An overseas office site reported that on an Eudemon300 VRRP system the NAT service is interrupted after 20 to 30 minutes. The service can only be restored by resetting the system, but 30 minutes after recovery it is interrupted again. The FL can only keep the service up by constantly changing the firewall.
The FL was told to add the correct VRRP ID to all the NAT address and NAT Server configuration. After one day of observation the NAT service interruption had not happened again, and the problem was solved. The corrected configuration looks like this:
nat address-group 1 office 22.214.171.124 126.96.36.199 vrrp 250 vpn-instance office
nat server zone vpn-instance aaa_nat untrust protocol tcp global 188.8.131.52 www inside 10.77.5.71 www vrrp 32 vpn-instance aaa_nat
Inspecting the configuration of the two firewalls showed that on the master firewall the NAT address and NAT Server entries were all configured without the VRRP parameter, for example:
nat address-group 1 office 184.108.40.206 220.127.116.11 vpn-instance office
nat server zone vpn-instance aaa_nat untrust protocol tcp global 18.104.22.168 www inside 10.77.5.71 www vpn-instance aaa_nat
In a VRRP setup, ARP requests are sent for the NAT address. If the NAT configuration does not carry a VRRP ID, the master replies to the ARP request, and this is what caused the problem. ARP is requested for the NAT address only when the NAT address and the interface are in the same network segment. If they are not in the same segment, the next hop is looked up and only the next hop's ARP address is requested, so no problem occurs.
Once the VRRP ID parameter is configured, the master/slave relationship is checked and only the master can send the ARP response.
Which VRRP ID to use is decided per interface: find the interface whose address is in the same network segment as the NAT address and use that interface's VRRP ID. If no interface is in the same network segment, the VRRP ID is not needed. The main purpose is to avoid incorrect ARP learning.
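The selection rule above can be checked across a saved configuration. The following is an added example, not part of the original case and not a vendor tool: it flags nat address-group and nat server lines whose address lies in a VRRP interface segment but whose vrrp parameter is missing or different. The addresses, the VRRP_SEGMENTS table and the function names are constructed for illustration; the segment-to-VRRP-ID table is assumed to be filled in by hand from the interface configuration.

```python
import ipaddress

# Constructed inputs: documentation addresses and hypothetical VRRP IDs, not the
# site's real values. Interface segment -> VRRP ID configured on that interface.
VRRP_SEGMENTS = {"192.0.2.0/24": 250, "198.51.100.0/24": 32}

SAMPLE_CONFIG = """\
nat address-group 1 office 192.0.2.10 192.0.2.20 vpn-instance office
nat server zone vpn-instance aaa_nat untrust protocol tcp global 198.51.100.5 www inside 10.77.5.71 www vrrp 32 vpn-instance aaa_nat
nat server zone vpn-instance aaa_nat untrust protocol tcp global 203.0.113.9 www inside 10.77.5.72 www vpn-instance aaa_nat
nat address-group 2 branch 198.51.100.40 198.51.100.50 vrrp 250 vpn-instance office
"""

def _ipv4(token):
    """Return an IPv4Address for token, or None if it is not an address."""
    try:
        return ipaddress.IPv4Address(token)
    except ValueError:
        return None

def _value_after(tokens, keyword):
    """Return the token following keyword, or None if absent."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None

def audit_nat_vrrp(config_text, vrrp_segments):
    """Return (line_no, expected_vrid, found_vrid) for NAT lines that break the rule."""
    nets = {ipaddress.ip_network(n): v for n, v in vrrp_segments.items()}
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        t = line.split()
        if t[:2] == ["nat", "address-group"]:
            addrs = [a for a in map(_ipv4, t) if a][:2]   # pool start and end
        elif t[:2] == ["nat", "server"]:
            addrs = [a for a in [_ipv4(_value_after(t, "global") or "")] if a]
        else:
            continue
        found = _value_after(t, "vrrp")
        # Addresses outside every VRRP segment need no VRRP ID and are skipped.
        for net, vrid in nets.items():
            if any(a in net for a in addrs) and found != str(vrid):
                findings.append((no, vrid, found))
                break
    return findings

if __name__ == "__main__":
    for no, want, got in audit_nat_vrrp(SAMPLE_CONFIG, VRRP_SEGMENTS):
        print(f"line {no}: expected 'vrrp {want}', found {got!r}")
```

Running the same check against both firewalls' configurations shows whether the two devices agree on the VRRP ID for each NAT entry.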