Why doesn't failover work properly with my Cisco hardware?

When ZXTM raises a Traffic IP Address, it broadcasts a number of ARP replies to inform the attached Layer 2 network that it should update its ARP cache. This is to ensure that Ethernet frames associated with the Traffic IP Address in question are sent to the correct hardware interface via the correct LAN circuit.

By default, ZXTM will send 10 of these ARP broadcasts. In some scenarios, we find that Cisco hardware will ignore ARP broadcasts for a short period of time. The result is that, after ZXTM fails over, frames will be sent to the wrong LAN segment, ultimately causing connection timeouts to your Traffic IP Addresses.

So far, we know that this affects the PIX 506E Firewall, but it may apply to other products as well.

To identify the problem, you can log into the Cisco device and use the 'show arp' command to view the ARP table. If you discover that a Traffic IP Address is associated with the wrong MAC address, you can use the 'clear arp' command to flush the table, which should correct the problem.

To prevent future occurrences, we have found that increasing the number of ARP broadcasts sent by the ZXTM from 10 to 100 works reliably. To make this change, please log into the admin interface and navigate to:

System -> Global -> Traffic Manager Fault Tolerance

...and change the "flipper!arp_count:" value from 10 to 100.

If you have encountered this problem, please raise a support ticket by sending an email to support@zeus.com, including your customer ID number in the Subject: header, and the make/model of the network hardware with which you had the problem in the body.

agosse [Zeus Systems Engineering] 02 February 2007