Article URL

http://kb.juniper.net/KB7102

Synopsis

How do I configure the NetScreen to accept the gratuitous ARPs from my other vendor's product?

Problem

Environment:

  • F5 BigIP
  • redundant
  • Transparent mode


Symptoms & Errors:

  • NetScreen device isn't accepting gratuitous ARPs from my 3rd party device
  • ARP table shows the MAC of the failed unit

 

 

Solution

 

Situation: The NetScreen device (running in transparent mode) is connected to 3rd party devices which are set up in an active-passive or active-failover redundant configuration. 

Problem: When the primary 3rd party device fails over and the backup becomes the active device, the NetScreen does not appear to be accepting the gratuitous ARP or is not updating the ARP table.  A check of the NetScreen ARP table still shows the MAC address of the failed unit instead of the new MAC address.

Solution: 
To test the situation, confirm the current state of the NetScreen device by issuing the CLI commands "get arp" and "get mac-learn".  Next, issue the CLI command "clear arp" and/or "clear mac-learn".  Check the ARP and MAC tables again. 

Is the new MAC displayed? 

Yes, but why did this happen?  The NetScreen device performs stateful inspection.  Any active session will continue to use the stored MAC/IP address until the session is complete and the entry has timed out.  If the primary device fails over, the MAC of the primary device will remain in the ARP table until the session and the entry have timed out.  Issuing "clear arp" forced the ARP table to be emptied.  When the next packet arrived, no entry was available in the forwarding table, causing the NetScreen to send out an ARP request to obtain the MAC/IP information.  The backup device's MAC was then populated in the ARP table.

How do I resolve this situation without having to issue the "clear" commands?  Check to see if the 3rd party device supports configuring a virtual MAC in a redundant environment.  Some vendors implement VRRP, others implement their own scheme (such as MAC masquerading).    For redundant environments, the use of a virtual MAC will alleviate the issue of learning the new MAC. 
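The behaviour described above can be reproduced with a small model. This is an added example, not Juniper or ScreenOS code; the class and function names are hypothetical, the addresses are constructed, and the rule that an entry not held by an active session accepts a gratuitous ARP is an assumption of the model.

```python
# Simplified model (assumption): an ARP entry in use by an active session is
# not overwritten by a gratuitous ARP; a missing entry triggers an ARP request.
VIP = "192.0.2.10"                      # constructed sample address
PRIMARY, BACKUP = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs
VMAC = "02:00:00:00:00:fe"              # constructed virtual MAC


class RedundantPair:
    """Third-party active/passive pair answering for one IP."""
    def __init__(self, virtual_mac=None):
        self.virtual_mac = virtual_mac
        self.active_mac = PRIMARY

    def owner_mac(self):
        # With a virtual MAC both units answer with the same address.
        return self.virtual_mac or self.active_mac

    def failover(self):
        self.active_mac = BACKUP
        return VIP, self.owner_mac()    # contents of the gratuitous ARP


class FirewallModel:
    def __init__(self):
        self.arp, self.sessions = {}, {}

    def resolve(self, ip, pair):
        if ip not in self.arp:          # no entry: ARP request, learn the reply
            self.arp[ip] = pair.owner_mac()
        return self.arp[ip]

    def open_session(self, ip, pair):
        self.sessions[ip] = self.sessions.get(ip, 0) + 1
        return self.resolve(ip, pair)

    def gratuitous_arp(self, ip, mac):
        if self.sessions.get(ip) and ip in self.arp:
            return False                # entry pinned by the active session
        self.arp[ip] = mac
        return True

    def clear_arp(self):
        self.arp.clear()


def mac_after_failover(virtual_mac=None, clear_arp=False):
    """Return (MAC the firewall forwards to, MAC of the live unit)."""
    pair, fw = RedundantPair(virtual_mac), FirewallModel()
    fw.open_session(VIP, pair)
    fw.gratuitous_arp(*pair.failover())
    if clear_arp:
        fw.clear_arp()
    return fw.resolve(VIP, pair), pair.owner_mac()
```

Calling mac_after_failover() with no arguments returns the failed unit's MAC alongside the live one, which is the mismatch seen in "get arp"; with clear_arp=True or a virtual MAC the two values match.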

 

 

 

Category Description

By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software » 5.0.x » 5.0.0
By Product » Software » Network Operating Systems » ScreenOS Software » 4.0.x » 4.0.3
By Product » Software » Network Operating Systems » ScreenOS Software » 4.0.x » 4.0.2
By Product » Software » Network Operating Systems » ScreenOS Software » 4.0.x » 4.0.0

Purpose

Troubleshooting