Server cluster generates UnsolicitedARPReplies in log (Gratuitous/GARP)

Last modified on 19 Feb, 2021. Revision 9
Up to date for: 12.00.xx / 13.00.xx
Supported since: 8
Status: OK


This article applies to: Clavister Security Gateway 8.x, 9.x and 10.x

Note changes as of 8.30.01 for Linux Heartbeat clusters and Microsoft Cluster Server

Note changes as of 8.50.02 for Microsoft Network Load Balancing


Background

Some high-availability server clusters work by sharing an IP address, where only one server “owns” this address at a time. If the server currently owning the IP address goes down, the backup server will start serving requests on that IP address.

A basic problem here is getting the surrounding network equipment (routers, Security Gateways) to understand that the IP address should now be routed to a new hardware address. This is often done through gratuitous ARP responses, whereby the new server sends responses to all hosts that need to know about the change, even though these units have not sent ARP queries.

The problem

Clavister Security Gateway will not listen to ARP responses that it has not sent out queries for. This is to make “ARP spoofing” (IP address spoofing on the local network through bogus ARPs) harder.


This means that the ARP cache of the Security Gateway will not be updated by the gratuitous ARPs sent by the new server. Rather, it will take up to 15 minutes (using default settings) for the Security Gateway to start routing traffic to the new server.

You will likely also see entries like these in your logs (syslog example):

Jun 6 11:38:13 mygw EFW: ARP: rule=UnsolicitedARPReplies 
action=drop reason=already_exists recvif=int 
hwsender=0090:0b02:5c70 hwdest=0001:020d:fb16 arp=reply 
srcenet=0090:0b02:5c70 srcip=192.168.16.136 
destenet=0001:020d:fb16 destip=192.168.16.1
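The dropped UnsolicitedARPReplies entries are the only trace the Security Gateway leaves of a failover attempt, and the same entries are what ARP spoofing on the local segment would produce. The following is an added example (not Clavister code) that parses the key=value log format shown above and reports any IP address claimed by more than one sender MAC, so an operator can tell a cluster failover from something that needs investigation. The second log line is constructed for the example; the first is the page's own.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the page's example, line 2 is a constructed
# variant in which a second MAC claims the same IP, line 3 is unrelated noise.
SAMPLE_LOG = """\
Jun  6 11:38:13 mygw EFW: ARP: rule=UnsolicitedARPReplies action=drop reason=already_exists recvif=int hwsender=0090:0b02:5c70 hwdest=0001:020d:fb16 arp=reply srcenet=0090:0b02:5c70 srcip=192.168.16.136 destenet=0001:020d:fb16 destip=192.168.16.1
Jun  6 11:38:14 mygw EFW: ARP: rule=UnsolicitedARPReplies action=drop reason=already_exists recvif=int hwsender=0090:0b02:5c71 hwdest=0001:020d:fb16 arp=reply srcenet=0090:0b02:5c71 srcip=192.168.16.136 destenet=0001:020d:fb16 destip=192.168.16.1
Jun  6 11:40:02 mygw EFW: CONN: conn=open connipproto=TCP
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_arp_events(text):
    """Return one dict per 'EFW: ARP:' line, keyed by the log's own field names."""
    events = []
    for line in text.splitlines():
        if "EFW: ARP:" not in line:
            continue
        fields = dict(KV_RE.findall(line.split("EFW: ARP:", 1)[1]))
        ts = TS_RE.match(line)
        fields["time"] = ts.group(1) if ts else ""
        events.append(fields)
    return events


def unsolicited_drops(events):
    """Only the replies the gateway refused because it never asked for them."""
    return [e for e in events
            if e.get("rule") == "UnsolicitedARPReplies" and e.get("action") == "drop"]


def macs_per_ip(events):
    """Map each claimed srcip to the set of sender MACs seen for it."""
    seen = defaultdict(set)
    for e in unsolicited_drops(events):
        seen[e["srcip"]].add(e["hwsender"])
    return seen


def conflicting_ips(events):
    """IPs claimed by more than one MAC: expected during a cluster failover,
    but also exactly what ARP spoofing looks like, so worth reviewing either way."""
    return sorted(ip for ip, macs in macs_per_ip(events).items() if len(macs) > 1)


if __name__ == "__main__":
    evs = parse_arp_events(SAMPLE_LOG)
    for ip in conflicting_ips(evs):
        print(ip, "claimed by", sorted(macs_per_ip(evs)[ip]))
```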


The solution

Clavister Security Gateway can be made to accept gratuitous ARPs by turning off the extra checks, making it fully compliant with the ARP specification, RFC 826.

Make the following modifications to Advanced Settings -> ARP:
Note: In newer cOS Core versions (10+) the ARP settings can be found under Network->ARP->Advanced Settings.

Note that Clavister Security Gateway before 8.30.01 only listens to ARP packets destined to the Security Gateway itself. This presents a problem for the Linux Heartbeat cluster system and MS Cluster Server, which do not send targeted ARP queries when they attempt to update the ARP caches of nearby units.

As of v8.30.01, the Security Gateway will listen to any ARP queries if ARPRequests is set to Accept, and any ARP responses if UnsolicitedARPReplies is set to Accept or AcceptLog.

Note that Clavister Security Gateway before 8.50.02 always sent ARP responses to the MAC address found in the Ethernet header of the query. Microsoft NLB apparently relies on the response being sent to the source MAC address in the ARP data instead.

As of v8.50.02 the core sends ARP responses to the source MAC address in the ARP data.
