Service interruption caused by a NAT address pool configuration problem (address pool not bound to a VRRP group)

Publication Date:  2012-09-22 Views:  297 Downloads:  0
Issue Description
The network is as shown in the figure: two firewalls form a two-node hot-standby cluster that protects the internal network users' access to the external network. All internal users use private addresses that are translated by NAT on the firewalls before reaching the public network. The NAT address pool configured on the firewalls and the export (egress) interface address are in the same network segment. After the configuration was completed, all service traffic was found to flow to the standby device, which interrupted the service.
Alarm Information
None.
Handling Process
Step 1: check the VRRP state of the export interface on both firewalls.
Run the display vrrp interface command on the active firewall to check the VRRP state of the export interface; the output is as follows:
<Sysname> display vrrp interface Ethernet 0/0/0
Ethernet 0/0/0  |  Virtual Router 1
state          :   Master
Virtual IP     :   13.13.13.1
Virtual MAC    :   0000-5e00-0101
Primary IP     :   13.13.13.2
Config Prior   :   110
Run Prior      :   110
Preempt        :   YES   Delay Time : 0
Timer          :   1
Auth type      :   NONE
Run the display vrrp interface command on the standby firewall to check the VRRP state of the export interface; the output is as follows:
<Sysname> display vrrp interface Ethernet 0/0/0
Ethernet 0/0/0  |  Virtual Router 1
state          :   Slave
Virtual IP     :   13.13.13.1
Virtual MAC    :   0000-5e00-0101
Primary IP     :   13.13.13.3
Config Prior   :   100
Run Prior      :   100
Preempt        :   YES   Delay Time : 0
Timer          :   1
Auth type      :   NONE
The output above shows that the VRRP configuration on the export interface of both firewalls is correct, so reason 1 is excluded.
Step 2: check the address pool configuration.
Check the address pool configuration on the active firewall; it is as follows:
[Sysname] nat address-group 1 13.13.13.4 13.13.13.10 vrrp 10
The address pool configuration on the active firewall is correct.
Check the address pool configuration on the standby firewall; it is as follows:
[Sysname] nat address-group 1 13.13.13.4 13.13.13.10
The configuration above shows the cause: the address pool on the standby firewall is not bound to the VRRP backup group number.
Step 3: run the command nat address-group 1 13.13.13.4 13.13.13.10 vrrp 10 on the standby firewall. After testing, the fault is cleared.

Root Cause
Because the standby device attracts the service traffic to itself in the network, the most likely cause is a VRRP configuration problem. The possible causes are as follows:
Reason 1: a VRRP configuration problem on the export interface of the two firewalls.
Reason 2: the address pool on the two firewalls is not bound to a VRRP group.
Suggestions
The network service fault occurs because the NAT address pool on the firewall is not configured with a VRRP ID. As a result, both the active and the standby firewall respond to ARP requests from external devices, so an external device may learn the ARP entry for a NAT address from the standby firewall and mistakenly send packets to the standby firewall. The detailed communication process is as follows:
1. An external device sends an ARP request for an address in the NAT address pool. The request is a broadcast and is forwarded to both the active and the standby firewall by the switch or other intermediate device.
2. If the addresses in the address pool and the export interface address are in different network segments, an external user accessing a pool address reaches it through the routing table, and the address pool does not take the VRRP ID parameter.
3. Because the active and the standby firewall are configured with the same NAT address pool, and the pool on the standby firewall is not configured with the VRRP ID parameter, both firewalls process the ARP request from the external device and both send an ARP reply.
4. If the external device receives the ARP reply from the active firewall before the reply from the standby firewall, its ARP entry ends up pointing at the standby firewall (normally it should learn the entry from the active firewall's reply). Service packets from the external device to the NAT address are then sent to the standby firewall, whose export interface is in the standby VRRP state and cannot forward them. The service is interrupted.
The following situation is also possible:
If the external device receives the ARP reply from the standby firewall before the reply from the active firewall, its ARP entry points at the active firewall and service traffic flows normally. However, the ARP entry is refreshed after a while, and the fault described in this case then appears. Therefore, the VRRP ID must be configured on both the active and the standby firewall when the address pool is configured.
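To make the failure mode concrete, the following is an added model of the ARP exchange described above and of the configuration check from Step 2; it is constructed for this page and is not Huawei code. It assumes a simplified "last ARP reply overwrites the cache" rule for the external host, that a pool bound to a VRRP group is answered only by that group's Master, and that the active firewall is Master of both the export interface group (1) and the group the pool is bound to (10). The device names and MACs are made up; the addresses and configuration lines are the ones from the case.

```python
"""Model of the NAT address-pool / VRRP interaction described in this case.

Constructed example (not vendor code): two firewalls, an external host,
and a simplified ARP exchange.  Device names and MACs are invented; the
13.13.13.x addresses and the 'nat address-group' lines come from the case.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical parser for the form shown in the case:
#   nat address-group <id> <start> <end> [vrrp <group>]
_POOL_RE = re.compile(
    r"nat address-group\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+vrrp\s+(\d+))?"
)


@dataclass
class Firewall:
    name: str
    mac: str
    vrrp_state: dict                               # {group_id: "Master" | "Slave"}
    pools: dict = field(default_factory=dict)      # {pool_id: (start, end, group|None)}

    def load_pool(self, config_line):
        """Parse one 'nat address-group' line into the pool table."""
        m = _POOL_RE.search(config_line)
        if not m:
            raise ValueError(f"unrecognised line: {config_line!r}")
        pool_id, start, end, group = m.groups()
        self.pools[int(pool_id)] = (
            ipaddress.ip_address(start),
            ipaddress.ip_address(end),
            int(group) if group else None,
        )

    def answers_arp_for(self, ip):
        """Whether this firewall replies to an ARP request for a pool address.

        A pool bound to a VRRP group is answered only while this device is
        Master of that group; an unbound pool is answered unconditionally,
        which is exactly the misconfiguration in the case.
        """
        ip = ipaddress.ip_address(ip)
        for start, end, group in self.pools.values():
            if start <= ip <= end:
                return True if group is None else self.vrrp_state.get(group) == "Master"
        return False

    def forwards(self, export_group):
        """Only the VRRP Master of the export interface forwards traffic."""
        return self.vrrp_state.get(export_group) == "Master"


def unbound_pools(fw):
    """Audit check: pool ids on `fw` that carry no 'vrrp <group>' binding."""
    return sorted(pid for pid, (_, _, g) in fw.pools.items() if g is None)


def resolve(reply_order, target_ip):
    """Simulate the external host learning the MAC for `target_ip`.

    `reply_order` lists the firewalls in the order their ARP replies reach
    the host; the last reply wins because the host overwrites its cache.
    Returns the firewall whose MAC ends up cached, or None.
    """
    learned = None
    for fw in reply_order:
        if fw.answers_arp_for(target_ip):
            learned = fw
    return learned


def service_ok(learned_fw, export_group=1):
    """Traffic to the cached MAC succeeds only if that device is export Master."""
    return learned_fw is not None and learned_fw.forwards(export_group)


def run_scenario(standby_pool_line):
    """Run both ARP reply orderings against a given standby pool config."""
    active = Firewall("active", "0000-0000-0001", {1: "Master", 10: "Master"})
    standby = Firewall("standby", "0000-0000-0002", {1: "Slave", 10: "Slave"})
    active.load_pool("nat address-group 1 13.13.13.4 13.13.13.10 vrrp 10")
    standby.load_pool(standby_pool_line)
    results = {}
    for label, order in (("active-first", [active, standby]),
                         ("standby-first", [standby, active])):
        results[label] = service_ok(resolve(order, "13.13.13.5"))
    results["standby_unbound_pools"] = unbound_pools(standby)
    return results


if __name__ == "__main__":
    print("standby pool without vrrp:", run_scenario("nat address-group 1 13.13.13.4 13.13.13.10"))
    print("standby pool with vrrp 10:", run_scenario("nat address-group 1 13.13.13.4 13.13.13.10 vrrp 10"))
```

With the unbound standby pool, the outcome depends purely on which ARP reply arrives last, which is why the fault appears intermittently and after an ARP refresh; with the pool bound to VRRP group 10 on both devices, only the Master answers and the ordering no longer matters. The `unbound_pools` check is the part worth running over both firewalls' configurations before such a cluster goes into service.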

END