Hi,
We have installed a cluster of 7210 controllers running version 8.7.1.3. The controllers are used for wireless access and UBT with Aruba-CX switches.
The customer has a cluster of Forcepoint firewalls with the "Packet dispatch" feature.
We recently noticed that when the firewalls lose their ARP table (in case of a failover, for example), they lose connectivity to all clients behind the controllers (UBT or wireless).
When we reproduce the issue, we see that the ARP requests work perfectly from the client to the VIP of the firewall (.15). We see the request and the response.
On its side, the firewall tries to send ARP requests to the clients, but the client doesn't receive this request from the firewall IP (.13 or .14).
When we try to ping the firewall directly, not the VIP, we can see the ARP request and response with no problem, and we begin to receive the request from the firewall.
It's like the controllers refuse to forward the ARP requests until the client tries to contact this IP.
When the client first connects to the network, a gratuitous ARP is generated and we don't have the issue.
I'm not very familiar with the firewall features of the controllers. Is this normal behavior in the processing of ARP packets?
We tried disabling "ARP broadcast to unicast" and "drop unknown broadcast and multicast", with no result.
Thanks for your help,
------------------------------
Marc Antoine Catteau
------------------------------