Server cluster generates UnsolicitedARPReplies in log (Gratuitous/GARP)

Last modified on 19 Feb, 2021. Revision 9
Up to date for: 12.00.xx / 13.00.xx
Supported since: 8
Status: OK


This article applies to: Clavister Security Gateway 8.x, 9.x and 10.x

Note changes as of 8.30.01 for Linux Heartbeat clusters and Microsoft Cluster Server

Note changes as of 8.50.02 for Microsoft Network Load Balancing


Background

Some high-availability server clusters work by sharing an IP address, where only one server “owns” this address at a time. If the server currently owning the IP address goes down, the backup server will start serving requests on that IP address.

A basic problem here is getting surrounding network equipment (routers, Security Gateways) to understand that the IP address should now be routed to a new hardware address. This is often done through gratuitous ARP responses, whereby the new server sends responses to all hosts that need to know about the change, even though these units have not sent ARP queries.

The problem

Clavister Security Gateway will not listen to ARP responses that it has not sent out queries for. This is to make “ARP spoofing” (IP address spoofing on the local network through bogus ARPs) harder.


This means that the ARP cache of the Security Gateway will not be updated by the gratuitous ARPs sent by the new server. Rather, it will take up to 15 minutes (using default settings) for the Security Gateway to start routing traffic to the new server.

You will likely also see entries like these in your logs (syslog example):

Jun 6 11:38:13 mygw EFW: ARP: rule=UnsolicitedARPReplies action=drop reason=already_exists recvif=int hwsender=0090:0b02:5c70 hwdest=0001:020d:fb16 arp=reply srcenet=0090:0b02:5c70 srcip=192.168.16.136 destenet=0001:020d:fb16 destip=192.168.16.1
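When a cluster fails over, entries like the one above tend to arrive in bursts, and the same IP address shows up with a new sender MAC. The following parser, added here as an example and not part of the article or of cOS Core, splits the key=value syslog format shown above, counts dropped gratuitous replies, lists IP addresses announced with more than one MAC (expected on failover, worth investigating otherwise) and flags frames where the Ethernet source MAC (hwsender) differs from the ARP sender MAC (srcenet), which is the condition the ARPMatchEnetSender setting governs. The sample lines are constructed: the first is the article's own example, the others are made up to show a MAC change and a sender mismatch.

```python
import re
from collections import defaultdict

# Constructed sample input. The first entry is the article's own log example;
# the rest are constructed to show a MAC change and an Ethernet/ARP sender mismatch.
SAMPLE_LOGS = [
    "Jun 6 11:38:13 mygw EFW: ARP: rule=UnsolicitedARPReplies action=drop reason=already_exists recvif=int hwsender=0090:0b02:5c70 hwdest=0001:020d:fb16 arp=reply srcenet=0090:0b02:5c70 srcip=192.168.16.136 destenet=0001:020d:fb16 destip=192.168.16.1",
    "Jun 6 11:38:14 mygw EFW: ARP: rule=UnsolicitedARPReplies action=drop reason=already_exists recvif=int hwsender=0090:0b02:5c70 hwdest=0001:020d:fb16 arp=reply srcenet=0090:0b02:5c70 srcip=192.168.16.136 destenet=0001:020d:fb16 destip=192.168.16.1",
    "Jun 6 11:40:02 mygw EFW: ARP: rule=UnsolicitedARPReplies action=drop reason=already_exists recvif=int hwsender=0090:0b02:5c71 hwdest=0001:020d:fb16 arp=reply srcenet=0090:0b02:5c71 srcip=192.168.16.136 destenet=0001:020d:fb16 destip=192.168.16.1",
    "Jun 6 11:41:00 mygw EFW: ARP: rule=UnsolicitedARPReplies action=drop reason=already_exists recvif=int hwsender=00aa:bbcc:ddee hwdest=0001:020d:fb16 arp=reply srcenet=0090:0b02:5c71 srcip=192.168.16.136 destenet=0001:020d:fb16 destip=192.168.16.1",
]

# Syslog header: "<Mon> <day> <hh:mm:ss> <host> EFW: <category>: key=value ..."
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"EFW:\s+(?P<category>\w+):\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_arp_event(line):
    """Split one syslog line into header fields plus key=value pairs; None if not an EFW event."""
    m = PREFIX_RE.match(line)
    if m is None:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"), "category": m.group("category")}
    event.update(KV_RE.findall(m.group("fields")))
    return event


def is_unsolicited_reply_drop(event):
    """True for a reply dropped by the UnsolicitedARPReplies check."""
    return (event.get("category") == "ARP"
            and event.get("rule") == "UnsolicitedARPReplies"
            and event.get("action") == "drop"
            and event.get("arp") == "reply")


def summarize(lines):
    """Triage summary over a batch of log lines.

    dropped       - number of gratuitous replies the gateway refused
    changed_ips   - IPs announced with more than one sender MAC (failover signature)
    enet_mismatch - frames whose Ethernet source MAC differs from the ARP sender MAC
    """
    dropped = 0
    macs_by_ip = defaultdict(set)
    mismatches = []
    for line in lines:
        ev = parse_arp_event(line)
        if ev is None or not is_unsolicited_reply_drop(ev):
            continue
        dropped += 1
        macs_by_ip[ev["srcip"]].add(ev["srcenet"])
        if ev["hwsender"] != ev["srcenet"]:
            mismatches.append((ev["ts"], ev["srcip"], ev["hwsender"], ev["srcenet"]))
    return {
        "dropped": dropped,
        "changed_ips": {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1},
        "enet_mismatch": mismatches,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS)
    print(f"dropped gratuitous replies: {result['dropped']}")
    for ip, macs in result["changed_ips"].items():
        print(f"{ip} announced by {len(macs)} MACs: {', '.join(macs)}")
    for ts, ip, hw, arp_mac in result["enet_mismatch"]:
        print(f"{ts}: {ip} Ethernet src {hw} != ARP sender {arp_mac}")
```

Feed it the ARP lines from your syslog receiver; a single IP alternating between two MACs at the times your cluster failed over is the benign case this article describes, while a MAC you do not recognise for a cluster address is the case the default settings exist to catch.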


The solution

Clavister Security Gateway can be made to accept gratuitous ARPs by turning off the extra checks and making it fully compliant with the ARP specification: RFC 826.

Make the following modifications to Advanced Settings -> ARP:
Note: In newer cOS Core versions (10+) the ARP settings can be found under Network->ARP->Advanced Settings.

  • UnsolicitedARPReplies: Accept or AcceptLog (default: DropLog)
    This is necessary if the server cluster transmits gratuitous replies.
  • ARPRequests: Accept (default: Drop)
    This may be necessary if the server cluster transmits gratuitous queries (ARP requests) rather than replies.
  • ARPChanges: Accept or AcceptLog (default: AcceptLog)
    This is necessary, since the hardware address will change when failover occurs.
  • ARPMatchEnetSender: Ignore or Log (default: DropLog)
    Some server cluster implementations build somewhat ugly ARP packets, where the sender address in the MAC header does not match the address supplied in the ARP data. If that is the case, this setting cannot be Drop or DropLog.
  • ARPMulticast: Accept, Log, Drop or DropLog (default: DropLog)
    Some cluster implementations, like Windows 2003 servers with IIS, require that this option be set to Accept or Log.
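To make the effect of these settings concrete, here is a small model of the checks, added as an example and not Clavister's code: it parses a raw Ethernet+ARP frame with struct, then runs the sender-MAC match, multicast, unsolicited-reply, request and hardware-change checks in the order listed above against a simulated ARP cache and reports the resulting action. The order of the checks, the reason strings and the cache behaviour are assumptions drawn from the article's descriptions, not from cOS Core itself; the gateway MAC, the cluster MACs and the frames are constructed. The two settings dictionaries are the defaults quoted above and the cluster-friendly values the article recommends.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Defaults as quoted in the article, and the values it recommends for server clusters.
DEFAULTS = {"UnsolicitedARPReplies": "DropLog", "ARPRequests": "Drop", "ARPChanges": "AcceptLog",
            "ARPMatchEnetSender": "DropLog", "ARPMulticast": "DropLog"}
CLUSTER = {"UnsolicitedARPReplies": "AcceptLog", "ARPRequests": "Accept", "ARPChanges": "AcceptLog",
           "ARPMatchEnetSender": "Log", "ARPMulticast": "Log"}


def mac(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Assemble an Ethernet frame carrying an ARP packet (used to construct test input)."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper, mac(sha), IPv4Address(spa).packed,
                       mac(tha), IPv4Address(tpa).packed)
    return ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + arp


def parse_arp_frame(frame):
    """Decode the Ethernet header and the ARP packet behind it into a dict of strings."""
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "oper": oper,
            "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


def is_gratuitous(pkt):
    """Gratuitous ARP announces the sender's own address: sender IP equals target IP."""
    return pkt["spa"] == pkt["tpa"]


class ArpCache:
    """Hypothetical model of the cache-learning checks the article's settings control."""

    def __init__(self, settings, gw_mac):
        self.settings = dict(settings)
        self.gw_mac = gw_mac
        self.table = {}       # ip -> mac currently in the cache
        self.pending = set()  # ips the gateway itself has queried for

    def query(self, ip):
        self.pending.add(ip)

    def receive(self, frame):
        """Return (action, reason) for one incoming ARP frame and update the cache if accepted."""
        pkt = parse_arp_frame(frame)
        s = self.settings
        drops = ("Drop", "DropLog")
        # ARPMatchEnetSender: Ethernet source MAC must equal the ARP sender hardware address
        if pkt["eth_src"] != pkt["sha"] and s["ARPMatchEnetSender"] in drops:
            return ("drop", "enet_sender_mismatch")
        # ARPMulticast: sender hardware address with the group bit set
        if int(pkt["sha"][:2], 16) & 1 and s["ARPMulticast"] in drops:
            return ("drop", "multicast_sender")
        if pkt["oper"] == ARP_REPLY:
            # UnsolicitedARPReplies: replies the gateway never asked for
            if pkt["spa"] not in self.pending and s["UnsolicitedARPReplies"] in drops:
                return ("drop", "already_exists" if pkt["spa"] in self.table else "unsolicited")
        elif pkt["oper"] == ARP_REQUEST:
            # ARPRequests: whether sender data in requests is learned at all
            if s["ARPRequests"] in drops:
                return ("drop", "request_not_learned")
        else:
            return ("drop", "bad_opcode")
        # ARPChanges: a known IP arriving with a different MAC
        old = self.table.get(pkt["spa"])
        if old is not None and old != pkt["sha"] and s["ARPChanges"] in drops:
            return ("drop", "hw_change")
        self.table[pkt["spa"]] = pkt["sha"]
        self.pending.discard(pkt["spa"])
        return ("accept", "updated" if old != pkt["sha"] else "refreshed")


def simulate_failover(settings):
    """Constructed scenario: cache knows the cluster IP on node A, node B announces it via GARP."""
    cache = ArpCache(settings, gw_mac="00:01:02:0d:fb:16")
    cache.table["192.168.16.136"] = "00:90:0b:02:5c:70"
    garp = build_arp_frame("00:90:0b:02:5c:71", "ff:ff:ff:ff:ff:ff", ARP_REPLY,
                           "00:90:0b:02:5c:71", "192.168.16.136",
                           "ff:ff:ff:ff:ff:ff", "192.168.16.136")
    return cache.receive(garp), cache.table["192.168.16.136"]


if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS), ("cluster", CLUSTER)):
        (action, reason), owner = simulate_failover(cfg)
        print(f"{name}: {action} ({reason}), 192.168.16.136 -> {owner}")
```

With the defaults the announcement is dropped with reason already_exists and the cache keeps pointing at the old node, which is exactly the 15-minute stall the article describes; with the cluster settings the same frame updates the entry. Change one setting at a time in CLUSTER to see which check blocks a given cluster product's announcements.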

Note that Clavister Security Gateway before 8.30.01 only listens to ARP packets destined to the Security Gateway itself. This presents a problem for the Linux Heartbeat cluster system and MS Cluster Server, which do not send targeted ARP queries when they attempt to update the ARP caches of nearby units.

As of v8.30.01, the Security Gateway will listen to any ARP queries if ARPRequests is set to Accept, and any ARP responses if UnsolicitedARPReplies is set to Accept or AcceptLog.

Note that Clavister Security Gateway before 8.50.02 always sent ARP responses to the MAC address found in the Ethernet header of the query. Microsoft NLB apparently relies on the response being sent to the source MAC address in the ARP data instead.

As of v8.50.02 the core sends ARP responses to the source MAC address in the ARP data.
