topic Re: arp entry on virtual router in General Topics

arp entry on virtual router

jdprovine — Wed, 08 Aug 2018 13:01:25 GMT

We experienced a loss of routing of two virtual server and their arp to IP information had to be added to a virtual router to get it to route. Any ideas how this could occur?

Re: arp entry on virtual router

BPry — Wed, 08 Aug 2018 13:32:41 GMT

@jdprovine,

Certain servers/services require static ARP entires to maintain their entry in the ARP cache, however the use of static ARP is declining. In my experiance load-balancers, application delivery controllers, and generally anything that uses a lot of VIP entries are canidates for this sort of configuration.

As for how it happened; the ARP cache cleared the mapping for those two servers. Creating a static mapping simply creates a static ARP table entry so that whatever IP you entered will always map to that MAC address.

Re: arp entry on virtual router

jdprovine — Wed, 08 Aug 2018 13:35:41 GMT

@BPry

What I am trying to do is rule out the PA as what is causing the issue. I would say by adding it to a virtual router on the PA is just doing routing that another part of the network should be doing and the PA is not the cause

Re: arp entry on virtual router

BPry — Wed, 08 Aug 2018 13:45:53 GMT

@jdprovine,

Just to verify; when you say you added it into the VR, you really mean interface configuration right? The VR doesn't hold the static ARP entries, this would be something you configure on the interface configuration.

As for what actually caused the issue it could have been the PA, but it really wouldn't have been the PAs fault if you weren't told it needed a static ARP entry. Usually if you are configuring a static ARP entry on the firewall, it would also be configured on your core switches. Everything needs to have the same ARP entry otherwise things will break.

So on my network for example we need a static ARP entry for our OWA VIP, without it our users can't access OWA. So lets say that VIP has a MAC address of 00:11:22:33:44:55 and it maps to 10.191.1.111; that means I have a static ARP entry on my Core switches along with the interface on the PA so that the traffic can actually route correctly. If I take the static ARP off either my Cores or the PA I can't route to that VIP anymore.

Now as to your particular issue I'd say that this is more likely the following options:

1) Interface/Routing changes were made on the PA and this static ARP entry wasn't entered for some reason. This is the fault of the PA, but likely due to not knowing it needed the ARP entry.

2) If that isn't the case then this is a new setup or they changed the setup in some way. Fully the fault of the server/service admin for not knowing that a static ARP entry was going to be required.

That's really your only two options that should take place. If a service was working with a dynamic ARP entry and no change has taken place then you wouldn't have run into the issue.

Re: arp entry on virtual router

jdprovine — Wed, 08 Aug 2018 16:29:01 GMT

@BPry

Well I found out the new guy left some important vlans off a switch and that was the issue, I had asked him this stuff before but he assured me it was all correct on his side. So I guess added the arp and IP information to the the interface sorry not the virtual router fixed the issue. Our internatl communication between people is greatly lacking here and contributes to our issues. Thanks bpry great response

Re: arp entry on virtual router

jdprovine — Wed, 08 Aug 2018 16:30:17 GMT

@BPry

So by map do you give it a path to where it needs to go?

Re: arp entry on virtual router

BPry — Wed, 08 Aug 2018 16:31:22 GMT

@jdprovine

Internal Comms is something that we've been trying to work on here, but we're pretty siloed as far as who handles what aspects. Always fun when someone else causes issues 😉

Re: arp entry on virtual router

jdprovine — Wed, 08 Aug 2018 16:33:11 GMT

@BPry

On top of it try to be the fairer sex in the IT department, its always an up hill battle