How to Fix a NAT ARP Issue Based on HRP and VFW

Publication Date: 2013-03-19
Issue Description
The customer has problems configuring virtual server static NAT over VRRP interfaces.
The customer has two Eudemon 1000E-X firewalls configured in dual-system hot backup mode, with HRP and VRRP backup groups on each interface.
The problem is that when we configure any NAT on those interfaces, each firewall sends an ARP reply claiming that the IP belongs to it. The computers behind the firewalls therefore receive ARP replies carrying the physical MAC address of each firewall, instead of a single reply from the firewall in active mode carrying the MAC address of the virtual IP.
The customer has checked that the VRRP instance is working correctly and that the firewalls are in active and standby mode as configured.
Alarm Information
As below


Handling Process
The VRRP virtual IP 194.30.84.5 is configured on the interface as follows:
interface GigabitEthernet0/0/7.1
vlan-type dot1q 8
alias OutsideVirtualFW1
ip binding vpn-instance virtualfw1
ip address x.x.x.x x.x.x.x
vrrp vrid 6 virtual-ip x.x.x.x slave
vrrp vrid 6 authentication-mode simple versia
ipsec policy versia_ipsec auto-neg
#

The NAT servers were then configured as follows:

nat server 11 vpn-instance virtualfw1 zone untrust protocol tcp global x.x.x.x any inside x.x.x.x any vpn-instance virtualfw1
nat server 12 vpn-instance virtualfw1 zone untrust protocol tcp global x.x.x.x any inside x.x.x.x any vpn-instance virtualfw1
nat server 13 vpn-instance virtualfw1 zone untrust protocol tcp global x.x.x.x any inside x.x.x.x any vpn-instance virtualfw1
nat server 65 vpn-instance virtualfw1 zone untrust protocol tcp global x.x.x.x any inside x.x.x.x any vpn-instance virtualfw1
…………………

Adding the VRRP VRID to each nat server command solves the issue:

nat server 11 vpn-instance virtualfw1 zone untrust protocol tcp global xx.x.x any inside xx.x.x any vrrp 6 vpn-instance virtualfw1
nat server 12 vpn-instance virtualfw1 zone untrust protocol tcp global xx.x.x any inside xx.x.x any vrrp 6 vpn-instance virtualfw1
nat server 13 vpn-instance virtualfw1 zone untrust protocol tcp global xx.x.x any inside xx.x.x any vrrp 6 vpn-instance virtualfw1
nat server 65 vpn-instance virtualfw1 zone untrust protocol tcp global xx.x.x any inside xx.x.x any vrrp 6 vpn-instance virtualfw1
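
A configuration audit that catches this misconfiguration before deployment, as an added example that is not Huawei's or the customer's code. It assumes the configuration has been exported as text and relies only on the command forms shown in this case (`vrrp vrid N virtual-ip` and `nat server ... vrrp N`); the sample configuration and its addresses are constructed.

```python
import re

# Constructed sample configuration (documentation addresses), modelled on the
# command forms shown in this case; it is not the customer's configuration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/7.1
 vlan-type dot1q 8
 ip binding vpn-instance virtualfw1
 ip address 192.0.2.2 255.255.255.0
 vrrp vrid 6 virtual-ip 192.0.2.1 slave
#
nat server 11 vpn-instance virtualfw1 zone untrust protocol tcp global 192.0.2.11 any inside 198.51.100.11 any vpn-instance virtualfw1
nat server 12 vpn-instance virtualfw1 zone untrust protocol tcp global 192.0.2.12 any inside 198.51.100.12 any vrrp 6 vpn-instance virtualfw1
nat server 13 vpn-instance virtualfw1 zone untrust protocol tcp global 192.0.2.13 any inside 198.51.100.13 any vrrp 9 vpn-instance virtualfw1
"""

VRID_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip\b")   # interface-level VRRP group
NAT_RE = re.compile(r"^\s*nat server (\d+)\b(.*)$")         # nat server <id> <rest>
NAT_VRRP_RE = re.compile(r"\bvrrp (\d+)\b")                 # binding inside a nat server line


def audit_nat_vrrp(config_text):
    """Return (nat_server_id, problem) for nat server lines not bound to a configured VRID."""
    lines = config_text.splitlines()
    vrids = {m.group(1) for line in lines if (m := VRID_RE.match(line))}
    findings = []
    for line in lines:
        nat = NAT_RE.match(line)
        if not nat:
            continue
        nat_id = int(nat.group(1))
        bound = NAT_VRRP_RE.search(nat.group(2))
        if bound is None:
            # An unbound nat server only matters when VRRP groups exist:
            # that is the case where both firewalls answer ARP for the global IP.
            if vrids:
                findings.append((nat_id, "no vrrp binding"))
        elif bound.group(1) not in vrids:
            findings.append((nat_id, f"vrrp {bound.group(1)} not configured on any interface"))
    return findings


if __name__ == "__main__":
    for nat_id, problem in audit_nat_vrrp(SAMPLE_CONFIG):
        print(f"nat server {nat_id}: {problem}")
```

The check does not verify that the bound VRID belongs to the interface facing the NAT zone; it only confirms that every nat server references a VRRP group that exists in the configuration.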

Root Cause
The NAT server configuration was not bound to the VRRP VRID, so both firewalls answered ARP requests for the NAT global addresses.
Suggestions
Null
