[Openswan Users] ARP cache

Norman Rasmussen norman at rasmussen.co.za
Fri Dec 2 13:12:07 CET 2005


`ip neigh flush all`

On 12/2/05, Lionel Cottin <cottin at free.fr> wrote:
> Dear OpenSwan gurus,
>
> I'm running OpenSwan (kernel 2.4.32 KLIPS + OpenSwan 2.4.4) HA clusters
> using heartbeat. These clusters are connected "behind" Checkpoint HA
> clusters and now here's my problem (i.e. the OpenSwan's default gateway
> is the checkpoint cluster's IP):
>
> When a Checkpoint node dies, Checkpoint failover occurs and the passive
> node becomes active; that's fine.
> On the OpenSwan side, the active node remains active but all IPSEC
> connections are turned into "hold" state and IPSEC connectivity does not
> recover unless I shut IPSEC down and restart it.
> My feeling is that OpenSwan is still sending IPSEC frames using the dead
> checkpoint node's MAC address. However it's still possible to connect
> to the OpenSwan node over SSH for example so it looks like there's some
> "ARP caching" performed on the ipsec0 interface not being updated when
> the default gateway's MAC address is replaced on the underlying physical
> interface (eth0).
>
> Is that a known behaviour? Should I add some additional failover
> criteria in my heartbeat Cluster? Is there a way to force OpenSwan
> to re-calculate the destination MAC address to use within IPSEC frames?
>
> regards,
> Lionel


--
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
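
The reply's `ip neigh flush all` drops every cached neighbour entry on the host. As an added example that is not part of the original thread, the script below watches the default gateway's MAC address on the physical interface and, when it changes (as it does after a gateway failover), flushes only the entries for that gateway address. The function names and the polling approach are assumptions, the sample lines are constructed, and the thread does not confirm whether a flush also clears whatever KLIPS caches for ipsec0.

```shell
# Added example (not from the thread); function names are hypothetical.

# Read `ip route show` text on stdin; print "<gateway-ip> <device>".
default_gw() {
    awk '$1 == "default" {
        gw = ""; dev = ""
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        if (gw != "" && dev != "") { print gw, dev; exit }
    }'
}

# Read `ip neigh show` text on stdin; print the lladdr cached for IP $1 on device $2.
neigh_mac() {
    awk -v ip="$1" -v dev="$2" '$1 == ip {
        d = ""; mac = ""
        for (i = 2; i < NF; i++) {
            if ($i == "dev") d = $(i + 1)
            if ($i == "lladdr") mac = $(i + 1)
        }
        if (d == dev && mac != "") { print tolower(mac); exit }
    }'
}

# $1 = previous MAC, $2 = current MAC, $3 = gateway IP.
# Print the targeted flush command only when both MACs are known and differ.
flush_cmd_on_change() {
    if [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]; then
        echo "ip neigh flush to $3"
    fi
}

if [ "${1:-}" = "--watch" ]; then
    # Live mode (needs root to flush): poll the gateway entry every 2 seconds.
    set -- $(ip route show | default_gw); gw=$1; dev=$2; prev=""
    while sleep 2; do
        cur=$(ip neigh show | neigh_mac "$gw" "$dev")
        cmd=$(flush_cmd_on_change "$prev" "$cur" "$gw")
        [ -n "$cmd" ] && { logger "gateway $gw MAC $prev -> $cur"; $cmd; }
        [ -n "$cur" ] && prev=$cur
    done
else
    # Constructed sample: the gateway's entry before and after a failover.
    a=$(echo '192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE' | neigh_mac 192.0.2.1 eth0)
    b=$(echo '192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:02 REACHABLE' | neigh_mac 192.0.2.1 eth0)
    flush_cmd_on_change "$a" "$b" 192.0.2.1
fi
```

Logging the old and new MAC on each change also leaves a record that can be checked against the known failover times, so an unexpected gateway MAC change stands out.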

