MAC address binding causes the server not accessible

Publication Date:  2013-08-31 Views:  177 Downloads:  0
Issue Description

As diagram depicts above, USG2200 access ISP1 and ISP2.  ISP1 is the primary link, and ISP2 is stand-by. The problem is that when the primary link is down, client cannot access server 40.x.x.69 through ISP2.
Alarm Information
Handling Process
1. Check the policy between internal and ISP2, there is no rule to filter 40.x.x.69;
2. There are two primary route and stand-by route. If ISP1 link is down, the route via ISP2 will be effective.
 ip route-static 41.x.x.65
 ip route-static 39.x.x.49 preference 100
3. Shutdown the link between USG2200 and ISP1, and then trace the route from USG2200 to serve 40.x.x.69, the result is as below:

The trace log shows that the packets arrvied ISP1, which indicates that the route between ISP1 and ISP2 has no problem.
4. Checking configuration on USG2200, found abnormal configuration for 40.x.x.69:
firewall mac-binding 41.x.x.69 0006-xxxx-fc97 
Because of the MAC binding on USG2200, and 0006-xxxx-fc97 is MAC address of  ISP1 router. If packets reply from server to USG2200 via ISP2, the MAC address will be changed by ISP2. And the packets will be dropped on USG2200 because the MAC address which has been changed by ISP2 router cannot match the MAC binding on USG2200  
 5. Confirm with customer that the MAC biding configured before, but it's not updated when network is changed.
Root Cause
This problem may be the following reasons:
1. The policy interzone is incorrect
2. The route configuration on USG2200 is wrong
3. The route between ISP1 and ISP2 is not right
4. Incorrect configuration on USG2200
1. When there are multi-link to internet, better not to configure mac binding;
2. When network changes, the configuration should be checked and updated.