XS3800 needed manual ARP flush after gateway MAC changed
Today I changed the interfaces used by our main firewall to connect to our network, moving from a 1Gbps ethernet port to a 10Gbps SFP+ port but . The firewall is a FortiGate 100F, its ethernet and SFP+ interfaces are connected to a XGS1930 which is connected (via DAC) to the core switch XS3800.
The pic represent a logic schema of my network:
XS3800 is the default gateway for VLAN 1848, 100F is the default gateway for all the other VLANs. 100F ETH and SFP+ were both connected to VLAN 849, but only ETH was configured.
During the maintenance window, I removed the config from ETH interface and then replicated it on the SFP+. As soon as I applied the new config to the 100F, all the devices in the VLANs 849, 1153 and 1152 were able to communicate with each other and to the internet. Instead, devices inside VLAN 1848 were able to talk just with devices in the same broadcast domain and in VLAN 849 except for the 100F.
After some debugging I found that only the XS3800 was unable to communicate with the 100F (and vice-versa). XS3800 ARP table was still showing the MAC address of the 100F ethernet interface instead of the SFP+ one, while the XGS1930 was showing the correct one. So I manually flushed the whole ARP in the XS380 and core switch and firewall were able to talk each other again.
I did expect the ARP table of the XS3800 to update itself without having to flush it manually, just like any other device in the network did. I also know that unplug/plug the SFP+ calbe on the 100F or XGS1930 would have did the trick, but the maintenance window was finished and, well, it still should have done it automatically!!
Does anyone have had similar problems? We are planning to make the XS3800 both core switch and main gateway for our infrastructrue (leaving the 100F just as gateway/IPS to Internet) but such problem does not make us comfortable to take such a decision.
The firmware on XS3800 is V4.80(ABML.2), on XGS1930 is V4.70(ABHT.6).
All Replies
-
Hi @ale992
After conducting a thorough investigation into your issue, we've determined that your XS3800 is connected to the XGS1930. The XS3800 is not directly linked to the FortiGate, but rather to the XGS1930.
When the Ethernet cable is not disconnected and only the interface configuration is changed, the ARP info will not change or automatically flush on XS3800 since no link down. Consequently, it will continue to ping that IP address. This behavior appears to be normal.
The ARP table undergoes aging every 5 minutes, thus if the ARP table remains unchanged after this period, kindly assist us by collecting the technical support files from both of your switches (XS3800 and XGS1930) while you encounter the issue again. You can send these files to us via private msg. Additionally, please provide the specific time when the event occurred. This information will enable us to delve into the issue more effectively.
For detailed instructions on how to gather the tech support files, you can refer to this article:
Kay
0
Zyxel Employee
Categories
- All Categories
- 396 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 86 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 916 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 912 Nebula FAQ
- 419 Security FAQ
- 237 Switch FAQ
- 207 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
