
Eudemon 300: NAT service interruption on the master firewall caused by NAT entries configured without a VRRP ID

Publication Date:  2012-10-25

Issue Description

An overseas office site reported that on an Eudemon 300 VRRP system the NAT service was interrupted after 20 to 30 minutes. Service could only be restored by resetting the system, and about 30 minutes after recovery it was interrupted again. The FL could only keep the service running by constantly switching between the firewalls.

Alarm Information


Handling Process

Instructed the FL to add the correct VRRP ID to every nat address-group and nat server configuration entry. After one day of observation the NAT service interruption did not recur, and the problem was solved. The corrected entries:
nat address-group 1 office vrrp 250 vpn-instance office
nat server zone vpn-instance aaa_nat untrust protocol tcp global www inside www vrrp 32 vpn-instance aaa_nat

Root Cause

Inspecting the configuration of both firewalls showed that on the master firewall none of the nat address-group and nat server entries carried the VRRP parameter. For example:
nat address-group 1 office vpn-instance office
nat server zone vpn-instance aaa_nat untrust protocol tcp global www inside www vpn-instance aaa_nat
In a VRRP setup, neighbouring devices send ARP requests for the NAT addresses. If the NAT entry carries no VRRP ID, the ARP reply is not tied to the VRRP master role, and that is what caused the problem. An ARP request for a NAT address is only sent when the NAT address is in the same network segment as the interface; if it is in a different segment, the requester resolves the next hop instead and only sends ARP requests for the next-hop address, so no problem occurs.
Once the VRRP ID parameter is configured, the firewall checks the master/backup relationship and only the master replies to the ARP request.
To decide which VRRP ID an entry should use, check which interface address is in the same network segment as the NAT address and use that interface's VRRP ID. If the NAT address is not in the same segment as any interface, no VRRP ID is needed. The purpose of this rule is to prevent neighbours from learning a wrong ARP entry.
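As an added example (not part of this case and not Huawei's own tooling), the following Python script applies the rule above to a constructed Eudemon-style configuration: it takes the VRRP ID of whichever interface shares a segment with each NAT global address, expects no VRRP ID for addresses reached via a next hop, and flags every nat address-group and nat server entry whose vrrp parameter is missing, unnecessary or wrong. The interface and NAT command syntax, the addresses and the vrrp vrid form are assumptions, not taken from the page.

```python
import ipaddress
import re

# Constructed sample in assumed Eudemon/VRP syntax (not from the case); documentation addresses.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0/1
 ip address 203.0.113.2 255.255.255.0
 vrrp vrid 250 virtual-ip 203.0.113.1
interface GigabitEthernet0/0/2
 ip address 198.51.100.2 255.255.255.0
 vrrp vrid 32 virtual-ip 198.51.100.1
nat address-group 1 203.0.113.10 203.0.113.20 vpn-instance office
nat address-group 2 198.51.100.10 198.51.100.20 vrrp 32 vpn-instance office
nat server zone untrust protocol tcp global 198.51.100.30 www inside 10.0.0.5 www vpn-instance aaa_nat
nat server zone untrust protocol tcp global 192.0.2.40 www inside 10.0.0.6 www vrrp 32 vpn-instance aaa_nat
"""
IP_ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
VRID_RE = re.compile(r"^\s*vrrp vrid (\d+)")
# group(1) is the NAT global (public-side) address in both NAT command forms
NAT_RE = re.compile(r"^nat (?:address-group \d+|server .*?global) (\d+\.\d+\.\d+\.\d+)")
VRRP_OPT_RE = re.compile(r"\bvrrp (\d+)\b")

def vrrp_segments(config):
    """Return [(subnet, vrid)] for every interface that runs a VRRP group."""
    segments, subnet = [], None
    for line in config.splitlines():
        if m := IP_ADDR_RE.match(line):
            subnet = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif (m := VRID_RE.match(line)) and subnet is not None:
            segments.append((subnet, int(m[1])))
    return segments

def expected_vrid(addr, segments):
    """VRID of the interface on the NAT address's segment, or None when it is reached via a next hop."""
    ip = ipaddress.ip_address(addr)
    return next((vrid for subnet, vrid in segments if ip in subnet), None)

def audit_nat_vrrp(config):
    """Return (command, expected_vrid, configured_vrid) for NAT entries whose vrrp parameter is wrong."""
    segments = vrrp_segments(config)
    findings = []
    for line in config.splitlines():
        if not (m := NAT_RE.match(line)):
            continue
        configured = int(opt[1]) if (opt := VRRP_OPT_RE.search(line)) else None
        expected = expected_vrid(m[1], segments)
        if expected != configured:  # missing, unnecessary or wrong VRRP group
            findings.append((line.strip(), expected, configured))
    return findings
```

On the sample, the audit reports the first address-group (needs vrrp 250), the first nat server (needs vrrp 32) and the last nat server (carries vrrp 32 although 192.0.2.40 is reached via a next hop).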