
Re: [FW-1] [fw1-wizards] connection works with proxy-arp, but not backup VRRP - Nokia HA pair



Yeah, unfortunately my upstream switch/router can't handle proxy-arp'd addresses. Both firewalls reply to requests, and the switch/router is only caching one of the replies. This means that traffic for some of my static NAT IPs gets sent to the secondary firewall, which ignores them. Since VRRP backup is now working, my question is "How did proxy-arp work without static routes?". My proxy-arp'd addresses have always used the VMAC, not the interface MAC. I switched to interface MAC temporarily, to see if the switch would behave any differently, but it didn't help. Let me know if you have any other input.
-----Original Message-----
From: Steve Edwards [mailto:[email protected]]
Sent: Monday, February 24, 2003 3:20 PM
To: [email protected]
Subject: RE: [fw1-wizards] connection works with proxy-arp, but not backup VRRP - Nokia HA pair

> Because of problems with our switch not handling both primary
> and secondary firewalls responding to arp requests (switch
> would store the last reply only), I was requested to move my
> proxy-arp IPs to backup VRRP IPs. 

[snip]

> If I pull it out of the VRRP backup, and create a proxy-arp
> address for it, everything starts working again.  Anyone have
> any clues? 

Did you use the VRRP MAC address in your proxy ARP in the original configuration?

Given your first comment, I'd guess you used the MAC address of the physical interface in your proxy ARPs ... try changing them to 0:0:5e:0:1:VRRP_ID (and remember, VRRP_ID in the MAC address is hex, whereas the VRRP ID shown in Voyager is decimal). Check out Resolution 3324 at the Nokia support site for more info.

I understand that others have had some success in setting up multiple backup addresses in lieu of the "standard" proxy ARP + static route for NATs, but the thought of doing that gives me the willies (they're NATs, not shared router interfaces, and I don't trust the OS not to do something peculiar with them).

I have several Nokia HA pairs with lots of NATs and have never had any issues using the VRRP MAC addr in proxy ARPs.

        - Steve



 
   All contents © 2004 Network Presence, LLC. All rights reserved.