ZyWALL not sending gratuitous ARP on WAN for NAT addresses after failover

mkr
mkr Posts: 6  Freshman Member
Hello,

we have two ZyWALL 1100 with HA Pro in the datacenter. From the provider, we get two uplinks. We publish the servers over 1:1 NAT.

Example:
Gateway (ISP): 1.1.1.1/24
WAN IP (ZyWALL): 1.1.1.2/24
NAT IP: 1.1.1.10/24, 1.1.1.11/24, 1.1.1.12/24 and so on

The NAT IPs are only used on NAT rules and not configured as secondary IPs on WAN interface.

The problem is that on failover the secondary firewall does not send out GARP packets for the NAT IPs. Therefore the switch of the ISP does not know that he has to send packets to the port of the secondary firewall. This means that the servers are not reachable from the Internet until they initiate a connection on their own.

Is this a known problem? Is there a workaround? Should we configure the NAT IPs as IP Aliases of WAN?

Thank you for your help!

All Replies

  • mkr
    mkr Posts: 6  Freshman Member
    Hello again,

    I have to correct myself. It was wrong thinking: the switch does only store MAC and port in its ARP table, not the IP. So one GARP from the WAN interface will suffice.

    The problem seems to be that the firewall does not send one GARP after failover. Can this be confirmed?
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Hi @mkr,

    What is the type of your WAN IP?(DHCP/Static IP/PPPoE) ?
  • mkr
    mkr Posts: 6  Freshman Member

    The WAN type is static IP (Ethernet).
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @mkr,

     

    Can you share some information with us;

     

    1-    Can you share your topology with us for HA setup?

    2-    Can you share your config file with me by private message?

    3-    Can you capture packets from WAN interface when you perform HA failover and send to me by private message?

    (Maintenance > Diagnostics > Packet Capture > Capture)

  • mkr
    mkr Posts: 6  Freshman Member

    thank you for your response. This is the topology:

    I will send you the configuration by private message. I'm not able to send you packet captures at the moment, but I will try to make it happen.
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Hi @mkr,

    I can see GARP requests with your configuration applied.

    Can you also provide me captured packets as well?

  • Omnia
    Omnia Posts: 20  Freshman Member
    I have the same problem in datacenter, have you find some solutions? ( https://community.zyxel.com/en/discussion/12338/ha-atp-problem-1-1-nat-no-reacheable/p1?new=1 )
  • mkr
    mkr Posts: 6  Freshman Member
    No, I couldn't find a solution yet. We have postponed further diagnosis because we got firmware update problems too with the ZyWALL 1100 with Device HA and we got offered a good deal for two FLEX 700. In the next months we will migrate our configuration and replace the devices.

    I hoped the problems would be gone with firmware version 5 of the FLEX but you are using ATPs which are also on firmware version 5.

    But I appreciate your post, I did not notice that it could be that only 1:1 NAT is affected. I will have a look at that when we take the next test.
  • Omnia
    Omnia Posts: 20  Freshman Member
    Thanks for the reply, 
    we check with datacenter and this is the result:

    "Dear Customer,

    following the checks, we found that from a show arp on our interfaces there are many IPs connected to the same mac address (*.*.8ce1), this has changed since the last clear arp performed by us, before the mac address was. 3aa9.

    Let's imagine that on this mac address are the firewall interfaces to which the IP that does NAT are associated, if correct on which IP address?

    The problem could lie here when your Firewalls take charge of the IP on which you do NAT with a different mac address (based on ownership of the HA cluster), and until our ARP table is updated with the mac address correct (8ce1(ATP800-1) or 3aa9(ATP800-2)) you encounter the reachability problem.

    The fact that a clear arp is needed to resolve the ARP resolution seems to indicate that when a failover occurs, the ARP request with the new mac address does not arrive.

    As also suggested by you, you should do a pcap after a failover to check if the IP on which you NAT is updated in our ARP table.

    The NOC SUPERNAP Italia remains available for further clarifications.

    Cordially,"


    it seems that firewalls do not send ARP Announcement, when failover.

    Now we have to carry out a test to verify the arp sending,

    thank you

Security Highlight