Forum Discussion
Joel_Moses
May 10, 2011
Nimbostratus
I suspect that auto last hop is coming into conflict with your failover here. I'm assuming you're using Check Point's clustering/failover solution (ClusterXL) -- it will gratARP to the subnet on failover to get the traffic flowing to the correct interface, but if the F5 has auto last hop on, existing sessions will not follow the new MAC. That's why you can ping from another workstation that didn't previously have a session, but you can't for the system that had a running session when the failover occurred. This differs from some failover protocols that use multicast MAC (VRRP or HSRP, for example), which use the same VMAC for the virtual IP.
The solution here will probably be to set a static routing table and turn off auto last hop on this LTM; before you do, make sure you fully explore the implications it'll have for your network design.