ADC does not honor Gratuitous ARP of other systems


Hi,
we have detected that a MAC address change for the IPv4 address of the default gateway is not honored by the ADC 12.1 (at least seen for the default partition).
This is happening when there is an HA failover of our firewall cluster.

The default gateway sends out GARP (Gratuitous ARP) packets when its MAC address gets changed, but the ADC does not immediately refresh its ARP table.
So the ADC is no longer reachable until its ARP cache entry for the old default-gateway MAC address ages out (= worst case 1200 sec).
 

I have seen that we can modify the ARP timeout on each ADC by using the command: set arpparam -timeout <seconds>
Reducing the ARP timeout shortens the impact, but I would say it does not completely avoid the problem.

I do not understand what the parameter "-spoofValidation ( ENABLED | DISABLED )" means. Is there any detailed documentation for this? (I have not found any)

## Default-Settings are:

> sh arpparam
        ARP Parameters   

        Aging time for ARP table entry : 1200
        Arp spoof prevention : DISABLED
 Done
>
Can anybody explain what <Arp spoof prevention/validation> means?

 

PS: Maybe we can force our firewall to always use the same MAC address for both HA members. We will also investigate in this direction.


What ADC configuration should I implement to avoid such an ADC outage?

Regards,

Chris
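The following is an added, constructed model of the failover described in the post above. It is not NetScaler/ADC code and makes no claim about what `-spoofValidation` implements; it only illustrates the general trade-off behind the question. The block parses Ethernet/IPv4 ARP frames, flags gratuitous ones (sender IP equals target IP), and runs a toy ARP cache under two policies: `honor_unsolicited=True` rewrites an entry on any ARP it sees, so the GARP from the new firewall member takes effect at once, but any host on the segment can overwrite the entry the same way; `honor_unsolicited=False` accepts only replies to requests the host itself sent, which resists ARP poisoning but keeps the dead member's MAC until the entry ages out. `failover_scenario` returns how many seconds the stale MAC is used. All addresses, MACs and the `ArpCache` policy names are constructed for this example.

```python
"""Constructed ARP cache model: gratuitous ARP vs. aging (not NetScaler code)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2
# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass(frozen=True)
class ArpFrame:
    op: int
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes
    target_ip: str

    def is_gratuitous(self) -> bool:
        # A GARP announces the sender's own binding: sender IP == target IP.
        return self.sender_ip == self.target_ip


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    spa_b = bytes(int(x) for x in spa.split("."))
    tpa_b = bytes(int(x) for x in tpa.split("."))
    return ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa_b, tha, tpa_b)


def parse_arp(payload: bytes) -> ArpFrame:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpFrame(op, sha, _ip(spa), tha, _ip(tpa))


class ArpCache:
    """ip -> (mac, expiry). honor_unsolicited=True overwrites on any ARP seen
    (GARP included); False accepts only replies to requests this host sent,
    the classic anti-spoofing rule. Both are illustrative policies."""

    def __init__(self, timeout: int, honor_unsolicited: bool):
        self.timeout = timeout
        self.honor_unsolicited = honor_unsolicited
        self.entries: Dict[str, Tuple[bytes, int]] = {}
        self.pending: Set[str] = set()  # IPs we have an outstanding request for

    def send_request(self, ip: str) -> None:
        self.pending.add(ip)

    def receive(self, frame: ArpFrame, now: int) -> bool:
        """Return True if the frame changed the cached MAC for the sender IP."""
        solicited = frame.op == ARP_REPLY and frame.sender_ip in self.pending
        if not solicited and not self.honor_unsolicited:
            return False  # unsolicited reply or GARP is dropped under this policy
        self.pending.discard(frame.sender_ip)
        old = self.entries.get(frame.sender_ip)
        self.entries[frame.sender_ip] = (frame.sender_mac, now + self.timeout)
        return old is None or old[0] != frame.sender_mac

    def lookup(self, ip: str, now: int) -> Optional[bytes]:
        ent = self.entries.get(ip)
        if ent is None or now >= ent[1]:
            self.entries.pop(ip, None)  # aged out
            return None
        return ent[0]


# Constructed addresses (RFC 5737 documentation range) and locally administered MACs.
GW_IP, ADC_IP = "192.0.2.1", "192.0.2.10"
ADC_MAC = bytes.fromhex("020000000010")
FW_A = bytes.fromhex("02000000000a")  # firewall member that is active first
FW_B = bytes.fromhex("02000000000b")  # member that takes over the gateway IP


def failover_scenario(timeout: int, honor_unsolicited: bool, failover_at: int = 100) -> int:
    """Seconds during which the host keeps forwarding to the dead member's MAC."""
    cache = ArpCache(timeout, honor_unsolicited)
    cache.send_request(GW_IP)
    cache.receive(parse_arp(build_arp(ARP_REPLY, FW_A, GW_IP, ADC_MAC, ADC_IP)), 0)
    # HA failover: the new member announces the gateway IP with its own MAC (GARP).
    garp = parse_arp(build_arp(ARP_REQUEST, FW_B, GW_IP, b"\x00" * 6, GW_IP))
    assert garp.is_gratuitous()
    cache.receive(garp, failover_at)
    stale = 0
    for t in range(failover_at, failover_at + timeout + 1):
        mac = cache.lookup(GW_IP, t)
        if mac is None:  # entry aged out: re-resolve, only the live member answers
            cache.send_request(GW_IP)
            cache.receive(parse_arp(build_arp(ARP_REPLY, FW_B, GW_IP, ADC_MAC, ADC_IP)), t)
            mac = cache.lookup(GW_IP, t)
        if mac == FW_A:
            stale += 1
    return stale


if __name__ == "__main__":
    print("strict, 1200s timeout:", failover_scenario(1200, False), "s stale")
    print("GARP honored:        ", failover_scenario(1200, True), "s stale")
    print("strict, 60s timeout: ", failover_scenario(60, False, failover_at=30), "s stale")
```

With the strict policy the outage lasts from the failover until the entry's original expiry, so lowering the timeout shrinks that window in proportion but never removes it, which matches the observation in the post. The permissive policy converges immediately but trusts every ARP on the segment, which is why a gateway that keeps one MAC across both HA members (the firewall-side approach the post mentions) avoids the question entirely.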
