ZyWALL not sending gratuitous ARP on WAN for NAT addresses after failover
we have two ZyWALL 1100 with HA Pro in the datacenter. From the provider, we get two uplinks. We publish the servers over 1:1 NAT.
Gateway (ISP): 184.108.40.206/24
WAN IP (ZyWALL): 220.127.116.11/24
NAT IP: 18.104.22.168/24, 22.214.171.124/24, 126.96.36.199/24 and so on
The NAT IPs are only used on NAT rules and not configured as secondary IPs on WAN interface.
The problem is that on failover the secondary firewall does not send out GARP packets for the NAT IPs. Therefore the switch of the ISP does not know that he has to send packets to the port of the secondary firewall. This means that the servers are not reachable from the Internet until they initiate a connection on their own.
Is this a known problem? Is there a workaround? Should we configure the NAT IPs as IP Aliases of WAN?
Thank you for your help!
Hello again,I have to correct myself. It was wrong thinking: the switch does only store MAC and port in its ARP table, not the IP. So one GARP from the WAN interface will suffice.The problem seems to be that the firewall does not send one GARP after failover. Can this be confirmed?0
Hi @Zyxel_CanThe WAN type is static IP (Ethernet).0
Can you share some information with us;
1- Can you share your topology with us for HA setup?
2- Can you share your config file with me by private message?
3- Can you capture packets from WAN interface when you perform HA failover and send to me by private message?(Maintenance > Diagnostics > Packet Capture > Capture)
Hi @Zyxel_Can,thank you for your response. This is the topology:I will send you the configuration by private message. I'm not able to send you packet captures at the moment, but I will try to make it happen.0
I have the same problem in datacenter, have you find some solutions? ( https://community.zyxel.com/en/discussion/12338/ha-atp-problem-1-1-nat-no-reacheable/p1?new=1 )0
No, I couldn't find a solution yet. We have postponed further diagnosis because we got firmware update problems too with the ZyWALL 1100 with Device HA and we got offered a good deal for two FLEX 700. In the next months we will migrate our configuration and replace the devices.I hoped the problems would be gone with firmware version 5 of the FLEX but you are using ATPs which are also on firmware version 5.But I appreciate your post, I did not notice that it could be that only 1:1 NAT is affected. I will have a look at that when we take the next test.0
Thanks for the reply,
we check with datacenter and this is the result:
"Dear Customer,following the checks, we found that from a show arp on our interfaces there are many IPs connected to the same mac address (*.*.8ce1), this has changed since the last clear arp performed by us, before the mac address was. 3aa9.Let's imagine that on this mac address are the firewall interfaces to which the IP that does NAT are associated, if correct on which IP address?The problem could lie here when your Firewalls take charge of the IP on which you do NAT with a different mac address (based on ownership of the HA cluster), and until our ARP table is updated with the mac address correct (8ce1(ATP800-1) or 3aa9(ATP800-2)) you encounter the reachability problem.The fact that a clear arp is needed to resolve the ARP resolution seems to indicate that when a failover occurs, the ARP request with the new mac address does not arrive.As also suggested by you, you should do a pcap after a failover to check if the IP on which you NAT is updated in our ARP table.The NOC SUPERNAP Italia remains available for further clarifications.Cordially,"it seems that firewalls do not send ARP Announcement, when failover.Now we have to carry out a test to verify the arp sending,thank you0
- 7.9K All Categories
- 1.6K Nebula
- 60 Nebula Ideas
- 54 Nebula Status and Incidents
- 4.3K Security
- 222 Security Ideas
- 960 Switch
- 45 Switch Ideas
- 862 WirelessLAN
- 20 WLAN Ideas
- 5.2K Consumer Product
- 137 Service & License
- 268 News and Release
- 94 Success Stories
- 53 Security Advisories
- 11 Education Center
- 573 FAQ
- 273 Nebula FAQ
- 132 Security FAQ
- 73 Switch FAQ
- 72 WirelessLAN FAQ
- 7 Consumer Product FAQ
- 34 Nebula Monthly Express
- 70 About Community
- 44 Security Highlight