Configuring the EdgeSWG so only the interface on which an IP is configured responds to ARP requests for that IP address

Article ID: 165606

Products

ProxySG Software - SGOS

Issue/Introduction

The EdgeSWG is responding to ARP requests on interfaces that do not have the requested IP address bound.
This causes load balancers to not work correctly.
Is there a way to disable this behavior?

Resolution

By default, the EdgeSWG will answer ARP requests received on any interface as long as an IP address configured on the proxy matches the request. For example, assume the EdgeSWG has 2 interfaces configured:

Interface "0" is configured with 10.1.1.1
Interface "1" is configured with 192.168.1.1

If an ARP request for 10.1.1.1 is received on interface "1", the EdgeSWG will answer it even though the IP belongs to another interface. This behavior might cause problems with some load balancers.

The EdgeSWG has a command to change this default behavior. To change this setting, connect to the CLI (SSH or serial/VM console) of the EdgeSWG and run the following commands:

EdgeSWG>enable
Enable Password:
EdgeSWG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
EdgeSWG#(config)tcp-ip arp-strict-matching enable
EdgeSWG#(config)exit
EdgeSWG#show tcp-ip
RFC-1323 support:             enabled
  IP forwarding:                disabled
  ICMP bcast echo response:     disabled
  ICMP timestamp echo response: disabled
  ICMP drop redirects:          disabled
  Path MTU Discovery:           disabled
  TCP silly-window avoidance:   enabled
  Routing algorithm:            weighted-round-robin
  TCP 2MSL timeout:             120 seconds
  TCP window size:              1048575 bytes
  TCP Congestion Algorithm:     newreno
  TCP ECN:                      disabled
  Bypass connection keep-alive: disabled
  Fast TCP FIN_WAIT_2 recycle:  disabled
  TCP TSO:                      disabled
  ARP strict matching:          enabled 
EdgeSWG# (config) exit
EdgeSWG# 

With this option enabled, an interface will only respond to ARP requests for its own IP address.
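Because the setting is easy to lose sight of once the change has been made, it is worth checking it from saved CLI captures rather than by logging in by hand. The following is an added example, not Broadcom's code: it parses the key/value layout of the "show tcp-ip" output quoted above and reports whether "ARP strict matching" is enabled. The two captures embedded in the script are constructed from the article's output (one with the default setting, one after the change); the function names are this example's own.

```python
"""Audit a ProxySG/EdgeSWG 'show tcp-ip' capture for ARP strict matching.

Added example, not Broadcom's code. Feed it the text of a 'show tcp-ip'
capture (the whole terminal session is fine; prompts and command echoes
are skipped) and it reports whether ARP strict matching is enabled.
"""
import re
from typing import Dict, List

# Each setting is printed as "  Key name:   value"; the key may contain
# spaces and hyphens, and the value may be several words ("120 seconds").
_SETTING_LINE = re.compile(r"^\s*(?P<key>[^:]+?):\s+(?P<value>.+?)\s*$")

# Constructed capture: a proxy still at the default (strict matching off).
DEFAULT_CAPTURE = """EdgeSWG#show tcp-ip
RFC-1323 support:             enabled
  IP forwarding:                disabled
  TCP 2MSL timeout:             120 seconds
  Routing algorithm:            weighted-round-robin
  ARP strict matching:          disabled
EdgeSWG#
"""

# Constructed capture: the same proxy after 'tcp-ip arp-strict-matching enable'.
STRICT_CAPTURE = DEFAULT_CAPTURE.replace(
    "ARP strict matching:          disabled",
    "ARP strict matching:          enabled ",
)


def parse_show_tcp_ip(capture: str) -> Dict[str, str]:
    """Return {setting name: value} for every 'Key: value' line in the capture."""
    settings: Dict[str, str] = {}
    for line in capture.splitlines():
        match = _SETTING_LINE.match(line)
        if match:
            settings[match.group("key").strip()] = match.group("value").strip()
    return settings


def arp_strict_matching_enabled(capture: str) -> bool:
    """True only if the capture explicitly shows 'ARP strict matching: enabled'.

    A missing line counts as not enabled: an older SGOS build that does not
    print the setting, or a truncated capture, must not pass the audit silently.
    """
    value = parse_show_tcp_ip(capture).get("ARP strict matching", "")
    return value.lower() == "enabled"


def audit(capture: str) -> List[str]:
    """Return a list of findings; an empty list means the capture passes."""
    findings: List[str] = []
    if not arp_strict_matching_enabled(capture):
        findings.append(
            "ARP strict matching is disabled or not reported; "
            "run 'tcp-ip arp-strict-matching enable' and re-check 'show tcp-ip'."
        )
    return findings


if __name__ == "__main__":
    for name, capture in (("default", DEFAULT_CAPTURE), ("strict", STRICT_CAPTURE)):
        print(name, "->", audit(capture) or "OK")
```

The parser deliberately keeps every setting it finds, so the same capture can be checked for other items in the list (for example that IP forwarding is still disabled) without re-parsing.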

To revert to the default behavior:

EdgeSWG#(config)tcp-ip arp-strict-matching disable