Does CSS answer arp request to VIP addresses?

Unanswered Question
Nov 9th, 2006

It seems that CSS doesn?t answer arp requests for the VIP addresses it has configured. I wasn?t able yet to sniffer the traffic in order to confirm this suspicion but the fact is that I have to add a static route destined to the VIP address in a Firewall-1 that is before the CSS11150 to make things work. The Firewall-1 and the CSS have interfaces in the same IP network and the static route added in Firewall-1 has the a real IP address of the CSS as its gateway.

Does it make any sense that CSS doesn?t answer arp requests for VIP addresses?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Fri, 11/10/2006 - 01:16

the CSS does answer arp request for vip address.

It will respond with its own physical address or virtual mac address if you have configured redundancy.

Are you sure the vip address is part of the subnet ?

No arp request are sent for addresses outside the subnet.


csco10306685 Fri, 11/10/2006 - 11:39


first of all, thank you very much for your response. Well, I'm not sure if understood your question so I can?t assure whether vip address is part of the subnet or not. Anyway, if you could take a look at the configuration of my CSS maybe you can identify it. The vip address is and the ip address of Firewall-1 is There?s a circuit vlan1 with ip address In another subnet ( resides the server for which CSS directs traffic that comes to vip address. Here is the config of my CSS:

!************************** CIRCUIT ***********

circuit VLAN1


description "Rede 1"

ip address

circuit VLAN3


description "VLAN 3 - DMZ X"

ip address

circuit VLAN4


description "VLAN 4 - DMZ XPTO"

ip address

circuit VLAN8

description "HeartBeat"

ip address


!************************** SERVICE **************************

service XPTO

ip address

keepalive type tcp

keepalive port 25


!*************************** OWNER ***************************

owner SMTP

content SMTP

vip address

add service XPTO

protocol tcp

port 25


!*************************** GROUP ***************************

group SMTP

vip address

add service XPTO


Gilles Dufour Sun, 11/12/2006 - 00:14

The css should answer for arp request sent in vlan 1 for the vip address. No need of static route.

Capture a sniffer trace in this vlan to verify that the arp request comes in [to force a request, clear the arp entry on the firewall].

If you don't want to disrupt traffic, attach a pc in vlan 1 and try to access the vip.

Take a sniffer trace on the same pc.


csco10306685 Mon, 11/13/2006 - 16:24

I took a sniffer trace as you recommended and I could see that CSS answer arp requests for vip addresses. Well, I will continue investigating why the static route in the firewall is necessary. If I get anything new, I will let you know.

Thank you very much for you help.


This Discussion