12-13-2011 03:24 PM
We are using a cluster of two websense proxy devices connected to a SRX 650. The websense devices use a Virtual IP. When one fails, the other one picks up that IP. When we fail over from one web proxy device to the other, the traffic will fail until we clear the arp entry on the SRX for that VIP. Is there an equivelant command in Junos that we can run that will do the same thing as "set arp always-on-dest" which will continuously arp out for the VIP? We want the SRX to quickly see that there is a new MAC address for that VIP and then communicate using that new MAC.
Hope my description was clear enough. Thanks in advance.
12-14-2011 10:02 AM
This is probably not helpful, but shouldn't this be handled by the Websense machines? Usually, when you fail over, you should send out gratitious arp so that all other network equipment will see that your Mac has changed. Maybe Websense has something like that and it isn't enabled?
12-14-2011 12:31 PM
It is sending out the gratuitous arp but the firewall is not picking it up for some reason. There is a L2 Cisco switch in between the the websense servers and the firewall.
12-14-2011 01:05 PM
Well then I would look at the switch. It should learn the new Mac address through the gratitious arp and propagate it I guess. But I am not a layer 2 expert. My educated guess is you need to look at the switch and Websense, not the SRX.
12-14-2011 07:15 PM
My understanding is that by default ARP cache updates based on gratuitous ARP replies is disabled. You can enable it per interface with the command "gratuitous-arp-reply".