Two E200 firewalls run VRRP and back each other up. When the network-side upstream port of the standby E200 firewall comes up, it always sends gratuitous ARP messages. As a result, the upper-layer routers learn the standby's IP and MAC address, and service on the downstream link is interrupted.
Add “vrrp VID” to the “nat address-group” command in the E200's NAT configuration:
nat address-group 1 22.214.171.124 126.96.36.199 vrrp VID
Packet analysis showed that when the standby E200's network-side port comes up, the interface sends a gratuitous ARP for its real IP address, and at the same time the NAT address pool in the same network segment as the interface also sends gratuitous ARP. The address 188.8.131.52 in the configured NAT address pool is the same as the virtual IP, so the upstream equipment learned the gratuitous ARP for the virtual IP. A check of the standby E200's configuration then showed that the VRRP parameter had not been included when the NAT address-group was configured. In a two-node hot-backup network, a NAT address pool must carry the corresponding VRRP ID: for an address pool bound to VRRP, only the master firewall sends gratuitous ARP; otherwise the standby firewall sends it as well.
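The check described above can be run over exported firewall configurations before a failover test. The following is an added example, not code from the original case or from the vendor: it flags every “nat address-group” line that lacks a binding to a configured VRRP group and lists any virtual IP that falls inside the pool. The sample configuration and its addresses are constructed, and the “vrrp vrid <id> virtual-ip <addr>” line format is an assumption.

```python
import ipaddress
import re

# Constructed sample standby configuration (not from the original case).
# The "vrrp vrid <id> virtual-ip <addr>" line format is an assumption.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 192.0.2.3 255.255.255.0
 vrrp vrid 1 virtual-ip 192.0.2.1
#
nat address-group 1 192.0.2.1 192.0.2.10
nat address-group 2 198.51.100.1 198.51.100.5 vrrp 1
nat address-group 3 203.0.113.1 203.0.113.5 vrrp 9
"""

VRRP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+)", re.M)
POOL_RE = re.compile(
    r"^\s*nat address-group (\d+) (\S+) (\S+)(?: vrrp (\d+))?\s*$", re.M)


def audit_nat_pools(config):
    """Return one finding per NAT pool not bound to a configured VRRP group."""
    virtual_ips = {ipaddress.ip_address(ip): int(vrid)
                   for vrid, ip in VRRP_RE.findall(config)}
    known_vrids = set(virtual_ips.values())
    findings = []
    for group, start, end, vrid in POOL_RE.findall(config):
        if vrid and int(vrid) in known_vrids:
            continue  # bound pool: only the VRRP master announces it
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # A virtual IP inside an unbound pool is the exact condition in this case.
        overlap = [str(ip) for ip in sorted(virtual_ips) if lo <= ip <= hi]
        issue = f"unknown vrid {vrid}" if vrid else "no vrrp binding"
        findings.append({"group": int(group), "issue": issue,
                         "virtual_ips_in_pool": overlap})
    return findings


if __name__ == "__main__":
    for finding in audit_nat_pools(SAMPLE_CONFIG):
        print(finding)
```

Run it against the configuration of both firewalls; a finding with a non-empty virtual_ips_in_pool list matches the fault described in this case.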