Symptoms

Communication over private networks is broken for some customers in the OACI infrastructure.

Traffic captures show ARP responses coming from foreign MAC addresses that are outside of OACI.

Cause

Two different Virtuozzo infrastructures are joined into the same internal network. Virtuozzo 7 nodes have the proxy_arp feature enabled by default, so they respond to any ARP request for an IP that is outside the backnet NIC network but is reachable over other NICs.

Resolution

The issue is specific to Virtuozzo 7 networking.

As a fast workaround, the proxy_arp feature should be disabled on the Virtuozzo 7 nodes that are inside the same network as OACI nodes but are not registered in OACI:

# sysctl -w net.ipv4.conf.all.proxy_arp=0

Note that disabling the proxy_arp feature breaks host-routed network connectivity for Virtuozzo virtual machines. Only the bridged network type can then be used for VMs.
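To confirm the workaround took effect on a node, the following check lists every interface on which the kernel still answers proxy ARP. It is an added example, not part of the original article or of Virtuozzo tooling; the function name and the optional directory argument are assumptions of this example. It relies on the documented Linux behaviour that proxy_arp is active on an interface when either conf/all/proxy_arp or the interface's own proxy_arp is set to 1.

```shell
#!/bin/sh
# Added example: report interfaces where proxy ARP is effectively enabled.
# Linux ip-sysctl semantics: proxy_arp is active on an interface if
# conf/all/proxy_arp OR conf/<iface>/proxy_arp is 1, so a per-interface
# value of 1 keeps the feature on even after "all" is set to 0.

# $1 (optional, assumption of this example): root of the conf tree,
# so the check can also be run against a copied tree.
proxy_arp_enabled_ifaces() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all=0
    [ -r "$root/all/proxy_arp" ] && all=$(cat "$root/all/proxy_arp")

    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/proxy_arp" ] || continue
        own=$(cat "$dir/proxy_arp")
        if [ "$all" = "1" ] || [ "$own" = "1" ]; then
            echo "$iface all=$all iface=$own"
        fi
    done
    return 0
}

# Run against the live kernel settings (or a directory given as $1).
# No output means no interface answers proxy ARP.
proxy_arp_enabled_ifaces "$@"
```

A value set with sysctl -w applies only to the running kernel, so repeat the check after a reboot.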
