[c-nsp] HSRP & Sonicwall problem

Scott Granados sgranados at jeteye.com
Wed May 3 17:40:43 EDT 2006


Also note that sonicwall gear, especially the pro 5060, has broken arp in
general.  I've had many interoperability problems with 5060's and Cisco,
including 26xx's, 17xx's and 65xx's.

The fix for us was to update to their latest firmware and it's helped
(sonicwall firmware upgrade).

On the pro 5060 I'd suggest sonicos enhanced 3.1.0.14-49E


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Buford
Sent: Wednesday, May 03, 2006 1:22 PM
To: RawCode; Eric Helm
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] HSRP & Sonicwall problem

"RawCode" <gonnason at gmail.com> wrote:
> I am not an expert at HSRP, but I thought it used proxy arp to update the
> hosts with the new mac address.
>
> "standby ip" syntax
>
> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d2d21.html#wp1049563
>
> "When the *standby ip* command is enabled on an interface, the handling of
> proxy ARP requests is changed (unless proxy ARP was disabled). If the Hot
> Standby state of the interface is active, proxy ARP requests are answered
> using the MAC address of the Hot Standby group. If the interface is in a
> different state, proxy ARP responses are suppressed."

HSRP creates a virtual mac address that does not change during failovers, so
there is no need to update hosts during failovers.  What you pasted is how
HSRP changes proxy arp behavior.  For any IPs that are to be proxy arped, it
will respond with the redundant virtual mac instead of the non-redundant
physical interface MAC.  As far as I know, proxy arp is not related to this
issue in any way.  Also note proxy arp is disabled on his config snippet.

While I don't know what is causing this issue, I can say that I have several
hundred Sonicwalls speaking to HSRP default gateways on 6509 switches.  I
have recently converted much of this from HSRP to GLBP and had no issue
either way.

The snippet says "standby 10 ip 192.168.0.2".  Just to confirm, the
Sonicwall has an IP within 192.168.0.0/24 and a default gateway of
192.168.0.2, correct?  I have had strange problems when attempting to put
multiple servers in multiple subnets behind the same sonicwall.  The
sonicwall doesn't seem to like servers behind it using a default gateway
outside the sonicwall's own subnet (or something like that).

Newer sonicwalls let you see the arp table (wow fancy).  During the broken
time, I wonder if there is no ARP for the gateway or if there is a wrong arp
for the gateway.  If your sonicwall supports displaying the ARP table, this
would be worth checking.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
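
The ARP-table check suggested in the quoted message, as an added example that is not part of the thread or of any poster's code. It assumes HSRP version 1, whose virtual MAC is 0000.0c07.acXX with XX the group number in hex, and a constructed two-column ARP dump rather than real SonicOS output; the function names are hypothetical.

```python
import re

def hsrp_v1_vmac(group: int) -> str:
    """Virtual MAC for an HSRP version 1 group (assumption: v1, groups 0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"00:00:0c:07:ac:{group:02x}"

def normalize_mac(text: str) -> str:
    """Accept aa:bb:..., aa-bb-... or Cisco aaaa.bbbb.cccc; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp_table(dump: str) -> dict:
    """Map IP -> MAC from 'IP MAC [interface]' lines; headers and incomplete rows are skipped."""
    entries = {}
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            entries[fields[0]] = normalize_mac(fields[1])
        except ValueError:
            continue
    return entries

def classify_gateway(dump: str, gateway_ip: str, group: int) -> str:
    """Distinguish the two failure cases: no ARP entry vs. an entry with the wrong MAC."""
    mac = parse_arp_table(dump).get(gateway_ip)
    if mac is None:
        return "missing"
    return "virtual-mac" if mac == hsrp_v1_vmac(group) else "wrong-mac"

# Constructed sample dumps (invented MACs and interface names); only the
# gateway 192.168.0.2 and group 10 come from "standby 10 ip 192.168.0.2".
HEALTHY = """IP Address   MAC Address        Interface
192.168.0.2  0000.0c07.ac0a     X1
192.168.0.3  00:11:22:33:44:55  X1"""
WRONG = """IP Address   MAC Address        Interface
192.168.0.2  00-11-22-33-44-55  X1"""
MISSING = """IP Address   MAC Address        Interface
192.168.0.2  (incomplete)       X1"""

if __name__ == "__main__":
    for name, dump in (("healthy", HEALTHY), ("wrong", WRONG), ("missing", MISSING)):
        print(name, classify_gateway(dump, "192.168.0.2", 10))
```

A "wrong-mac" result during the broken period would point at a stale or physical-interface entry for the gateway, while "missing" would point at ARP resolution failing outright.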


