The Virtual Address of the Firewalls Could Not Be Pinged Because the MAC Address Was Incorrect

Publication Date:  2015-07-03
Issue Description
Network Topology:

Two USGs were deployed in active/standby mode, with FW-A as the active device and FW-B as the standby. A PC connected to the switch could ping the physical IP addresses of the USG interfaces but not the virtual IP address. In the reverse direction, a ping from the USG to the PC succeeded when sourced from the physical address of the interface but failed when sourced from the virtual address.

Figure 4-7 Networking diagram

Handling Process
1. Port mirroring was configured on SW5300_A so that the traffic on its interfaces connected to FW-A and SW5300_B was mirrored to the interface connected to the PC, where the packets were captured. The PC received only ARP requests: it saw no ARP replies and no packets carrying a VLAN tag. The capture in Figure 4-8 shows that no ARP reply from FW-A reached the PC.

Figure 4-8 Analysis of the packets on the switch

2. The debugging output on FW-A showed that FW-A was answering the ARP requests, yet the PC received no ARP reply. The statistics on the FW-A interface connected to SW5300_A and on the SW5300_A interfaces showed that the FW-A interface sent a unicast packet and the SW5300_A interface received a unicast packet. Only ARP and VRRP traffic was present on the network at the time; ARP requests are broadcast and VRRP advertisements are multicast, so the only unicast packet in play was the ARP reply. FW-A therefore replied to the ARP requests, but SW5300_A did not forward the replies to the PC.

3. After the SW5300 switches were removed from the path, the ping to the virtual IP address succeeded. This confirmed that the ARP replies were being discarded by the SW5300 switches.

4. FW-A sent and received the packets on subinterfaces, so the frames carried an 802.1Q VLAN tag. The network adapter of the PC could not process VLAN-tagged frames, so the mirrored replies never reached the capture software. A NIC that strips or drops tagged frames is a common reason for packets to appear "missing" from a mirrored capture, and should be ruled out before concluding that a device did not send them.

5. The firewall was reconfigured to send and receive the packets on its physical interfaces (untagged) instead of on subinterfaces. The packets were then captured successfully, as shown in Figure 4-9.

Figure 4-9 Captured firewall packets

Three copies of each broadcast packet were received (the original plus two mirrored copies); two copies of the ICMP requests sent to FW-A and of the ICMP replies sent by FW-A (the original plus the copy mirrored from the interface connected to FW-A); but only one copy of each ARP reply, namely the copy mirrored from the interface connected to FW-A.

In other words, FW-A replied to the ARP requests, but SW5300_A did not forward the replies to the PC; the single copy the PC did receive came only from the mirror.

Comparing the two MAC fields of the ARP reply explained why: the sender hardware address inside the ARP payload was the VRRP virtual MAC address, while the source MAC address in the Ethernet header was the physical MAC address of the FW-A interface.

SW5300 dropped ARP replies whose ARP sender hardware address differed from the Ethernet source MAC address. This is a known issue on the SW5300, and a patch is available to fix it. Note that such a mismatch is inherent to the way this VRRP setup answers for the virtual address: the ARP payload must advertise the virtual MAC (00-00-5E-00-01-VRID in standard VRRP) so that hosts keep a valid ARP entry after a failover, whereas the frame itself was sent with the physical MAC of the active interface. Any switch or host that insists on the two fields being identical will break address resolution for the virtual IP, so when a virtual address is unreachable while the physical address answers, comparing these two fields in a capture is the first check to make.
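To make the comparison described in steps 4 and 5 and in the analysis above repeatable, the following is an added example (not part of the original case and not Huawei code) that parses an Ethernet/ARP frame, with or without an 802.1Q tag, and flags ARP replies whose Ethernet source MAC differs from the ARP sender hardware address. All MAC addresses, IP addresses, the VRID and the frames themselves are constructed for illustration; the virtual MAC format 00-00-5E-00-01-VRID is the standard VRRP one (RFC 3768), and whether a given USG uses it depends on its configuration.

```python
"""Flag ARP replies whose Ethernet source MAC != ARP sender hardware address.

Added example for this troubleshooting case; not Huawei's code. All
addresses and frames below are constructed sample data.
"""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_OP_REQUEST = 1
ARP_OP_REPLY = 2
# Standard VRRP virtual MAC prefix (RFC 3768): 00-00-5E-00-01-<VRID>
VRRP_VMAC_PREFIX = bytes.fromhex("00005e0001")


def mac_to_str(mac: bytes) -> str:
    """Render a MAC in the xxxx-xxxx-xxxx style used on Huawei devices."""
    h = mac.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def vrrp_virtual_mac(vrid: int) -> bytes:
    """Virtual MAC for a VRRP group (VRID 1..255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return VRRP_VMAC_PREFIX + bytes([vrid])


def build_arp_frame(op, eth_src, sender_mac, sender_ip, target_mac, target_ip,
                    vlan=None, eth_dst=None) -> bytes:
    """Build an Ethernet(+optional 802.1Q)/ARP frame; used only to make sample captures."""
    if eth_dst is None:
        eth_dst = b"\xff" * 6 if op == ARP_OP_REQUEST else target_mac
    frame = eth_dst + eth_src
    if vlan is not None:  # tagged frame, as sent from a subinterface
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_ARP)
    frame += struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                         sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                         target_mac, ipaddress.IPv4Address(target_ip).packed)
    return frame


def parse_arp_frame(frame: bytes) -> dict:
    """Parse the Ethernet header (handling an 802.1Q tag) and the ARP payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    if len(frame) < offset + 28:
        raise ValueError("truncated ARP payload")
    (htype, ptype, hlen, plen, op, sender_mac, sender_ip,
     target_mac, target_ip) = struct.unpack("!HHBBH6s4s6s4s", frame[offset:offset + 28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"vlan": vlan, "eth_src": eth_src, "eth_dst": eth_dst, "op": op,
            "sender_mac": sender_mac, "sender_ip": str(ipaddress.IPv4Address(sender_ip)),
            "target_mac": target_mac, "target_ip": str(ipaddress.IPv4Address(target_ip))}


def check_arp_reply(frame: bytes):
    """For an ARP reply, compare Ethernet source MAC with ARP sender MAC.

    Returns a finding dict for replies and None for anything that is not a reply.
    """
    info = parse_arp_frame(frame)
    if info["op"] != ARP_OP_REPLY:
        return None
    return {"vlan": info["vlan"],
            "sender_ip": info["sender_ip"],
            "eth_src": mac_to_str(info["eth_src"]),
            "arp_sender_mac": mac_to_str(info["sender_mac"]),
            "mismatch": info["eth_src"] != info["sender_mac"],
            "sender_is_vrrp_vmac": info["sender_mac"][:5] == VRRP_VMAC_PREFIX}


# Constructed sample data (not from the case): a Huawei-OUI physical MAC,
# the VRRP virtual MAC for VRID 1, and a PC on the same subnet.
PHYSICAL_MAC = bytes.fromhex("00e0fc112233")
VMAC = vrrp_virtual_mac(1)
PC_MAC = bytes.fromhex("001122334455")
VIP, PHYS_IP, PC_IP = "192.168.1.1", "192.168.1.2", "192.168.1.100"

# Reply for the virtual IP as seen in the case: Ethernet src = physical, ARP sender = virtual.
REPLY_FROM_VIP = build_arp_frame(ARP_OP_REPLY, PHYSICAL_MAC, VMAC, VIP, PC_MAC, PC_IP)
# The same reply as it would leave a subinterface, tagged with VLAN 10.
REPLY_FROM_VIP_TAGGED = build_arp_frame(ARP_OP_REPLY, PHYSICAL_MAC, VMAC, VIP, PC_MAC, PC_IP, vlan=10)
# Reply for the physical IP: both MAC fields agree, which the switch forwarded.
REPLY_FROM_PHYS = build_arp_frame(ARP_OP_REPLY, PHYSICAL_MAC, PHYSICAL_MAC, PHYS_IP, PC_MAC, PC_IP)

if __name__ == "__main__":
    for f in (REPLY_FROM_VIP, REPLY_FROM_VIP_TAGGED, REPLY_FROM_PHYS):
        print(check_arp_reply(f))
```

Running the script prints one finding per sample reply; the two replies for the virtual IP are reported with `mismatch` set and the sender MAC recognised as a VRRP virtual MAC, while the reply for the physical IP is clean. In practice the frames would come from a pcap written by the capture tool on the PC, and the `vlan` field being `None` for every frame is itself a hint that the capturing NIC stripped the tags.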