02-19-2024 07:50 PM
Hello guys, can you help me with this problem?
We are looking for the following logical scenario: we have 2 Reverse Proxy (Imperva) devices connecting through a PAN Firewall as shown below. When checking for backup on Imperva, we tried the following:
- Turn off eth2 port on Master and traffic is transferred to Backup successfully. All operations are stable. The PAN firewall will relearn the VIP's MAC address; the MAC address is changed from MASTER ==> BACKUP.
- Enable return port eth2 on Master; traffic cannot be transferred to Master because the PAN Firewall still holds the MAC address of the MASTER device. Only when we clear the cache on the PAN does it work properly again.
Do you have any suggestions for this problem? Can you help me?
Thanks a lot
02-19-2024 07:57 PM
I'm experiencing a similar issue. If anyone has a solution, please kindly assist us.
02-21-2024 02:47 PM
Doesn't sound like the Imperva is sending a gratuitous ARP (GARP) when you fail traffic over like it should. When you have a device in any sort of HA you want it GARP'ing when it takes over responsibility for the IP if it's not going to utilize the same MAC address across peers.
The firewall is doing what it should here; if it has an ARP entry for an address already there's no reason to not use the cached entry, hence why GARP exists so that devices can announce that they now control an IP address.
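One way to check the point made in the reply above is to take a packet capture on the segment during failover and failback and list which MAC each gratuitous ARP announces for the VIP. The following is an added example, not part of the original thread or any vendor tooling; the addresses, MACs and the sample capture are constructed for illustration.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an IPv4-over-Ethernet ARP frame; return None for anything else."""
    if len(frame) < 14:
        return None
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == 0x8100 and len(frame) >= 18:   # skip a single 802.1Q tag
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != 0x0806 or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, off)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack_from("!6s4s6s4s", frame, off + 8)
    # Gratuitous ARP: the sender announces its own address (sender IP == target IP).
    return {"op": op, "sender_mac": _mac(sha), "sender_ip": _ip(spa),
            "target_ip": _ip(tpa), "gratuitous": spa == tpa}

def garp_announcements(frames, vip):
    """MACs announced for `vip` by gratuitous ARPs, in capture order."""
    parsed = (parse_arp(f) for f in frames)
    return [a["sender_mac"] for a in parsed
            if a and a["gratuitous"] and a["sender_ip"] == vip]

def _sample(src_mac, op, spa, tpa):
    """Build a constructed broadcast ARP frame for the demo capture below."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return (b"\xff" * 6 + src + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + src + ip(spa) + b"\x00" * 6 + ip(tpa))

# Constructed values, not taken from the thread.
VIP, FW_IP = "192.0.2.10", "192.0.2.1"
MASTER, BACKUP, FW = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
CAPTURE = [
    _sample(FW, 1, FW_IP, VIP),     # firewall's ordinary ARP request for the VIP
    _sample(BACKUP, 1, VIP, VIP),   # failover: BACKUP announces the VIP
    # failback: no GARP from MASTER, the situation the reply suspects
]

if __name__ == "__main__":
    seen = garp_announcements(CAPTURE, VIP)
    print("GARP announcements for", VIP, "->", seen)
    print("MASTER announced on failback:", MASTER in seen)
```

If the real capture shows an announcement from the peer taking over in one direction but not the other, the missing GARP is on the proxy side rather than a fault in the firewall's ARP cache.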