Dejan,

On Wed, Dec 3, 2008 at 7:37 PM, Dejan Muhamedagic <[EMAIL PROTECTED]> wrote:

> Hi,
>
> On Wed, Dec 03, 2008 at 07:42:50AM +0400, Rodney McKee wrote:
> > Hello,
> >
> > I have been trying to fail over 9 addresses between 2 firewalls using the
> > following send_arp syntax:
> >
> > send_arp <ext_interface> xxx.xxx.29.185 <ext_mac_addr> xxx.xxx.27.249 ffffffffffff
> > and
> > send_arp <ext_interface> xxx.xxx.29.185 <ext_mac_addr> xxx.xxx.29.191 ffffffffffff
> >
> > with no success.
> >
> > The networks we have are xxx.xxx.27.248/29 and xxx.xxx.29.184/29
> > The default gateway is xxx.xxx.27.249
> >
> > I had no issues with the fail-over of the xxx.xxx.27.248/29 addresses but
> > could not get the xxx.xxx.29.184/29 addresses to fail over at all. The
> > traffic for xxx.xxx.29.184/29 was still appearing on the original
> > firewall even when the IP had been removed.
> >
> > I did have the provider flush their arp cache but whether they did it in the
> > right place, your guess is as good as mine.
>
> The router which is next to your hosts should handle this. It
> could also be a problem with a switch, if you have one in
> between. It depends on the make I guess, sometimes perhaps on the
> firmware release. Now and again a discussion about this used to
> take place on this list, but it has been a long time since the
> last one. Maybe you can check the archives.
>

I have no visibility of the upstream network although now I think I'll be
pushing to find out more.
A new addition to our network are 2 Cisco 2960 8TC switches to sit outside
our firewalls allowing us to run bonded interfaces (active-passive) inside
and out. When I did the cut over I tried it with and without this switch
with no success.

To muddy the water a bit, on the first attempt to cut over 1 address,
xxx.xxx.29.186 did fail over from that subnet, seemed a bit freaky to me.
The provider also advised that they did flush the arp cache again but to no
avail. A tcpdump in both cases still showed traffic on the external
interface of the original firewall.

The fact that the IP failed over in the first attempt makes me feel that
the command syntax is correct; I was not sure if I should point the
"broadcast" part at the gateway or one of the broadcast addresses (either
one?).

I'll see if I can search the archive for some answers also.



> > Am I doing something wrong and if so what?
> > Or is it an issue with the network provider's network and what might it be?
>
> Thanks,
>
> Dejan
>
> > Thanks in advance.
> >
> > --
> > Rgds
> > Rodney McKee
> > _______________________________________________
> > Linux-HA mailing list
> > [email protected]
> > http://lists.linux-ha.org/mailman/listinfo/linux-ha
> > See also: http://linux-ha.org/ReportingProblems
>



-- 
Rgds
Rodney McKee