Hello,

I have a pair of OpenBSD 3.9 firewalls (using pf and carp) attached to a network with a Windows server cluster on it. The Windows cluster moves a shared IP address between nodes using the MAC address of the actual cluster node, not a common virtual MAC address like pf uses. When it does this, it sends out gratuitous ARP requests to indicate that the cluster IP is now associated with a different MAC address. Unfortunately, OpenBSD seems to be ignoring these requests; when a cluster address moves to a different node, the ARP table on the firewall still holds the entry for the previous node, so packets routed through the firewall, which are currently all of them, go to the wrong address and are ignored.

An example, with a cluster address of 172.20.0.22:

# At first, there is no entry in the ARP table on the firewall:

-bash-3.00$ arp -an | grep 172.20.0.22
-bash-3.00$

# I ping it from a remote host:

13:22:58.704467 0:0:5e:0:1:5 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 172.20.0.22 tell 172.20.0.1
13:22:58.704612 0:14:4f:20:3f:4e 0:0:5e:0:1:5 0806 60: arp reply 172.20.0.22 is-at 0:14:4f:20:3f:4e
13:22:58.704621 0:0:5e:0:1:5 0:14:4f:20:3f:4e 0800 98: 172.29.128.218 > 172.20.0.22: icmp: echo request
13:22:58.704737 0:14:4f:20:3f:4e 0:0:5e:0:1:5 0800 98: 172.20.0.22 > 172.29.128.218: icmp: echo reply

# and the expected ARP interaction happens, and the pings go through. Now there is an ARP entry:

-bash-3.00$ arp -an | grep 172.20.0.22
? (172.20.0.22) at 00:14:4f:20:3f:4e on carp4

# So I move the address to the other cluster node, and the new owner sends out gratuitous ARP packets:

13:23:11.606112 0:14:4f:20:4f:d8 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 172.20.0.22 tell 172.20.0.22
13:23:11.932507 0:14:4f:20:4f:d8 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 172.20.0.22 tell 172.20.0.22
13:23:12.932817 0:14:4f:20:4f:d8 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 172.20.0.22 tell 172.20.0.22

# But the ARP table on my firewall still holds the old entry:

-bash-3.00$ arp -an | grep 172.20.0.22
? (172.20.0.22) at 00:14:4f:20:3f:4e on carp4
-bash-3.00$

# And pings still go, unanswered, to the old MAC address:

13:23:24.408370 0:0:5e:0:1:5 0:14:4f:20:3f:4e 0800 98: 172.29.128.218 > 172.20.0.22: icmp: echo request
13:23:25.410006 0:0:5e:0:1:5 0:14:4f:20:3f:4e 0800 98: 172.29.128.218 > 172.20.0.22: icmp: echo request
13:23:26.410600 0:0:5e:0:1:5 0:14:4f:20:3f:4e 0800 98: 172.29.128.218 > 172.20.0.22: icmp: echo request

Any idea what's going on here? I don't think it's even possible to filter out non-IP packets with pf, and I'm certainly not trying. I am not using any bridge devices. ARP works in all other respects. I don't see any sysctl tunables for ARP, either. RFC 826 makes it clear that the ARP table should be updated in this case.

--
Clayton Wheeler
Windermere Technology
[EMAIL PROTECTED]
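As an added illustration (not part of the original post), the RFC 826 receive algorithm replayed over tcpdump lines in the format shown above, using constructed sample lines: because an entry for 172.20.0.22 already exists, the gratuitous "who-has X tell X" request is merged into it, which is what the firewall's table should have reflected. The local_ips set and the assumption that replies in the capture were unicast to this host are mine.

```python
import re

# Constructed sample in the tcpdump -e format the post shows (not the poster's own capture).
SAMPLE = [
    "13:22:58.704467 0:0:5e:0:1:5 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 172.20.0.22 tell 172.20.0.1",
    "13:22:58.704612 0:14:4f:20:3f:4e 0:0:5e:0:1:5 0806 60: arp reply 172.20.0.22 is-at 0:14:4f:20:3f:4e",
    "13:22:58.704621 0:0:5e:0:1:5 0:14:4f:20:3f:4e 0800 98: 172.29.128.218 > 172.20.0.22: icmp: echo request",
    "13:23:11.606112 0:14:4f:20:4f:d8 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 172.20.0.22 tell 172.20.0.22",
    "13:23:11.932507 0:14:4f:20:4f:d8 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 172.20.0.22 tell 172.20.0.22",
]

ARP_RE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]+) \S+ 0806 \d+: arp "
    r"(?:who-has (?P<tgt>\S+) tell (?P<sndr>\S+)|reply (?P<rip>\S+) is-at (?P<rmac>[0-9a-f:]+))$"
)

def norm_mac(mac):
    """Zero-pad octets so tcpdump's 0:14:4f:20:3f:4e matches arp(8)'s 00:14:4f:20:3f:4e."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def parse_arp_line(line):
    """Return (kind, sender_ip, sender_mac, target_ip); kind is request/gratuitous/reply. None if not ARP."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    if m.group("rip"):
        return ("reply", m.group("rip"), norm_mac(m.group("rmac")), None)
    kind = "gratuitous" if m.group("tgt") == m.group("sndr") else "request"  # sender IP == target IP
    return (kind, m.group("sndr"), norm_mac(m.group("src")), m.group("tgt"))

def replay_arp(lines, local_ips, table=None):
    """RFC 826 receive rule: if the sender IP is already in the table, overwrite its MAC (merge);
    otherwise learn it only if the packet was for us (target IP in local_ips, or a reply, assumed
    unicast to this host). Returns (table, changes) where changes lists (ip, old, new, kind)."""
    table = dict(table or {})
    changes = []
    for line in lines:
        parsed = parse_arp_line(line)
        if parsed is None:
            continue  # not an ARP frame (e.g. the ICMP lines)
        kind, ip, mac, target = parsed
        if ip in table:
            if table[ip] != mac:
                changes.append((ip, table[ip], mac, kind))  # the merge the firewall skipped
                table[ip] = mac
        elif kind == "reply" or target in local_ips:
            table[ip] = mac
    return table, changes
```

The changes list doubles as a simple ARP-monitor log: any IP whose MAC moves, whether by a legitimate cluster failover or otherwise, shows up there with the packet kind that caused it.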
