[c-nsp] HSRP & Sonicwall problem
Eric Helm
helmwork at ruraltel.net
Wed May 3 22:06:56 EDT 2006
Matt Buford wrote:
> "RawCode" <gonnason at gmail.com> wrote:
>> I am not an expert at HSRP, but I thought it used proxy arp to update the
>> hosts with the new mac address.
>>
>> "standby ip" syntax
>> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d2d21.html#wp1049563
>>
>>
>> "When the *standby ip* command is enabled on an interface, the handling of
>> proxy ARP requests is changed (unless proxy ARP was disabled). If the Hot
>> Standby state of the interface is active, proxy ARP requests are answered
>> using the MAC address of the Hot Standby group. If the interface is in a
>> different state, proxy ARP responses are suppressed."
>
> HSRP creates a virtual mac address that does not change during
> failovers, so there is no need to update hosts during failovers. What
> you pasted is how HSRP changes proxy arp behavior. For any IPs that are
> to be proxy arped, it will respond with the redundant virtual mac
> instead of the non-redundant physical interface MAC. As far as I know,
> proxy arp is not related to this issue in any way. Also note proxy arp
> is disabled on his config snippet.
>
> While I don't know what is causing this issue, I can say that I have
> several hundred Sonicwalls speaking to HSRP default gateways on 6509
> switches. I have recently converted much of this from HSRP to GLBP and
> had no issue either way.
>
> The snippet says "standby 10 ip 192.168.0.2". Just to confirm, the
> Sonicwall has an IP within 192.168.0.0/24 and a default gateway of
> 192.168.0.2, correct? I have had strange problems when attempting to
> put multiple servers in multiple subnets behind the same sonicwall. The
> sonicwall doesn't seem to like servers behind it using a default gateway
> outside the sonicwall's own subnet (or something like that).
The Sonicwall IP and default route in the 2811 is 192.168.0.1/24
>
> Newer sonicwalls let you see the arp table (wow fancy). During the
> broken time, I wonder if there is no ARP for the gateway or if there is
> a wrong arp for the gateway. If your sonicwall supports displaying the
> ARP table, this would be worth checking.
It does appear in the ARP table when the traffic stops passing.
Additionally, I have tried adding a static arp entry (even fancier) to
the sonicwall that points the Virtual MAC address to the Virtual IP, and
it still quits passing traffic, usually after 3-4 hours.
Another odd thing is that I totally powered down the standby router,
just to be sure there wasn't some odd HSRP issue here, and it still breaks.
/Eric
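Matt's suggestion above is to look at the Sonicwall's ARP entry for the gateway during the outage and see whether it is missing or wrong. The script below is an added example, not from the thread or from either vendor: it checks a gateway's ARP entry against the well-known HSRPv1 virtual MAC for its group (0000.0c07.acXX, XX = group number in hex, which the thread does not state), using constructed 'ip mac' ARP listings for group 10 / 192.168.0.2 as in the posted config.

```python
import re

# Added example (not from the thread). HSRPv1 virtual MAC format
# 0000.0c07.acXX (XX = group in hex) is the standard one; the ARP
# listings below are constructed to mimic a plain 'ip mac' table.

def hsrp_v1_virtual_mac(group):
    """Well-known HSRPv1 virtual MAC for standby group 0-255."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"

def normalize_mac(mac):
    """Canonicalize any MAC spelling to lowercase xxxx.xxxx.xxxx."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def parse_arp_table(text):
    """Parse 'ip mac' lines into {ip: mac}; skips blanks and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ip, mac = line.split()[:2]
            table[ip] = normalize_mac(mac)
    return table

def check_gateway_arp(arp_text, gateway_ip, group):
    """Return 'ok', 'missing', or 'wrong-mac:<mac>' for the gateway entry."""
    actual = parse_arp_table(arp_text).get(gateway_ip)
    if actual is None:
        return "missing"
    expected = hsrp_v1_virtual_mac(group)
    return "ok" if actual == expected else f"wrong-mac:{actual}"

# Constructed samples: gateway 192.168.0.2 in HSRP group 10, as in the
# thread's 'standby 10 ip 192.168.0.2'. The first table is healthy; the
# second has the gateway learned with a router's physical MAC instead.
GOOD_ARP = "192.168.0.2  00:00:0c:07:ac:0a\n192.168.0.10  00:1a:2b:3c:4d:5e\n"
BAD_ARP = "192.168.0.2  0011.2233.4455\n192.168.0.10  00:1a:2b:3c:4d:5e\n"

if __name__ == "__main__":
    print(check_gateway_arp(GOOD_ARP, "192.168.0.2", 10))  # ok
    print(check_gateway_arp(BAD_ARP, "192.168.0.2", 10))   # wrong-mac:0011.2233.4455
```

A "wrong-mac" result pointing at a router's burned-in address (rather than the group MAC) during the broken period would separate an ARP-learning problem on the firewall from a forwarding problem on the routers.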