The ProxySG is responding to ARP requests on interfaces that don't have the IP address bound. This is causing problems with load balancers to not work correctly. Is there a way to disable this feature?
By default, the ProxySG will answer to ARP requests received on any interface as long as there is an IP address configured on the proxy that matches the request. For example assume the ProxySG has 2 interfaces configured:
Interface "0" is configured with 10.1.1.1 Interface "1" is configured with 192.168.1.1
If an ARP request for 10.1.1.1 is received on interface "1", even if the IP is for another interface, the ProxySG will answer the ARP request. This behavior might cause problems with some load-balancers.
The ProxySG has a hidden command to change this default behavior. To change this setting, please SSH or go to the serial console of the ProxySG and run the following commands
ProxySG>enable Enable Password: ProxySG#config t Enter configuration commands, one per line. End with CTRL-Z. ProxySG#(config)tcp-ip arp-strict-matching enable ProxySG#(config)show arp-strict-matching ARP response on matching interface only: enabled ProxySG# (config) exit ProxySG#
With this option enabled, an interface will only response to ARP request for its own IP address.
This command was added in SGOS 188.8.131.52 and SGOS 184.108.40.206
This configuration is kept in the registry and retained through restart. However, since it is a hidden command, it will not appear in the Sysinfo and it will not be part of the archived configuration. In the event where the configuration is copied over to another ProxySG, the command to change the ARP response behavior will have to be manually entered.
Imported Document ID: 000008731
Subscribing will provide email updates when this Article is updated. Login is required.