Problem with configuring vrrp vrid for nat server in USG5320 dual hot standby

Publication Date: 2012-10-09
Issue Description
From the DCN region, pings are sent to three internal servers: ZTE (192.168.41.10), Huawei (192.168.41.20) and Bell (192.168.41.30). The three servers are in the same network segment, yet pings to one or two of them always fail. The only way to recover is to delete the corresponding address (for example, ip address 10.235.120.212 255.255.255.0 sub) and re-enter it, but six or seven hours later the ping failure appears again.
Alarm Information
NULL
Handling Process
The customer said that only the master USG5320 was in use at the beginning and the backup USG5320 had not been enabled, so hot standby was not considered at first. To test whether the problem was in nat server, gratuitous ARP packets were sent (nat arp-gratuitous send) while the server could not be pinged; after that the server could be pinged. This raised the suspicion that the S3528 on the DCN side was not actively sending ARP requests. A later test on the S3528 itself, clearing its ARP table (reset arp), showed that it did send an ARP request. The problem was then traced to hot standby.
Inspection showed that the nat server global addresses on the two firewalls were configured to the same addresses.
USG5320 master
nat server 0 zone untrust global 111.113.42.246 inside 192.168.41.10
nat server 1 zone untrust global 111.113.42.247 inside 192.168.41.20
nat server 2 zone untrust global 111.113.42.248 inside 192.168.41.30
nat server 3 zone softswitch global 10.68.146.246 inside 192.168.41.10
nat server 4 zone softswitch global 10.68.146.247 inside 192.168.41.20
nat server 5 zone softswitch global 10.68.146.248 inside 192.168.41.30
nat server 6 zone iad global 172.16.80.246 inside 192.168.41.10
nat server 7 zone iad global 172.168.80.247 inside 192.168.41.20
nat server 8 zone iad global 172.168.80.248 inside 192.168.41.30
nat server 9 zone dcn global 10.235.120.211 inside 192.168.41.10
nat server 10 zone dcn global 10.235.120.212 inside 192.168.41.20
nat server 11 zone dcn global 10.235.120.213 inside 192.168.41.30
USG5320 slave
nat server 0 zone untrust global 111.113.42.246 inside 192.168.41.10
nat server 1 zone untrust global 111.113.42.247 inside 192.168.41.20
nat server 2 zone untrust global 111.113.42.248 inside 192.168.41.30
nat server 3 zone softswitch global 10.68.146.246 inside 192.168.41.10
nat server 4 zone softswitch global 10.68.146.247 inside 192.168.41.20
nat server 5 zone softswitch global 10.68.146.248 inside 192.168.41.30
nat server 6 zone iad global 172.16.80.246 inside 192.168.41.10
nat server 7 zone iad global 172.168.80.247 inside 192.168.41.20
nat server 8 zone iad global 172.168.80.248 inside 192.168.41.30
nat server 9 zone dcn global 10.235.120.211 inside 192.168.41.10
nat server 10 zone dcn global 10.235.120.212 inside 192.168.41.20
nat server 11 zone dcn global 10.235.120.213 inside 192.168.41.30

There was also no vrrp vrid configuration, which resulted in ARP conflicts on the S3528.
The configuration was modified: VRRP was configured on the interfaces, and the nat server entries were then also configured with vrrp vrid.
Each server has two network cards, and the requirement was for nat server to map the same global address to different intranet NICs: to the host address 192.168.41.10 normally, and to the other NIC address 192.168.41.11 after an active/standby switchover. This cannot be realized, so the mapping was changed to correspond to a single address.

The modified configuration is in the attachment.
Root Cause
The peer device S3528 does not actively send ARP requests.
The nat server is not configured with vrrp vrid.
Suggestions
When setting up dual hot standby, remember to configure vrrp vrid on the nat server entries, and pay attention to the server dual-NIC problem.
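The check suggested above can be automated. The following is an added example, not part of the original case or of Huawei's tooling: a Python audit that compares the nat server entries of the two firewalls and reports global addresses that lack a vrrp vrid binding or that map to different inside addresses (the dual-NIC case). The trailing "vrrp <vrid>" token on a nat server line is an assumed syntax, since the modified configuration is only in the attachment, and the sample configurations are constructed.

```python
import re

# Matches the nat server lines shown on this page; the optional trailing
# "vrrp <vrid>" token is an ASSUMED syntax for the VRRP binding.
NAT_RE = re.compile(
    r"^nat server (?P<id>\d+) zone (?P<zone>\S+) global (?P<glob>\S+)"
    r" inside (?P<inside>\S+)(?: vrrp (?P<vrid>\d+))?\s*$"
)

def parse_nat_servers(config):
    """Return {(zone, global_ip): (inside_ip, vrid or None)} for one device."""
    entries = {}
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            entries[(m["zone"], m["glob"])] = (m["inside"], m["vrid"])
    return entries

def audit_pair(master_cfg, slave_cfg):
    """List findings for global addresses configured on both firewalls."""
    master, slave = parse_nat_servers(master_cfg), parse_nat_servers(slave_cfg)
    findings = []
    for zone, glob in sorted(master.keys() & slave.keys()):
        (m_in, m_vrid) = master[(zone, glob)]
        (s_in, s_vrid) = slave[(zone, glob)]
        if m_vrid is None or s_vrid is None:
            findings.append((zone, glob, "no vrrp vrid binding (ARP conflict)"))
        elif m_vrid != s_vrid:
            findings.append((zone, glob, "vrid mismatch between devices"))
        if m_in != s_in:
            findings.append((zone, glob, "inside address differs between devices"))
    return findings

# Constructed sample input, reusing two entries from the listings above.
MASTER = """\
nat server 9 zone dcn global 10.235.120.211 inside 192.168.41.10
nat server 10 zone dcn global 10.235.120.212 inside 192.168.41.20 vrrp 1
"""
SLAVE = """\
nat server 9 zone dcn global 10.235.120.211 inside 192.168.41.11
nat server 10 zone dcn global 10.235.120.212 inside 192.168.41.20 vrrp 1
"""

if __name__ == "__main__":
    for zone, glob, problem in audit_pair(MASTER, SLAVE):
        print(f"{zone} {glob}: {problem}")
```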