Netscreen - What does the command `set arp always-on-dest` do ?
By default, Netscreen (ScreenOS versions 6.0.0 or below) will cache the source MAC address from the initial packet for a new session. It will then use this MAC address for the return traffic.
This can cause problems with external routers running VRRP where traffic is sent using a Virtual IP but a physical MAC address is used as the source MAC. If the router fails over and the security device has learned the MAC from the source MAC in the incoming frame, it would then direct return traffic to the wrong location.
This can also cause problems with Track-IP were once a failover has occurred the failed MAC address is still cached and traffic is sent to the wrong location.
On entering the command `set arp always-on-dest` the Netscreen will always perform an ARP lookup to learn a destination MAC address instead of using the source MAC address of the originating ethernet frame.
By doing an ARP lookup for the destination MAC, the security device can properly send traffic to the location of the new physical MAC address.
For further information on ScreenOS versions 6.0.0 or later please see click here.