[c-nsp] HSRP & Sonicwall problem

RawCode gonnason at gmail.com
Tue May 2 10:43:31 EDT 2006


On 5/2/06, Eric Helm <helmwork at ruraltel.net> wrote:
>
> Hello,
> I have the following setup:
> 2811-1
>       -- Cisco 2950 -- Sonicwall Firewall
> 2811-2
>
> The issue is that the Sonicwall stops communicating with the HSRP Active
> router. I have tried setting a static ARP entry for the VIP, however the
> communication will still cease. At this point, the static ARP entry must
> be deleted, then I have to initiate a ping from the Sonicwall to the VIP
> to get things going again.
> Here is the config snip from the HSRP interface in question:
>
> interface FastEthernet0/0
> description Uplink to Sonicwall
> ip address 192.168.0.4 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nbar protocol-discovery
> ip route-cache flow
> duplex full
> speed 100
> no mop enabled
> standby version 2
> standby 10 ip 192.168.0.2
> standby 10 timers msec 500 msec 1500
> standby 10 preempt
> standby 10 authentication ntw-admi
> standby 10 track FastEthernet0/1
>
> Is there anything from this config that could be tweaked, or any
> suggestions for the Sonicwall to fix this issue?
>
> FYI, I have a similar setup in another location, exact HSRP config on
> the 2811, but using a Pix firewall in place of the Sonicwall. This setup
> works flawlessly.
>
> Thanks,
> Eric
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

I am not an expert at HSRP, but I thought it used proxy ARP to update the
hosts with the new MAC address.

"standby ip" syntax
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d2d21.html#wp1049563

"When the *standby ip* command is enabled on an interface, the handling of
proxy ARP requests is changed (unless proxy ARP was disabled). If the Hot
Standby state of the interface is active, proxy ARP requests are answered
using the MAC address of the Hot Standby group. If the interface is in a
different state, proxy ARP responses are suppressed."

