWB, and the interconnection interface Eth-Trunk3 between SwitchA and FWA goes down. The interconnection interface Eth-Trunk1 between SwitchA and SwitchB learns the virtual IP address of the firewall.
2. After FWA restarts successfully, FWA becomes the master device again, and FWB becomes the backup device. The interconnection interface Eth-Trunk1 between SwitchA and SwitchB is Up. Because ARP entry fixing is configured on SwitchA, SwitchA determines that the gratuitous ARP packets sent from FWA to SwitchA are attack packets, and fixes the ARP address of the firewall to the interface connected to FWB. As a result, ARP entries cannot be updated to the interface Eth-Trunk3 connected to SwitchA.
Troubleshooting Procedure
Step 1 Check the ARP entries learned by SwitchA. It is found that the ARP entries learned by the interconnection interface Eth-Trunk1 are not updated to the interconnection interface Eth-Trunk3 between SwitchA and FWA.

Step 2 Collect statistics on ARP packets. The statistics show that ARP packets sent from FWA are being received by SwitchA.

Step 3 Run the debug arp command to confirm that gratuitous ARP packets are received from FWA. Then check how these ARP packets are processed: the system displays an ARP attack alarm for them.

Step 4 Check the configuration of SwitchA. ARP entry fixing is found to be configured. This function applies only to scenarios where static IP addresses are configured, no redundant link exists on the network, and users with the same IP address do not access the network through different interfaces. None of these conditions holds in this networking, where the firewall virtual IP address legitimately moves between Eth-Trunk3 and Eth-Trunk1 during a switchover.

Step 5 Run the undo arp anti-attack entry-check enable command to disable ARP entry fixing, and then perform an active/standby firewall switchover. The test result is normal. ARP entries can be updated to the interconnection interface Eth-Trunk3 between SwitchA and FWA, and services are normal.
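The cause analysis and the troubleshooting procedure above can be replayed in a small model. The following Python script is an added example (not vendor code and not from the original post): it simulates a switch ARP table with entry fixing enabled and disabled, and runs the FWA upgrade sequence through both. It assumes a single VRRP virtual MAC shared by FWA and FWB, and the IP/MAC values are constructed placeholders.

```python
"""Simplified model of ARP entry fixing during a firewall active/standby
switchover. Constructed example: interface names follow the case, the
virtual IP/MAC are placeholders, and the fixing rule is reduced to
'an entry already learned is bound to its interface'."""
from dataclasses import dataclass

FW_VIP = "10.1.1.254"        # constructed firewall virtual IP address
FW_VMAC = "0000-5e00-0101"   # constructed VRRP virtual MAC (assumed shared by FWA/FWB)


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str


class Switch:
    """Minimal ARP table. With entry_check=True, an entry that has been
    learned is fixed to its interface: a later ARP packet for the same IP
    arriving on another interface is treated as an attack and raises an
    alarm instead of updating the entry (the behaviour seen on SwitchA)."""

    def __init__(self, entry_check: bool):
        self.entry_check = entry_check
        self.arp: dict[str, ArpEntry] = {}
        self.alarms: list[str] = []

    def receive_arp(self, ip: str, mac: str, interface: str) -> bool:
        current = self.arp.get(ip)
        if current and self.entry_check and current.interface != interface:
            self.alarms.append(
                f"ARP attack suspected: {ip} moved {current.interface} -> {interface}")
            return False  # packet discarded, entry keeps the old interface
        self.arp[ip] = ArpEntry(ip, mac, interface)
        return True

    def interface_down(self, interface: str) -> None:
        # Entries learned on a link that went down are removed.
        for ip in [ip for ip, e in self.arp.items() if e.interface == interface]:
            del self.arp[ip]


def firewall_upgrade(entry_check: bool) -> Switch:
    """Replay the case: FWA master on Eth-Trunk3, FWA reboots, FWB takes over
    (reached via Eth-Trunk1/SwitchB), then FWA returns and sends gratuitous ARP."""
    sw = Switch(entry_check)
    sw.receive_arp(FW_VIP, FW_VMAC, "Eth-Trunk3")   # normal state, FWA is master
    sw.interface_down("Eth-Trunk3")                # FWA restarts for the upgrade
    sw.receive_arp(FW_VIP, FW_VMAC, "Eth-Trunk1")   # FWB master, learned via SwitchB
    sw.receive_arp(FW_VIP, FW_VMAC, "Eth-Trunk3")   # FWA back as master: gratuitous ARP
    return sw
```

With entry fixing enabled the table ends on Eth-Trunk1 with one alarm, which is the Step 1 and Step 3 observation; with it disabled (the Step 5 fix) the entry follows the master back to Eth-Trunk3.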

That is all I want to share with you! Thank you!