When the server switches the virtual IP over to the slave, it cannot be pinged

Publication Date: 2018-02-28

Issue Description

Networking topology:

Server1 IP address is 192.168.254.208
Server2 IP address is 192.168.254.207
Virtual IP address is 192.168.254.215
PC1: 10.2.2.2

When the virtual IP is on Server1, the virtual IP can be pinged from PC1.

When the virtual IP is on Server2, it cannot be pinged from PC1 but can be pinged from the LSW. The ARP table is updated on the LSW; the new interface is 1/0/24.

Handling Process

1. The customer cannot ping the virtual server from PC1 when it is on the slave; the ARP table is updated on the LSW.
2. Check the ARP table on the gateway. The customer told us the gateway is on the firewall. We found that when the server switches over, the virtual IP's ARP entry cannot be learned.
3. Enable ARP debugging; it shows that the ARP packet is received.

4. But the ARP entry still cannot be learned. Check the FW log:
  %2018-01-15 18:04:03 Stafford-Firewall-Master %%01SEC/4/ATCKDF(l): AttackType="Arp spoof attack", slot="0", receive interface="Vlanif10 ", proto="ARP", src="192.168.254.215:0 ", dst="192.168.254.1:0 ", begin time="2018-01-15 18:03:34", end time="2018-01-15 18:03:34", total packets="1", max speed="0", User="", Action="discard".

5. Check the FW configuration: arp-spoofing defense is configured. With it enabled, the FW does not learn ARP entries from ARP packets that other devices send to the FW; it only allows the FW itself to send ARP to detect them.

6. Run undo firewall defend arp-spoofing enable; this solves the issue.

Root Cause

The arp-spoofing defense is configured, so the FW learns ARP entries only through ARP that it sends itself. In the scenario where the server sends the ARP packet, this causes the issue. This command needs to be disabled.
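To separate this failover case from other ARP spoofing alarms, the following added example (not part of the original case and not vendor code) parses log lines in the ATCKDF format shown in step 4 and reports discarded ARP packets whose source is a known virtual IP. The KNOWN_VIPS allow-list, the function names and the second and third sample lines are assumptions constructed for illustration.

```python
import re

# Addresses expected to move between hosts on failover (the page's virtual IP).
# This allow-list is an assumption of the example, maintained by the operator.
KNOWN_VIPS = {"192.168.254.215"}

# First entry is the log line from step 4; the other two are constructed samples.
SAMPLE_LOG = [
    '  %2018-01-15 18:04:03 Stafford-Firewall-Master %%01SEC/4/ATCKDF(l): AttackType="Arp spoof attack", slot="0", receive interface="Vlanif10 ", proto="ARP", src="192.168.254.215:0 ", dst="192.168.254.1:0 ", begin time="2018-01-15 18:03:34", end time="2018-01-15 18:03:34", total packets="1", max speed="0", User="", Action="discard".',
    '%2018-01-15 18:09:41 Stafford-Firewall-Master %%01SEC/4/ATCKDF(l): AttackType="Arp spoof attack", slot="0", receive interface="Vlanif10 ", proto="ARP", src="192.168.254.50:0 ", dst="192.168.254.1:0 ", begin time="2018-01-15 18:09:12", end time="2018-01-15 18:09:12", total packets="3", max speed="0", User="", Action="discard".',
    'unrelated line that is not an attack-defense record',
]

# %<date> <time> <hostname> %%01SEC/4/ATCKDF(l): key="value", key="value", ...
HEADER = re.compile(
    r'^\s*%(?P<ts>\S+ \S+) (?P<host>\S+) %%\d+SEC/\d+/ATCKDF\(\w\): (?P<body>.*)$')
FIELD = re.compile(r'(?P<key>[A-Za-z][A-Za-z ]*?)="(?P<val>[^"]*)"')


def parse_atckdf(line):
    """Return the fields of an ATCKDF log line as a dict, or None for other lines."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host")}
    for f in FIELD.finditer(m.group("body")):
        # Keys are lower-cased; values carry trailing spaces in the log, so strip them.
        rec[f.group("key").strip().lower()] = f.group("val").strip()
    return rec


def dropped_vip_arp(lines, vips=KNOWN_VIPS):
    """Yield records where ARP claiming a known virtual IP was discarded as spoofing."""
    for line in lines:
        rec = parse_atckdf(line)
        if not rec or rec.get("attacktype") != "Arp spoof attack":
            continue
        src_ip = rec.get("src", "").split(":")[0]  # the log prints src as "ip:port"
        if rec.get("action") == "discard" and src_ip in vips:
            rec["src_ip"] = src_ip
            yield rec


if __name__ == "__main__":
    for hit in dropped_vip_arp(SAMPLE_LOG):
        print(hit["timestamp"], hit["host"], hit["receive interface"], hit["src_ip"])
```

A hit means the firewall dropped an ARP packet for an address that is expected to move between servers; alarms for sources outside the allow-list are not reported by this check and still need normal investigation.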

Suggestions

undo firewall defend arp-spoofing enable