Why doesn't Firewall PAN automatically change the MAC address of the Rever Proxy device?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Why doesn't Firewall PAN automatically change the MAC address of the Rever Proxy device?

 

Hello guys, can you help me with this problem?

We are looking for the following logical scenario, we have 2 Reverse Proxy (Imperva) devices connecting through a PAN Firewall as shown below. When checking for backup on Imperva. We tried the following:

- Turn off eth2 port on Master and traffic is transferred to Backup successfully. All operations are stable. The PAN firewall will relearn the VIP's MAC address, the MAC address is changed from MASTER ==> BACKUP

- Enable return port eth2 on Master, traffic cannot be transferred to Master. Because the PAN Firewall still holds the MAC address of the MASTER device. Only when we clear the cache on the PAN does it work properly again.

Do you have any suggestions for this problem?. Can you help me?

Namppmtechpro_2410_1-1708400988356.png

 

Thanks a lot

 

 

3 REPLIES 3

L0 Member

I'm experiencing a similar issue. If anyone has a solution, please kindly assist us.

L0 Member

I'm experiencing a similar issue. If anyone has a solution, please kindly assist us.

Cyber Elite
Cyber Elite

@Namppmtechpro_2410,

Doesn't sound like the Imperva is sending a gratuitous ARP (GARP) when you fail traffic over like it should.  When you have a device in any sort of HA you want it GARP'ing when it takes over responsibility for the IP if it's not going to utilize the same MAC address across peers. 

The firewall is doing what it should here; if it has an ARP entry for an address already there's no reason to not use the cached entry, hence why GARP exists so that devices can announce that they now control an IP address. 

  • 887 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!