Directly Connected Hot Standby Devices Cannot Communicate

Publication Date: 2015-10-13
Issue Description
After hot standby (HRP with VRRP) is configured, intranet users cannot access the Internet. FW1 also cannot ping the intranet-side address on the VRRP interface (in this example 192.168.2.253, which is the Vlanif1 address of the downstream switch SW1).

Handling Process
Step 1 Check interface configurations.

Check the configuration of GE0/0/2 on FW1.

interface GigabitEthernet0/0/2
ip address 192.168.3.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.2.254 255.255.255.252 master

Check the configuration of GE0/0/2 on FW2.

interface GigabitEthernet0/0/2
ip address 192.168.3.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.2.254 255.255.255.252 slave

Step 2 Check ARP entries.

Ping 192.168.2.253 from FW1. The request times out.

HRP_M[USG2200]ping 192.168.2.253
12:51:51  2015/03/31
PING 192.168.2.253: 56  data bytes, press CTRL_C to break

Request time out
Request time out
Request time out
Request time out
Request time out

--- 192.168.2.253 ping statistics ---

5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
View ARP entries on FW1. The dynamic ARP entry for the peer 192.168.2.253 is present and points to GE0/0/2, so address resolution on the firewall side is correct.

HRP_M[USG2200] display arp interface GigabitEthernet 0/0/2
13:23:48  2015/03/31
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------------
192.168.3.2     0000-002a-b302            I           GE0/0/2
192.168.2.253   4c1f-ccfa-35ef  19        D           GE0/0/2
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

View ARP entries on the switch SW1. 192.168.2.253 is SW1's own Vlanif1 address (type I), and the dynamic entry for the firewall's virtual IP address 192.168.2.254 resolves to the VRRP virtual MAC address 0000-5e00-0101, not to the physical MAC address of GE0/0/2 on FW1.

[SW1-Vlanif1]display arp interface Vlanif 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE  VLAN
------------------------------------------------------------------------------
192.168.2.253   4c1f-ccfa-35ef            I -  Vlanif1
192.168.2.254   0000-5e00-0101  18        D-0  GE0/0/1                      1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1

Step 3 Capture packets on the firewall.

Capture packets on FW1 while the ping is running.

[Packet capture on FW1 during the ping]

The capture shows that the sent and received ping packets carry different MAC addresses. The ICMP echo request leaves FW1 with the real interface MAC address 0000-002a-b202 as its source MAC, whereas the echo reply from the switch is addressed to the VRRP virtual MAC address 0000-5e00-0101. Because the reply does not match the session created for the request, the firewall discards it.
Root Cause
Packets that the firewall itself originates are encapsulated with the physical MAC address of the interface, but the interface IP address (192.168.3.2/24) and the VRRP virtual IP address (192.168.2.254/30) are in different network segments. When the switch replies to 192.168.3.2, the matching route in its routing table has the firewall's virtual IP address as the next hop, so the switch sends the reply to the MAC address it has learned for that next hop, which is the VRRP virtual MAC address. The reply therefore arrives on the virtual MAC address while the session was created for a request sent from the physical MAC address; the firewall cannot match the reply to any session table entry and discards it.
Solution
Enable the virtual MAC function on the VRRP interface (GE0/0/2 in this example).

interface GigabitEthernet0/0/2
vrrp virtual-mac enable
Suggestions
When the real interface IP address and the VRRP virtual IP address are in different network segments, enable the virtual MAC function. The firewall then uses the virtual MAC address as the source MAC address of packets it originates (such as ping), so replies that the peer routes via the virtual IP address come back to the MAC address the firewall expects.
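The condition described in Step 1 and in the suggestion above (virtual IP outside the interface's own subnet, with no `vrrp virtual-mac enable`) can be checked mechanically. The following script is an added example and is not code from the original article or from Huawei: it parses interface stanzas written in the syntax shown in Step 1, flags the pitfall, and derives the VRRP virtual MAC address for a VRID so the switch's ARP entry (0000-5e00-0101 for VRID 1) can be recognised. The configuration snippets are constructed from the FW1 stanza; the `parse_interfaces`, `vrrp_virtual_mac` and `find_virtual_mac_gaps` names are the example's own.

```python
"""Lint Huawei-style VRRP interface configs for the real/virtual MAC pitfall.

Added example, not part of the original knowledge-base article. It assumes
the command syntax matches the stanzas shown in Step 1 of the article.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the article's FW1 stanza: the problematic configuration.
FW1_BEFORE = """\
interface GigabitEthernet0/0/2
 ip address 192.168.3.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.2.254 255.255.255.252 master
#
"""

# Same stanza with the article's fix applied (constructed).
FW1_FIXED = """\
interface GigabitEthernet0/0/2
 ip address 192.168.3.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.2.254 255.255.255.252 master
 vrrp virtual-mac enable
#
"""

# Constructed control case: virtual IP inside the interface subnet, no fix needed.
SAME_SEGMENT = """\
interface GigabitEthernet0/0/2
 ip address 192.168.2.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.2.254 master
#
"""


@dataclass
class VrrpInterface:
    name: str
    address: Optional[ipaddress.IPv4Interface] = None
    virtual_ips: List[Tuple[int, ipaddress.IPv4Address]] = field(default_factory=list)
    virtual_mac_enabled: bool = False


def parse_interfaces(config: str) -> List[VrrpInterface]:
    """Split a running-config into interface stanzas and extract the fields we need."""
    interfaces: List[VrrpInterface] = []
    current: Optional[VrrpInterface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = VrrpInterface(name=m.group(1))
            interfaces.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"ip address\s+(\S+)\s+(\S+)", line)
        if m:
            # IPv4Interface accepts the dotted-mask form "a.b.c.d/m.m.m.m".
            current.address = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"vrrp vrid\s+(\d+)\s+virtual-ip\s+(\S+)", line)
        if m:
            current.virtual_ips.append((int(m.group(1)), ipaddress.IPv4Address(m.group(2))))
            continue
        if line == "vrrp virtual-mac enable":
            current.virtual_mac_enabled = True
    return interfaces


def vrrp_virtual_mac(vrid: int) -> str:
    """RFC 3768 virtual MAC 00-00-5e-00-01-{VRID}, in the xxxx-xxxx-xxxx notation
    used by the ARP tables in the article."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    hexstr = "".join(f"{o:02x}" for o in (0x00, 0x00, 0x5E, 0x00, 0x01, vrid))
    return f"{hexstr[0:4]}-{hexstr[4:8]}-{hexstr[8:12]}"


def find_virtual_mac_gaps(config: str) -> List[str]:
    """One finding per VRRP interface whose virtual IP lies outside the interface
    subnet while 'vrrp virtual-mac enable' is absent."""
    findings: List[str] = []
    for itf in parse_interfaces(config):
        if itf.address is None or not itf.virtual_ips or itf.virtual_mac_enabled:
            continue
        for vrid, vip in itf.virtual_ips:
            if vip not in itf.address.network:
                findings.append(
                    f"{itf.name}: virtual IP {vip} (vrid {vrid}, virtual MAC "
                    f"{vrrp_virtual_mac(vrid)}) is outside {itf.address.network}; "
                    f"add 'vrrp virtual-mac enable'"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("FW1 before", FW1_BEFORE), ("FW1 fixed", FW1_FIXED)):
        print(label, find_virtual_mac_gaps(cfg) or "no findings")
```

Run it against `display current-configuration` output saved to a file and it reports every VRRP interface that needs the fix; the virtual MAC it prints is the address you should expect to see in the peer switch's ARP table for the virtual IP.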

END