Gateway Enforcers in Failover Configuration Creates Packet Storm

Article:TECH103067  |  Created: 2007-01-10  |  Updated: 2014-09-18  |  Article URL
Article Type
Technical Solution


Two Gateway Enforcers configured for failover will create an ARP packet storm on the network.

A switch configured for Spanning Tree Protocol (STP) immediately blocks the port to which a fail-over Gateway Enforcer is connected.



High level of ARP requests on a network with two Gateway Enforcers.

When starting two Gateway Enforcers in fail-over configuration, the switch closes/blocks the port to which a Gateway Enforcer is connected.

Two Gateway Enforcers installed with fail open NICs create a packet storm when both are connected to the switch (even before the Enforcers are turned on).


Gateway Enforcers connected to a network environment with Spanning Tree Protocol (STP) enabled


This issue has two causes:

A switch with Spanning Tree Protocol (STP) enabled will check for activity on a port whenever a a device is connected to it.   Two Gateway Enforcers configured for fail-over will each start in an active state until one receives a keep-alive packet from the other.  Once the keep-alive packet is received, one of the Enforcers will change to a Standby state, and will only revert to Active when the keep-alive packets are no longer detected.

A Fail-open Gateway Enforcer that is powered off is equal to a cross over cable (directly bridging Eth0 and Eth1) which, when running in parallel to an Active Gateway Enforcer, creates a packet loop.


When two Gateway Enforcers without fail-open NICs are configured for fail-over (two Enforcers connected side-by-side) and connected to a switch with STP enabled, disable Portfast for the ports to which the two Gateway Enforcers are connected.  This will allow the two Enforcers to send and receive keep alive packets to each other and maintain the appropriate active/standby state.    If Portfast is enabled, the switch will detect a spanning-tree breach and block one of the ports to which the Enforcers are connected, preventing the two Enforcers from managing their own active/standy states.

Gateway Enforcers with fail-open NICs should be used in a stand-alone configuration only.


Legacy ID


Article URL

Terms of use for this information are found in Legal Notices