Does CSS answer arp request to VIP addresses?

Nov 9th, 2006

It seems that the CSS doesn't answer ARP requests for the VIP addresses it has configured. I wasn't able yet to sniff the traffic in order to confirm this suspicion, but the fact is that I have to add a static route destined to the VIP address in a Firewall-1 that is before the CSS11150 to make things work. The Firewall-1 and the CSS have interfaces in the same IP network, and the static route added in Firewall-1 has a real IP address of the CSS as its gateway.

Does it make any sense that the CSS doesn't answer ARP requests for VIP addresses?

Gilles Dufour Fri, 11/10/2006 - 01:16

The CSS does answer ARP requests for the VIP address.

It will respond with its own physical address, or the virtual MAC address if you have configured redundancy.

Are you sure the VIP address is part of the subnet?

No ARP requests are sent for addresses outside the subnet.

Gilles.

csco10306685 Fri, 11/10/2006 - 11:39

Gilles,

First of all, thank you very much for your response. Well, I'm not sure if I understood your question, so I can't assure whether the VIP address is part of the subnet or not. Anyway, if you could take a look at the configuration of my CSS, maybe you can identify it. The VIP address is 200.152.40.29 and the IP address of Firewall-1 is 200.152.40.1. There's a circuit VLAN1 with IP address 200.152.40.231/24. In another subnet (10.121.0.0/23) resides the server to which the CSS directs traffic that comes to the VIP address. Here is the config of my CSS:

!************************** CIRCUIT ***********
circuit VLAN1
  redundancy
  description "Rede 1"

  ip address 200.152.40.231 255.255.255.0

circuit VLAN3
  redundancy
  description "VLAN 3 - DMZ X"

  ip address 10.121.2.231 255.255.255.0

circuit VLAN4
  redundancy
  description "VLAN 4 - DMZ XPTO"

  ip address 10.121.0.231 255.255.254.0

circuit VLAN8
  description "HeartBeat"

  ip address 172.16.1.1 255.255.255.0
    redundancy-protocol

!************************** SERVICE **************************
service XPTO
  ip address 10.121.0.29
  keepalive type tcp
  keepalive port 25
  active

!*************************** OWNER ***************************
owner SMTP

  content SMTP
    vip address 200.152.40.29
    add service XPTO
    protocol tcp
    port 25
    active

!*************************** GROUP ***************************
group SMTP
  vip address 200.152.40.29
  add service XPTO
  active

Gilles Dufour Sun, 11/12/2006 - 00:14

The CSS should answer ARP requests sent in VLAN 1 for the VIP address. No need for a static route.

Capture a sniffer trace in this VLAN to verify that the ARP request comes in [to force a request, clear the ARP entry on the firewall].

If you don't want to disrupt traffic, attach a PC in VLAN 1 and try to access the VIP.

Take a sniffer trace on the same PC.

Gilles.
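
The check described in the reply above, written out as an added example that is not part of the original thread: it parses Ethernet/ARP frames from a trace and reports whether a who-has for the VIP was seen and which MAC answered. The IP addresses come from the thread; the MAC addresses and sample frames are constructed, and the function names are hypothetical.

```python
import socket
import struct

VIP = "200.152.40.29"          # VIP from the thread
FIREWALL_IP = "200.152.40.1"   # Firewall-1 address from the thread

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame (sample input, not a real capture)."""
    dst = b"\xff" * 6 if op == 1 else tha        # requests are broadcast
    eth = dst + sha + struct.pack("!H", 0x0806)  # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = socket.inet_ntoa(frame[28:32])
    target_ip = socket.inet_ntoa(frame[38:42])
    return op, sender_mac, sender_ip, target_ip

def vip_arp_summary(frames, vip=VIP):
    """Count who-has requests for the VIP and collect the MACs that answered."""
    requests, answers = 0, set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, sender_ip, target_ip = parsed
        if op == 1 and target_ip == vip:      # op 1 = request
            requests += 1
        elif op == 2 and sender_ip == vip:    # op 2 = reply
            answers.add(mac)
    return {"requests": requests, "answered_by": sorted(answers)}

FW_MAC = bytes.fromhex("020000000001")    # constructed MAC for the firewall
CSS_MAC = bytes.fromhex("020000000231")   # constructed MAC for the CSS
SAMPLE = [
    build_arp(1, FW_MAC, FIREWALL_IP, b"\x00" * 6, VIP),
    build_arp(2, CSS_MAC, VIP, FW_MAC, FIREWALL_IP),
    build_arp(1, FW_MAC, FIREWALL_IP, b"\x00" * 6, "200.152.40.50"),
]

if __name__ == "__main__":
    print(vip_arp_summary(SAMPLE))
```

Zero requests means the sender never ARPed for the VIP, which points at its own addressing or routing; more than one MAC in `answered_by` means two devices are claiming the same VIP.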

csco10306685 Mon, 11/13/2006 - 16:24

I took a sniffer trace as you recommended and I could see that the CSS answers ARP requests for VIP addresses. Well, I will continue investigating why the static route in the firewall is necessary. If I get anything new, I will let you know.

Thank you very much for your help.


Posted November 9, 2006 at 4:21 PM