This Knowledgebase article provides information about the procedure used by the Neverfail servers to get the client computers to update their ARP caches during a switchover or failover.
The Neverfail server pair should be configured so that there is one active and one passive server at all times with the client computers connecting to the active server. During a switchover or failover, the servers in the pair exchange roles, which requires the client computers to be notified which physical machine is the current active server and connect to it.
The packet filter on the Neverfail server that is becoming active sends a "gratuitous ARP" (GARP), which claims that the principal (public) IP address is now associated with its MAC address. This causes clients on the same subnet to stop using the previous MAC address when communicating with that IP address.
Clients that are not on the same subnet do not use the ARP cache to communicate with the IP address; instead, they communicate via the default gateway specified in their routing table, so they do not see the GARP.
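The following Python is an added example, not Neverfail code. It parses raw Ethernet/ARP frames, recognises a gratuitous ARP (sender IP equal to target IP), and records when the principal IP address moves to a new MAC address, as a monitoring sensor on the same subnet would see it during a switchover. The function names, MAC addresses and the 192.0.2.10 address are constructed for illustration.

```python
import socket
import struct

ETH_ARP = 0x0806  # EtherType for ARP

def parse_arp(frame: bytes):
    """Return ARP fields from an Ethernet II frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"oper": oper, "sender_mac": sha.hex(":"),
            "sender_ip": socket.inet_ntoa(spa), "target_ip": socket.inet_ntoa(tpa)}

def is_gratuitous(arp) -> bool:
    # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
    return arp is not None and arp["sender_ip"] == arp["target_ip"]

def apply_frames(frames, cache=None):
    """Track IP->MAC bindings from gratuitous ARPs; return (cache, rebinds)."""
    cache = dict(cache or {})
    rebinds = []  # (ip, old_mac, new_mac) for every binding that changed
    for frame in frames:
        arp = parse_arp(frame)
        if not is_gratuitous(arp):
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = cache.get(ip)
        if old is not None and old != mac:
            rebinds.append((ip, old, mac))
        cache[ip] = mac
    return cache, rebinds

def build_garp(mac: str, ip: str) -> bytes:
    """Build a constructed sample frame (test fixture only; nothing is sent)."""
    m = bytes.fromhex(mac.replace(":", ""))
    a = socket.inet_aton(ip)
    eth = b"\xff" * 6 + m + struct.pack("!H", ETH_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + m + a + b"\x00" * 6 + a

# Constructed sample: the same principal IP announced first by one server, then the other.
SAMPLE = [build_garp("02:00:00:00:00:0a", "192.0.2.10"),
          build_garp("02:00:00:00:00:0b", "192.0.2.10")]

if __name__ == "__main__":
    print(apply_frames(SAMPLE))
```

Because ARP is unauthenticated, a rebind of the principal IP address that does not coincide with a known switchover or failover is worth correlating against the Neverfail server logs.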
In the event of a failover, client applications will see their socket connection to the public IP address fail, and different applications behave in different ways: some will automatically reconnect while others will require the user to take some action to reconnect. Typically, reconnection will involve a DNS lookup to find the principal (public) IP address and then opening a socket connection to that IP address.
In a typical LAN scenario, the Primary and Secondary IP addresses are the same. Therefore, the DNS lookup returns the same IP address and the client reconnects to that IP address using the updated ARP information for the last hop in the local subnet.
In a typical WAN scenario, the Primary and Secondary principal (public) IP addresses are different. When one of the servers becomes active, it uses the DNSUpdate tool from the start scripts to register its principal (public) IP address as the one to use. DNS lookup then returns the new IP address and the client reconnects to that IP address. It can take a variable amount of time for the updated DNS information to propagate to some clients' DNS servers, so there may be some delay before those clients can attach to the new active server.