[All About Switches] Service Forwarding Fails Due to ARP Entry Fixing on a Switch After a Firewall Upgrade

Latest reply: Mar 9, 2018 13:52:38

Involved Products and Versions

All products and versions

Networking

As shown in Figure 1-1, a VRRP group is configured on SwitchA and SwitchB. SwitchA is the VRRP master device and SwitchB is the VRRP backup device. FWA and FWB work in active/standby mode. FWA is the master device and FWB is the backup device.

Figure 1-1 Networking diagram for the service forwarding failure due to ARP entry fixing on a switch after a firewall upgrade


Fault Symptom

Service forwarding fails after FWA is upgraded.

Cause Analysis

1. During the upgrade and restart of FWA, FWA becomes the backup device and FWB becomes the master device. Services are switched to FWB, and the interconnection interface Eth-Trunk3 between SwitchA and FWA goes down. SwitchA then learns the ARP entry for the firewall's virtual IP address on Eth-Trunk1, the interconnection interface between SwitchA and SwitchB.

2. After FWA restarts successfully, FWA becomes the master device again and FWB becomes the backup device. The interconnection interface Eth-Trunk1 between SwitchA and SwitchB is Up. Because ARP entry fixing is configured on SwitchA, SwitchA treats the gratuitous ARP packets that FWA sends to SwitchA as attack packets and keeps the firewall's ARP entry fixed to the interface that leads to FWB. As a result, the ARP entry cannot be updated to Eth-Trunk3 on SwitchA.

Troubleshooting Procedure

Step 1 Check the ARP entries learned by SwitchA. The entries learned on the interconnection interface Eth-Trunk1 have not been updated to Eth-Trunk3, the interconnection interface between SwitchA and FWA.

<SwitchA> display arp interface Vlanif 814
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN 
------------------------------------------------------------------------------
11.139.69.217   cc53-b5f3-4895            I -         Vlanif814
11.139.69.221   0009-0b29-3e59  13        D-0         Eth-Trunk1
                                           814/-
11.139.69.222   0000-5e00-01fa  20        D-0         Eth-Trunk1
                                           814/-
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1   

Step 2 Collect statistics on ARP packets. The counters show that the ARP packets sent from FWA are reaching SwitchA on Eth-Trunk3.

<SwitchA> display traffic policy statistics interface eth-trunk3 inbound verbose rule-base
 
 Interface: Eth-Trunk3
 Traffic policy inbound: test-in
 Rule number: 2
 Current status: OK!
---------------------------------------------------------------------
 Classifier: test-in operator or
 Behavior: test-in
 Board : 8
 rule 5 permit l2-protocol arp destination-mac ffff-ffff-ffff source-mac 0000-5e00-01fa vlan-id 814
 Passed Packet                        26,Passed Bytes                     1,664
 Dropped Packet                        0,Dropped Bytes                        0
 rule 10 permit l2-protocol arp destination-mac cc53-b5f3-4895 source-mac 0000-5e00-01fa vlan-id 814
 Passed Packet                         0,Passed Bytes                         0
 Dropped Packet                        0,Dropped Bytes                        0
 Board : 9
 rule 5 permit l2-protocol arp destination-mac ffff-ffff-ffff source-mac 0000-5e00-01fa vlan-id 814
 Passed Packet                        36,Passed Bytes                     2,304
 Dropped Packet                        0,Dropped Bytes                        0
 rule 10 permit l2-protocol arp destination-mac cc53-b5f3-4895 source-mac 0000-5e00-01fa vlan-id 814
 Passed Packet                         0,Passed Bytes                         0
 Dropped Packet                        0,Dropped Bytes                        0

Step 3 Run the debug arp command to confirm that gratuitous ARP packets are received from FWA, then check the ARP packets. The system displays an ARP entry attack alarm.

Jul 10 2017 19:10:45.790.1+08:00 NM1_LU_DS_01 ARP/7/arp_rcv:Receive an ARP Packet, operation : 1, sender_eth_addr : 0000-5e00-01fa, sender_ip_addr : 11.139.69.222, target_eth_addr : 0000-0000-0000, target_ip_addr : 11.139.69.219
Jul 10 2017 19:10:45.790.2+08:00 NM1_LU_DS_01 ARP/7/arp_send:Send an ARP Packet, operation : 2, sender_eth_addr : 0000-5e00-01c9,sender_ip_addr : 11.139.69.219, target_eth_addr : 0000-5e00-01fa, target_ip_addr : 11.139.69.222
Jul 10 2017 19:10:46+08:00 NM1_LU_DS_01 SECE/4/ARP_ENTRY_CHECK:OID 1.3.6.1.4.1.2011.5.25.165.2.2.2.2 Arp entry attack.(SourceInterface=Eth-Trunk3, SourceIP=11.139.69.222, SourceMAC=0000-5e00-01fa, PVLAN=814, CVLAN=0)

Step 4 Check the configuration of SwitchA: ARP entry fixing is enabled. This command is intended for scenarios where static IP addresses are configured, no redundant link exists on the network, and users with the same IP address do not access the network through different interfaces.

#
arp anti-attack entry-check fixed-all enable
#

Step 5 Run the undo arp anti-attack entry-check enable command to disable ARP entry fixing, then perform an active/standby firewall switchover. The test result is normal: ARP entries are updated to Eth-Trunk3, the interconnection interface between SwitchA and FWA, and services are normal.

<SwitchA> display arp interface Vlanif 814
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN 
------------------------------------------------------------------------------
11.139.69.217   cc53-b5f3-4895            I -         Vlanif814
11.139.69.221   0009-0b29-3e59  4         D-0         Eth-Trunk1
                                           814/-
11.139.69.220   0009-0b29-3d2d  9         D-0         Eth-Trunk3
                                           814/-
11.139.69.222   0000-5e00-01fa  13        D-0         Eth-Trunk3
                                           814/-
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0     Interface:1  

----End
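As an added example that is not part of the original post: a small Python check that parses the body rows of display arp output together with the SECE/4/ARP_ENTRY_CHECK alarm, and flags a VRRP virtual-MAC entry that entry fixing keeps on one interface while the master's gratuitous ARP arrives on another. The table rows and the log line are constructed to match the post's output; the virtual-MAC prefix test follows RFC 5798 (00-00-5E-00-01-VRID).

```python
import re
# Constructed sample inputs shaped like the post's "display arp" body rows,
# before and after ARP entry fixing was disabled on SwitchA.
ARP_BEFORE = """\
11.139.69.217   cc53-b5f3-4895            I -         Vlanif814
11.139.69.221   0009-0b29-3e59  13        D-0         Eth-Trunk1
11.139.69.222   0000-5e00-01fa  20        D-0         Eth-Trunk1
"""
ARP_AFTER = """\
11.139.69.217   cc53-b5f3-4895            I -         Vlanif814
11.139.69.221   0009-0b29-3e59  4         D-0         Eth-Trunk1
11.139.69.222   0000-5e00-01fa  13        D-0         Eth-Trunk3
"""
# Constructed log line of the same shape as the SECE/4/ARP_ENTRY_CHECK alarm in Step 3.
ALARM_LOG = ("Jul 10 2017 19:10:46+08:00 NM1_LU_DS_01 SECE/4/ARP_ENTRY_CHECK:OID "
             "1.3.6.1.4.1.2011.5.25.165.2.2.2.2 Arp entry attack.(SourceInterface=Eth-Trunk3, "
             "SourceIP=11.139.69.222, SourceMAC=0000-5e00-01fa, PVLAN=814, CVLAN=0)\n")
ALARM_RE = re.compile(r"ARP_ENTRY_CHECK.*?SourceInterface=([^,]+), SourceIP=([^,]+), SourceMAC=([^,]+)")
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)

def is_vrrp_virtual_mac(mac):
    # RFC 5798 virtual MAC 00-00-5E-00-01-{VRID}: a gratuitous ARP from it is expected after a failover.
    return mac.lower().startswith("0000-5e00-01")

def parse_arp_table(text):
    """Return {ip: {"mac", "iface"}} from 'display arp' rows; header, footer and VLAN continuation lines are skipped."""
    entries = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and MAC_RE.match(tok[1]):
            entries[tok[0]] = {"mac": tok[1].lower(), "iface": tok[-1]}
    return entries

def parse_alarms(log):
    return [{"iface": i, "ip": ip, "mac": m.lower()} for i, ip, m in ALARM_RE.findall(log)]

def find_pinned_vrrp_entries(arp_text, log):
    """Flag ARP entries that entry fixing holds on one interface while the VRRP master's GARP arrives on another."""
    table = parse_arp_table(arp_text)
    findings = []
    for a in parse_alarms(log):
        entry = table.get(a["ip"])
        if entry and is_vrrp_virtual_mac(a["mac"]) and entry["mac"] == a["mac"] and entry["iface"] != a["iface"]:
            findings.append({"ip": a["ip"], "pinned_on": entry["iface"], "garp_from": a["iface"]})
    return findings

if __name__ == "__main__":
    for f in find_pinned_vrrp_entries(ARP_BEFORE, ALARM_LOG):
        print(f"{f['ip']} pinned on {f['pinned_on']} while VRRP GARP arrives on {f['garp_from']}: review arp anti-attack entry-check")
```

Run against the after-fix table the check returns nothing, which is the state Step 5 confirms.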


Created Mar 9, 2018 13:52:38

:)good
