Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Why doesn't failover work properly with my Cisco hardware?

SOLVED
Go to solution
riverbedjo
Contributor
‎09-22-2011 08:49:AM
‎09-22-2011 08:49:AM

Why doesn't failover work properly with my Cisco hardware?

When a Stingray fails (or I take it down for maintenance), the traffic IP address is correctly transferred to a different Stingray, but it does not receive any traffic.  Why is this?

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
owen
Frequent Contributor
‎10-03-2011 08:16:AM
‎10-03-2011 08:16:AM

Re: Why doesn't failover work properly with my Cisco hardware?

When Stingray rises a Traffic IP Address, it broadcasts a number of ARP replies to inform the attached Layer 2 network that it should update its ARP cache. This is to ensure that Ethernet frames directed to the Traffic IP Address in question are sent to the correct hardware interface (on the Stingray) via the correct LAN circuit.

By default, Stingray will send 10 of these ARP broadcasts. In some scenarios, we find that Cisco hardware will ignore ARP broadcasts for a short period of time. The result is that, after Stingray fails over, frames will be sent to the wrong LAN segment, ultimately causing connection timeouts to your Traffic IP Addresses. So far, we know that this affects the PIX 506E Firewall, but it may apply to other products as well.

To identify the problem, you can log into the Cisco device and use the 'show arp' command to view the ARP table. If you discover that a Traffic IP Address is associated with the wrong MAC address, you can use the 'clear arp' command to flush the table, which should correct the problem.

To prevent future occurrences, we have found that increasing the number of ARP broadcasts sent by Stingray from 10 to 100 works reliably. To make this change, please log into the admin interface and navigate to: System -> Global -> Traffic Manager Fault Tolerance ...and change the "flipper!arp_count" value from 10 to 100.

View solution in original post

0 Kudos
1 REPLY 1
owen
Frequent Contributor
‎10-03-2011 08:16:AM
‎10-03-2011 08:16:AM

Re: Why doesn't failover work properly with my Cisco hardware?

When Stingray rises a Traffic IP Address, it broadcasts a number of ARP replies to inform the attached Layer 2 network that it should update its ARP cache. This is to ensure that Ethernet frames directed to the Traffic IP Address in question are sent to the correct hardware interface (on the Stingray) via the correct LAN circuit.

By default, Stingray will send 10 of these ARP broadcasts. In some scenarios, we find that Cisco hardware will ignore ARP broadcasts for a short period of time. The result is that, after Stingray fails over, frames will be sent to the wrong LAN segment, ultimately causing connection timeouts to your Traffic IP Addresses. So far, we know that this affects the PIX 506E Firewall, but it may apply to other products as well.

To identify the problem, you can log into the Cisco device and use the 'show arp' command to view the ARP table. If you discover that a Traffic IP Address is associated with the wrong MAC address, you can use the 'clear arp' command to flush the table, which should correct the problem.

To prevent future occurrences, we have found that increasing the number of ARP broadcasts sent by Stingray from 10 to 100 works reliably. To make this change, please log into the admin interface and navigate to: System -> Global -> Traffic Manager Fault Tolerance ...and change the "flipper!arp_count" value from 10 to 100.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.