Primary/secondary firewalls did not associate the NAT pool with VRRP, resulting in service interruption

Publication Date: 2012-09-19 Views: 2 Downloads: 0
Issue Description
Two USG5300 firewalls in primary/secondary hot-standby networking with the NAT function enabled. When the public-network cable of the secondary firewall is unplugged, service is interrupted.
The NAT pool configuration is:
nat address-group 1 220.230.XXX.XXX  220.230.XXX.XXX

Alarm Information
none
Handling Process
1 Checked the alarm and session lists; nothing abnormal.
2 Captured packets on the public-network interface of the secondary firewall and examined the message exchange at the moment the problem occurs. When the public interface of the secondary firewall comes up, it sends gratuitous ARP messages for the address-pool addresses, so the upstream router learns the wrong MAC address.
3 Because the NAT pool address is the same as the VRRP virtual address, this gratuitous ARP may be sent on behalf of the NAT pool, or it may be sent on behalf of the VRRP virtual address.
4 Checked the NAT configuration section of the manual and associated the NAT address pool with the VRRP group of the public-network interface (nat address-group 1 220.230.XXX.XXX  220.230.XXX.XXX vrrp 20).
After verification the problem was resolved. This shows that the gratuitous ARP was sent on behalf of the NAT pool address, which is normal product behaviour, and that once the secondary firewall binds the pool to the VRRP group, it no longer sends the gratuitous ARP messages.

Root Cause
The primary/secondary firewalls did not associate the NAT pool with VRRP. As a result, when the public interface of the secondary firewall comes up it sends gratuitous ARP messages for the address-pool addresses, the upstream router learns the wrong MAC address and directs public-network traffic to the secondary firewall, and service stops.
Suggestions
In primary/secondary hot-standby networking with the NAT function enabled, the address pool should be bound to the VRRP group.
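The check above can be automated as a configuration audit. The following script is an added example, not part of this case or of the product; it assumes a simplified USG-style configuration text (the `hrp enable` and `vrrp vrid ... virtual-ip ...` line shapes and the sample addresses are constructed assumptions) and flags every `nat address-group` in a hot-standby configuration that is not bound to a VRRP group.

```python
import re

# Constructed sample configuration (not from the case). Group 1 reproduces the
# unbound pool described above; group 2 shows the corrected "vrrp <vrid>" binding.
SAMPLE_CONFIG = """\
hrp enable
interface GigabitEthernet0/0/1
 ip address 203.0.113.2 255.255.255.0
 vrrp vrid 20 virtual-ip 203.0.113.10 master
nat address-group 1 203.0.113.10 203.0.113.10
nat address-group 2 203.0.113.20 203.0.113.25 vrrp 20
"""

# nat address-group <id> <start> <end> [vrrp <vrid>]
ADDR_GROUP_RE = re.compile(r"^nat address-group (\d+) (\S+) (\S+)(?: vrrp (\d+))?$")
# assumed syntax for the VRRP group under the public-network interface
VRRP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+)")


def parse_config(text):
    """Return (hot_standby_enabled, [(id, start, end, vrid|None)], {vrid: vip})."""
    groups, vrids, hrp = [], {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "hrp enable":
            hrp = True
            continue
        m = ADDR_GROUP_RE.match(stripped)
        if m:
            gid, start, end, vrid = m.groups()
            groups.append((int(gid), start, end, int(vrid) if vrid else None))
            continue
        m = VRRP_RE.match(line)
        if m:
            vrids[int(m.group(1))] = m.group(2)
    return hrp, groups, vrids


def audit_nat_pools(text):
    """List NAT pools that would send gratuitous ARP independently of VRRP state."""
    hrp, groups, vrids = parse_config(text)
    findings = []
    if not hrp:
        return findings  # single firewall: no VRRP binding is required
    for gid, start, end, vrid in groups:
        if vrid is None:
            findings.append(f"nat address-group {gid} ({start}-{end}) not bound to a VRRP group")
        elif vrid not in vrids:
            findings.append(f"nat address-group {gid} references vrrp {vrid} which is not configured")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_pools(SAMPLE_CONFIG):
        print(finding)
```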
