Replacing live-network equipment with a USG3000 causes services to fail because the ARP entries on the upstream equipment do not age out

Publication Date:  2012-09-22 Views:  226 Downloads:  0
Issue Description
After a USG3000 replaced the peer-vendor equipment in the live network:
The internal network cannot access the Internet;
The internal network can ping the internal and external interfaces of the USG3000 successfully, but cannot ping the upstream equipment of the USG3000;
The USG3000 can ping the upstream equipment.
Alarm Information
None.
Handling Process
After enabling the IP packet debugging switch (debugging ip packet acl xxxx), we can see that the USG3000 has sent the packets to the upstream equipment but the upstream equipment does not respond; the firewall has established the session, and NAT is working normally.
Configuring nat outbound in the local and untrust zones gives the same symptom.
Adding one of the address-pool IP addresses as a secondary (slave) IP address on the USG3000 makes the USG3000 send a gratuitous (free) ARP message for that IP address, which updates the ARP table of the upstream equipment, and service returns to normal.
Root Cause
The ARP table of the upstream equipment of the USG3000 does not age out, so the MAC address that corresponds to the NAT address-pool IP address is still the MAC address of the peer-vendor equipment; return traffic is therefore sent to the old MAC and services cannot pass.
Suggestions
When a USG firewall is used to replace live-network equipment and the internal network cannot ping the upstream equipment of the firewall, the cause may be that the upstream equipment has not updated its ARP table. We can use the command nat arp-gratuitous send to trigger the firewall to send gratuitous ARP messages for the NAT address pool and NAT server addresses, so that the upstream equipment updates its ARP table; alternatively, clear the ARP table on the upstream equipment, or run the command in the corresponding interface view of the firewall.
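As an added illustration, not part of the original case and not Huawei code, the following Python models the root cause and the fix described above: an upstream ARP table that never ages out keeps the NAT address-pool IP bound to the MAC of the replaced peer-vendor device until a gratuitous ARP from the USG3000 rewrites the entry. The IP address and the two MAC addresses are constructed sample values, and the ARP table is a simplified model of the RFC 826 "merge" behaviour that makes gratuitous ARP work, not a model of any specific vendor's implementation.

```python
import struct

# Constructed sample values (not taken from the original case): one NAT
# address-pool IP, the MAC of the replaced peer-vendor device and the MAC of
# the USG3000 that took over the same IP addresses.
NAT_POOL_IP = "203.0.113.10"
OLD_VENDOR_MAC = "00:11:22:33:44:55"
USG3000_MAC = "00:e0:fc:aa:bb:cc"

ARP_REQUEST = 1
ARP_HEADER = "!HHBBH"  # htype, ptype, hlen, plen, opcode (RFC 826)


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_gratuitous_arp(ip, mac):
    """Build the 28-byte ARP payload of a gratuitous ARP request: sender IP
    and target IP are both `ip`, the target MAC is all zeros."""
    header = struct.pack(ARP_HEADER, 1, 0x0800, 6, 4, ARP_REQUEST)
    return (header + mac_to_bytes(mac) + ip_to_bytes(ip)
            + b"\x00" * 6 + ip_to_bytes(ip))


def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload into its fields."""
    htype, ptype, hlen, plen, opcode = struct.unpack(ARP_HEADER, payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {
        "opcode": opcode,
        "sender_mac": bytes_to_mac(payload[8:14]),
        "sender_ip": bytes_to_ip(payload[14:18]),
        "target_mac": bytes_to_mac(payload[18:24]),
        "target_ip": bytes_to_ip(payload[24:28]),
    }


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own binding: sender IP == target IP."""
    return arp["sender_ip"] == arp["target_ip"]


class NoAgingArpTable:
    """Model of the upstream device's ARP cache in this case: entries are
    never aged out, so a stale binding persists until an ARP packet from the
    new owner of the IP address triggers the RFC 826 merge update."""

    def __init__(self):
        self.entries = {}

    def learn(self, ip, mac):
        self.entries[ip] = mac

    def process(self, payload):
        arp = parse_arp(payload)
        # RFC 826 merge step: if an entry for the sender IP already exists,
        # overwrite its MAC with the sender MAC.  This is the only path by
        # which a non-aging table ever replaces the peer-vendor MAC.
        if arp["sender_ip"] in self.entries:
            self.entries[arp["sender_ip"]] = arp["sender_mac"]
        return arp

    def next_hop_mac(self, ip):
        """MAC the upstream device would put on a frame destined to `ip`."""
        return self.entries.get(ip)


def stale_bindings(table, owned):
    """Compare the upstream table with the bindings the firewall actually owns
    (`owned`: ip -> mac) and return the IPs still mapped to a different MAC."""
    return sorted(ip for ip, mac in owned.items()
                  if table.next_hop_mac(ip) not in (None, mac))


def replay_case():
    """Reproduce the case: stale entry before the gratuitous ARP, corrected
    entry after it.  Returns (mac_before, mac_after)."""
    upstream = NoAgingArpTable()
    upstream.learn(NAT_POOL_IP, OLD_VENDOR_MAC)   # learned from the old device
    before = upstream.next_hop_mac(NAT_POOL_IP)   # return traffic goes to the old MAC
    upstream.process(build_gratuitous_arp(NAT_POOL_IP, USG3000_MAC))
    after = upstream.next_hop_mac(NAT_POOL_IP)    # entry now points at the USG3000
    return before, after
```

`stale_bindings` is the check worth doing before cutting traffic over during a replacement: compare the upstream device's ARP table with the interface, NAT address-pool and NAT server addresses the new firewall owns, and expect an empty list after the gratuitous ARP has been sent.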

END