
Eudemon 300: NAT service interruption on the master firewall caused by a missing VRRP ID

Publication Date: 2012-10-25 Views: 37 Downloads: 0
Issue Description
An overseas office site reported that on an Eudemon 300 VRRP system the NAT service is interrupted after 20 to 30 minutes. The service could only be restored by resetting the system, and about 30 minutes after recovery it was interrupted again. The FL could only keep the service running by constantly switching between the two firewalls.
Alarm Information
none
Handling Process
Advised the FL to add the correct VRRP ID to every NAT address-group and NAT server configuration. After one day of observation the NAT service was no longer interrupted, and the problem was solved.
nat address-group 1 office 188.112.192.37 188.112.192.46 vrrp 250 vpn-instance office
nat server zone vpn-instance aaa_nat untrust protocol tcp global 188.112.192.13 www inside 10.77.5.71 www vrrp 32 vpn-instance aaa_nat
Root Cause
Inspection of the configuration on both firewalls showed that on the master firewall none of the NAT address-group and NAT server entries carried the VRRP parameter. For example:
nat address-group 1 office 188.112.192.37 188.112.192.46 vpn-instance office
nat server zone vpn-instance aaa_nat untrust protocol tcp global 188.112.192.13 www inside 10.77.5.71 www vpn-instance aaa_nat
In a VRRP system the peer device sends an ARP request for the NAT address. If the NAT entry does not carry a VRRP ID, the ARP reply is not restricted to the master firewall, and that is what caused the problem. An ARP request for the NAT address is only sent when the NAT address is in the same network segment as the interface; if it is in a different segment, the peer looks up its next hop and only sends an ARP request for the next-hop address, so no problem occurs.
Once the VRRP ID parameter is added, the firewall checks the master/backup relationship, and only the master sends the ARP reply.
Which VRRP ID to use is decided by the interface: find the interface whose address is in the same network segment as the NAT address and use that interface's VRRP ID. If the NAT address is not in the same network segment as any interface, no VRRP ID is needed. This is mainly to prevent incorrect ARP learning.
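The rule above (a NAT global address that is on-link with a VRRP interface must carry that interface's VRRP ID; an address that is reached via a next hop needs none) can be checked mechanically before a failover pair goes into service. The following audit script is an added example written for this case, not code from the original page or from Huawei. It parses a configuration dump, collects the subnet and VRID of every interface that has both an "ip address A MASK" line and a "vrrp vrid N" line (that interface syntax is assumed from common Huawei VRP practice; the NAT lines follow the case), and reports NAT address-group or NAT server entries whose global address is inside one of those subnets but lacks a matching "vrrp <id>". The sample configuration embedded in it is constructed; only the 188.112.192.x pool and the "vrrp 250" value come from the case.

```python
"""Audit a Eudemon-style configuration for NAT entries missing a VRRP ID.

Added example for this case (not Huawei's own tooling). Interface/vrrp line
syntax is assumed from common Huawei VRP practice; NAT lines follow the case.
"""
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
VRRP_PARAM = re.compile(r"\bvrrp (\d+)\b")

# Constructed sample: two VRRP interfaces, then four NAT entries with
# different outcomes (missing ID, correct ID, wrong ID, off-link pool).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 188.112.192.1 255.255.255.0
 vrrp vrid 250 virtual-ip 188.112.192.2
#
interface GigabitEthernet0/0/2
 ip address 203.0.113.1 255.255.255.0
 vrrp vrid 32 virtual-ip 203.0.113.2
#
nat address-group 1 office 188.112.192.37 188.112.192.46 vpn-instance office
nat address-group 2 office_ok 188.112.192.47 188.112.192.50 vrrp 250 vpn-instance office
nat server zone vpn-instance aaa_nat untrust protocol tcp global 203.0.113.13 www inside 10.77.5.71 www vrrp 250 vpn-instance aaa_nat
nat address-group 3 remote 198.51.100.10 198.51.100.20 vpn-instance office
"""


def parse_interfaces(config):
    """Return [(network, vrid)] for each interface block that has both an
    'ip address A MASK' line and a 'vrrp vrid N ...' line (assumed syntax)."""
    nets = []
    net, vrid = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "#":
            if net is not None and vrid is not None:  # close previous block
                nets.append((net, vrid))
            net, vrid = None, None
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("vrrp vrid "):
            vrid = int(line.split()[2])
    if net is not None and vrid is not None:
        nets.append((net, vrid))
    return nets


def nat_global_addresses(line):
    """Global-side addresses of a 'nat address-group' (pool start/end)
    or 'nat server' (token after 'global') line; [] for other lines."""
    tokens = line.split()
    if line.startswith("nat address-group"):
        return [t for t in tokens if IPV4.match(t)][:2]
    if line.startswith("nat server") and "global" in tokens:
        return [tokens[tokens.index("global") + 1]]
    return []


def vrid_for(addr, nets):
    """VRID of the interface whose subnet contains addr, or None if the
    address is not on-link (reached via a next hop, so no VRRP ID needed)."""
    ip = ipaddress.ip_address(addr)
    for net, vrid in nets:
        if ip in net:
            return vrid
    return None


def audit(config):
    """Return (line_no, line, message) for every NAT entry whose global
    address is on-link with a VRRP interface but carries no matching ID."""
    nets = parse_interfaces(config)
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        addrs = nat_global_addresses(line)
        if not addrs:
            continue
        expected = {vrid_for(a, nets) for a in addrs} - {None}
        if not expected:
            continue  # off-link: peer ARPs for its next hop, not for this address
        m = VRRP_PARAM.search(line)
        configured = int(m.group(1)) if m else None
        want = min(expected)
        if configured is None:
            findings.append((no, line, f"missing 'vrrp {want}'"))
        elif configured not in expected:
            findings.append((no, line, f"vrrp {configured} does not match interface VRID {want}"))
    return findings


if __name__ == "__main__":
    for no, line, msg in audit(SAMPLE_CONFIG):
        print(f"line {no}: {msg}\n    {line}")
```

Run against a saved "display current-configuration" dump, the script flags only the entries that match the failure pattern in this case: an on-link NAT address with no VRRP ID, or one whose ID belongs to a different interface. Pools that are not in any interface subnet are left alone, matching the rule that they need no VRRP ID.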
Suggestions
none