Do you know...?? (ARP and PIX-525)

Unanswered Question
Dec 3rd, 2008

Hi,I ask if sameone knows where a can get information or if this is not the way a think.


I have a PIX-525 and two server linux. This server linux have there own ip addres and there own mac address, they are instaled in a failover squeme. So one (the active linux) stay inservice with other ip address with his mac address. When the active linux stay down the standby linux became active and he inherits the ip address of the active linux but he has there own mac address. The linux standby that becames active send gratuitous arp packet to update the table.


I'am going to attach same topology about this.

If you see there you have one virtual server that is the active server with te max with xx at the end. This xx will be replace with 99 and 98.


Thanks.


King Regards.



Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
bwilmoth Wed, 12/10/2008 - 11:31

Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network



Farrukh Haroon Sun, 12/14/2008 - 03:11

What is your question exactly? Different failover mechanisms work in different ways. Cisco (HSRP/RRP), ASA, NSRP (Netscreen), Linux, SUN etc. Infact on UNIX multiple implementations are available.


Regards


Farrukh

evucinovich Mon, 12/15/2008 - 05:31

Well, let see. There is no question. I have this topology, with same linux in failover that are conected directly with same pix-525 and when the linux in failover switchover ir only mantein the ip address but the mac-address change. The pix does not accept gratuitous-arp that tells the new mac-address of the linux server in failover. Do you know if this beavior is correct?? There is samething that i can do in a way to fix this problem?? The Pix-525 have a 6.3.5 version. Thanks a lot.


King Regards.

Elias.


Farrukh Haroon Mon, 12/15/2008 - 06:08

You can do this in Multiple ways:


a) Reduce the arp timeout on the PIX firewall to something much lower like 1 minute (I think the default is 5 minutes).


b) Introduce a new L3 device in the middle which supports grat. ARPs.


c) Change you linux HA mechanism to use a Virtual MAC-Address or any other different scheme to remove reliance on Grat. ARPs.


Regards


Farrukh

Actions

This Discussion