Active/Standby Intranet Server Switchover Fails Due to ARP Spoofing Attack Defense

Publication Date: 2015-07-03
Issue Description
Networking:

[Figure: networking diagram not reproduced]

As shown in the figure, hot standby is implemented between the firewalls, between the switches, and between the servers (SRV-1 and SRV-2). The firewalls provide the NAT server function.

Symptom:

In the active/standby server switchover test, public network devices cannot access the intranet server after the switchover. The intranet server becomes accessible again only when service switches back to the previous active server.

The active/standby server switchover is triggered by removing the cable between SRV-1 and SW-1.
Handling Process
Check the server configuration. It is correct. Connect a PC to SW-1 and perform the active/standby server switchover again. The PC can access services through the server's private address, which indicates that the switch is working properly.

Check the firewall configuration. It is found that the firewall configuration is correct.

Consult the server R&D engineers to understand the active/standby server switchover mechanism. SRV-1 and SRV-2 share a virtual address; the MAC address behind the virtual address depends on which server is active. During the switchover, the new active server sends a gratuitous ARP packet so that other devices refresh their ARP entries.

Check the ARP entries on the two firewalls and on the PC. Before the switchover, the MAC address in the ARP entry learned from the server is A1-A2-A3 on all of them. After the switchover, the ARP entry on the PC changes to B1-B2-B3 (the MAC address of SRV-2), but the ARP entries on the firewalls remain unchanged: the firewalls do not refresh them.

Check the firewall configuration again. The firewall defend arp-spoofing enable command is configured. It is suspected that the gratuitous ARP packets are being identified as ARP spoofing attack packets. However, the firewall logs contain no ARP spoofing attack record.

Check the ARP spoofing attack defense mechanism. When ARP spoofing attack defense is enabled, the firewall neither learns from nor refreshes ARP entries based on gratuitous ARP packets, and it does not report them as attacks either. Instead, it compares non-gratuitous ARP packets with the ARP entries it has already learned; if they are inconsistent, it reports an attack log.

Delete the firewall defend arp-spoofing enable configuration and perform the active/standby server switchover again. The ARP entries on the firewall are now refreshed, and public network devices can access the intranet servers.
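To make the mechanism in the steps above concrete, here is an added Python model (not Huawei's code and not part of the original case) of how the firewall's ARP table behaves with and without ARP spoofing defense: a gratuitous ARP from the new active server refreshes the entry only when the defense is off, and only a conflicting non-gratuitous ARP produces an attack log. The VIP 10.0.0.100, the gateway address 10.0.0.1 and the full six-byte MAC addresses are constructed placeholders that extend the page's A1-A2-A3 and B1-B2-B3.

```python
import struct
from dataclasses import dataclass, field

VIP = "10.0.0.100"                       # constructed virtual server address
MAC_SRV1 = "A1-A2-A3-00-00-01"           # constructed, extends the page's "A1-A2-A3"
MAC_SRV2 = "B1-B2-B3-00-00-02"           # constructed, extends the page's "B1-B2-B3"

def build_arp(oper: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """28-byte IPv4-over-Ethernet ARP payload (Ethernet header omitted)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split("-"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac(smac), ip(sip), mac(tmac), ip(tip))

@dataclass
class ArpPkt:
    sender_mac: str
    sender_ip: str
    target_ip: str

def parse_arp(payload: bytes) -> ArpPkt:
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return ArpPkt("-".join(f"{b:02X}" for b in sha),
                  ".".join(map(str, spa)), ".".join(map(str, tpa)))

@dataclass
class ArpTable:
    defend_arp_spoofing: bool                    # models 'firewall defend arp-spoofing enable'
    entries: dict = field(default_factory=dict)  # ip -> mac
    logs: list = field(default_factory=list)
    def learn(self, pkt: ArpPkt) -> None:
        if self.defend_arp_spoofing:
            if pkt.sender_ip == pkt.target_ip:   # gratuitous ARP announces the sender's own IP
                return                           # neither learned, refreshed, nor logged
            old = self.entries.get(pkt.sender_ip)
            if old and old != pkt.sender_mac:    # normal ARP conflicting with the cached entry
                self.logs.append(f"ARP spoofing suspected: {pkt.sender_ip} {old} -> {pkt.sender_mac}")
                return
        self.entries[pkt.sender_ip] = pkt.sender_mac

def simulate_switchover(defend_arp_spoofing: bool) -> tuple:
    """SRV-1 answers an ARP request for the VIP, then SRV-2 takes over with a gratuitous ARP."""
    fw = ArpTable(defend_arp_spoofing)
    fw.learn(parse_arp(build_arp(2, MAC_SRV1, VIP, "00-00-00-00-00-FF", "10.0.0.1")))
    fw.learn(parse_arp(build_arp(1, MAC_SRV2, VIP, "00-00-00-00-00-00", VIP)))
    return fw.entries[VIP], fw.logs             # (MAC now cached for the VIP, attack logs)
```

With the defense enabled the firewall keeps A1-A2-A3 for the VIP and writes no log, which is exactly the silent failure observed in this case.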
Root Cause
With ARP spoofing attack defense enabled, the firewall does not learn from or refresh ARP entries based on gratuitous ARP packets, so it cannot detect the active/standby server switchover. Its ARP entry for the virtual address keeps pointing at the previous active server's MAC address, and server services become inaccessible after the switchover.
Solution
Disable ARP spoofing attack defense on the firewall when service switchover relies on gratuitous ARP packets to refresh ARP entries.
