Server cluster generates UnsolicitedARPReplies in log (Gratuitous/GARP)

Last modified on 19 Feb, 2021. Revision 9
Server cluster generates UnsolicitedARPReplies in log (Gratuitous/GARP)
Up to date for
12.00.xx / 13.00.xx
Supported since
Status OK

This article applies to:Clavister Security Gateway 8.x, 9.x and 10.x

Note changes as of 8.30.01 for Linux Heartbeat clusters and Microsoft Cluster Server

Note changes as of 8.50.02 for Microsoft Network Load Balancing


Some high-availability server clusters work by sharing an IP address, where only one server “owns” this address at a time. If the server currently owning the IP address goes down, the backup server will start serving requests on that IP address.

A basic problem here is getting surrounding network equipment (routers, Security Gateways) to understand that the IP address should be routed a new hardware address. This is often done through gratitious ARP responses, whereby the new server sends responses to all hosts that need to know about the change, even though these units have not sent ARP queries.

The problem

Clavister Secturity Gateway will not listen to ARP responses that it has not sent out queries for. This is to make “ARP spoofing” (IP address spoofing on the local network through bogus ARPs) harder.

This means that the ARP cache of the Security Gateway will not be updated by the gratuitous ARPs sent by the new server. Rather, it will take up to 15 minutes (using default settings) for the Security Gateway to start routing traffic to the new server.

You will likely also see entries like these in your logs (syslog example):

Jun 6 11:38:13 mygw EFW: ARP: rule=UnsolicitedARPReplies 
action=drop reason=already_exists recvif=int 
hwsender=0090:0b02:5c70 hwdest=0001:020d:fb16 arp=reply 
srcenet=0090:0b02:5c70 srcip= 
destenet=0001:020d:fb16 destip=

The solution

Clavister Secturity Gateway can be made to accept gratuitous ARPs by turning off the extra checks and making it fully compliant with the ARP specification: RFC 826.

Make the following modifications to Advanced Settings -> ARP:
Note: In newer cOS Core versions (10+) the ARP settings can be found under Network->ARP->Advanced Settings.

Note that Clavister Security Gateway before 8.30.01 only listens to ARP packets destined to the Security Gateway itself. This presents a problem for the Linux Heartbeat cluster system and MS Cluster Server, which does not send targeted ARP queries when it attempts to update the ARP caches of nearby units.

As of v8.30.01, the Security Gateway will listen to any ARP queries if ARPRequests is set to Accept, and any ARP responses if UnsolicitedARPReplies is set to Accept or AcceptLog.

Note that Clavister Security Gateway before 8.50.02 always sent ARP responses to the MAC address found in the ethernet header of the query. Microsoft NLB apparently does rely on the response to be sent to the source MAC address in the ARP data.

As of v8.50.02 the core sends ARP responses to the source MAC address in the ARP data.

Related articles

cOS Core 14.00 FAQ
27 Apr, 2022 arm x86 core
Configuring public certificates in NetWall firewalls
23 Aug, 2022 core certificate oneconnect ipsec vpn
Configure the Android OpenConnect client towards Clavister NetWall
23 Aug, 2022 sslvpn openconnect oneconnect android core
Using PCAP packet capture in cOS Core
7 Sep, 2022 core cli pcap netwall pcapdump
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
A trusted webpage blocked by IP reputation
22 Jan, 2021 core ipreputation
Could not open outbound connection?
9 Mar, 2021 core ping connections
Configure Linux OpenConnect towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect linux core
Configuring SSL-VPN / OneConnect server on secondary Firewall IP address
8 Apr, 2021 core sslvpn oneconnect interfaces arp
Using /31 network masks in cOS Core (RFC-3021)
1 Jun, 2022 core routing management
Device initiated InControl management of NetWall HA clusters with a single public IP
31 Mar, 2022 incontrol core netcon netwall ha cluster coscore
How to configure a Captive Portal in cOS Core
25 May, 2022 howto core authenticator authentication webauth captive
Using Multicast DNS with cOS Core
24 May, 2021 core howto mdns multicast transparentmode airprint igmp dns
IPsec license usage calculation
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
Clavister SFP/SFP+ module compatibility
11 Apr, 2021 core sfp gbic hardware
Using Stateless Policies in cOS Core
16 Jun, 2021 core stateless rules netwall
Why some log category ID's are missing
23 May, 2022 core log logreceiver
NetWall virtual firewall creation under KVM on ARM
20 May, 2021 kvm core arm coscore netwall
Allowing Traceroute to and through cOS Core
23 Aug, 2022 core behaviour icmp ping traceroute
The meaning of the "Default_Access_Rule" log entry
25 Jan, 2021 brokenlink core arp log routing
How to setup a simple cloud-init environment for testing
30 Nov, 2020 howto core cloud-init dhcp
Protecting against the Apache Log4j exploit
15 Dec, 2021 core idp ipreputation log4j
What is a "zombie" connection?
24 Mar, 2021 core connections
Managing NetWall HA clusters over the Internet using one public IP
21 Jun, 2022 core ha hacluster netwall coscore slb
Assigning additional IPs to cOS Core Ethernet interfaces
7 May, 2021 core ethernet vlan arp garp
Allowing Path MTU discovery in cOS Core
9 Jul, 2021 core mtu netwall mtudiscovery
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory
Is Statless (FwdFast) faster than a normal IP policy?
27 Jan, 2021 core stateless routing brokenlink
Configure the OpenConnect-GUI client towards Clavister NetWall
23 Aug, 2022 sslvpn openconnect oneconnect macos windows linux core