Tuesday, January 6, 2009

set arp nat-dst

Hey all,

happy new year to you all!

Some weeks ago I had a strange problem with a customer, who told me that his Juniper firewall didn't see a Unix cluster failover.

I of course was like, this can't be true, I have thousands of installations and no one ever complained!

The customer and I did some debugging (debug arp all, debug arp task) to see if this Unix cluster sends out gratuitous ARPs.

We saw that it did, but the Juniper firewall cluster didn't refresh the ARP entry for this IP. (One IP and no virtual MAC, so the firewall needed to update the entry itself.)

After some more debugging and working with Advanced JTAC, we saw that the problem was related to the command "set arp nat-dst". This command makes sure that the Juniper firewall does proxy ARP for policy-based dst-NAT (see previous post).

If this command is in the config, the Juniper firewall will only refresh the entry if it receives a gratuitous ARP reply (not a gratuitous ARP request).

It must do it for both! If you remove the command, it refreshes on both.

This is a bug (and a very hard one to find).
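To make the difference concrete, here is an added example (not from the original post and not Juniper code) that parses gratuitous ARP frames and simulates an ARP cache that refreshes only on GARP replies versus one that accepts both forms; the MACs, the VIP 10.0.0.5 and the frames are constructed for the demo.

```python
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")

@dataclass
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str

def parse_arp(frame: bytes) -> Arp:
    """Parse an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]       # ARP opcode: 1=request, 2=reply
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return Arp(op, sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa)))

def is_gratuitous(a: Arp) -> bool:
    # A gratuitous ARP announces the sender's own address: sender IP == target IP.
    return a.sender_ip == a.target_ip

def build_garp(opcode: int, mac: bytes, ip: str) -> bytes:
    """Constructed sample frame: gratuitous ARP (request or reply) for mac/ip."""
    spa = bytes(int(o) for o in ip.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + mac + spa + BROADCAST + spa
    return BROADCAST + mac + b"\x08\x06" + arp

def refresh_cache(cache: dict, frames: list, accept_requests: bool) -> dict:
    """Apply gratuitous ARPs to an ARP cache. accept_requests=False models the
    reply-only refresh the post observed with 'set arp nat-dst' configured."""
    for frame in frames:
        a = parse_arp(frame)
        if not is_gratuitous(a):
            continue  # ordinary ARP traffic, not an address announcement
        if a.opcode == ARP_REPLY or (accept_requests and a.opcode == ARP_REQUEST):
            cache[a.sender_ip] = a.sender_mac
    return cache

# Constructed scenario: cluster VIP 10.0.0.5 moves from node A's MAC to node B's.
OLD_MAC, NEW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")

def simulate(opcode: int, accept_requests: bool) -> str:
    """Return the MAC the firewall holds for the VIP after the failover GARP."""
    frames = [build_garp(opcode, NEW_MAC, "10.0.0.5")]
    cache = refresh_cache({"10.0.0.5": OLD_MAC.hex(":")}, frames, accept_requests)
    return cache["10.0.0.5"]
```

A cluster that announces failover with a GARP request (the common form) leaves the reply-only cache pointing at the old node's MAC, which is exactly the stale entry seen in the debug output above.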