Failing to Ping the Virtual Address of the Firewall Interface

Publication Date:  2013-05-17 Views:  202 Downloads:  0
Issue Description
The Eudemon 1000E-U/X is deployed in active/standby mode. FW_A is the active device. A user can ping the actual address of the Eudemon 1000E-U/X interface from a PC through a switch successfully, but fails to ping the virtual address of the interface. On the Eudemon 1000E-U/X, ping the PC while specifying the source address in the command. The actual address can be pinged successfully while the virtual address cannot be pinged. 
Alarm Information
None
Handling Process
1. Configure packet capture on the mirroring port of SW5300_A. Mirror the ports that are connected to FW_A and SW5300_B to the port that is connected to the PC, and capture packets on the PC. The packet capturing result shows that only ARP requests are available while ARP responses are unavailable. In addition, no packet with VLAN tags is captured.

2. The debugging information on FW_A shows that FW_A responded the ARP requests. No ARP response packet is captured. Statistics of the interconnected FW_A port and SW5300_A port show that, when an ARP request is sent, the FW_A port sends a unicast packet and the SW5300_A port receives a unicast packet. At this moment, only ARP and VRRP packets exist on the network. The ARP request packet is a broadcast packet and the VRRP packet is a multicast packet. It can be determined that FW_A has sent an ARP response packet. The downstream port of SW5300_A, however, did not count it.

3. Remove the SW5300, and directly connect a PC to FW_A. The virtual address can be pinged successfully. This means that the SW5300 discarded the ARP response packet.

4. FW_A communicates with the SW5300 through the sub-interface, which sends and receives packets with VLAN tags. The network adapter driver of the PC does not identify packets with VLAN tags, so no packets are captured.

5. Switch to the sub-interface of the firewall and test again. The test succeeds.
Analysis of the captured packets shows that three broadcast packets (from two mirroring ports and one original port) are captured, two ICMP request packets (from the mirroring FW_A port and the original port) to FW_A and two ICMP response packets from FW_A are captured, and only one ARP response packet (from the mirroring FW_A port) is captured.
The test succeeded because FW_A returned an ARP response packet. Though SW5300_A did not forward the packet to the PC, the PC still received the packet due to port mirroring.
Root Cause
None
Suggestions
None

END