Forever changing MAC addresses!

Unanswered Question
Oct 3rd, 2008

We are having an issue with a connection to a partner network. We have two Pix firewalls in Active/Standby mode (running 6.3(3)), the partner has two Pix 506E installed on our site that link back to their network. There are two cisco switches in between the firewalls with no special security features enabled on any of the ports. All devices are on a single subnet.

We have no view of their configuration and they will not discuss the configuration on their firewalls. They simply say that the same configuration works at other sites.

The problem we have is that FTP stops working every so often (approx 4 hrs) and we can only get it going again by clearing the arp cache. See below.

! FTP not working ARP cache
show arp
int_partner XXX.XXX.1.1 000d.8811.7e52
int_partner XXX.XXX.1.99 0016.c827.6673 <--
int_partner XXX.XXX.1.88 0016.c827.65f8 <--
int_partner XXX.XXX.1.2 000f.8f1c.81c0
int_partner XXX.XXX.1.3 000f.8f1c.7d80
!

Clear ARP
ping XXX.XXX.1.88
ping XXX.XXX.1.99
show arp

! FTP working ARP cache
int_partner XXX.XXX.1.1 000d.8811.7e52
int_partner XXX.XXX.1.99 0016.c827.65f8 <--
int_partner XXX.XXX.1.88 0016.c827.6673 <--
int_partner XXX.XXX.1.3 000f.8f1c.7d80
int_partner XXX.XXX.1.2 000f.8f1c.81c0
!

As can be seen, the .88 & .99 IP addresses have swapped MAC addresses. This is not normal behaviour on networks and I believe it is caused by their internal routing through the firewalls. The .88 & .99 addresses are NAT'ed addresses, because the same MACs are shown with their firewalls' interface IP addresses.

Because they will not do anything with the configuration at their end, can anyone suggest any ways of limiting the effects of the problem?

I can lower the ARP cache timeout, but I need to be able to clear the ARP cache or at least do something to update the cache at regular intervals with the changed MACs. I would like to try to use the RTR command, but this isn't available on 6.3 and upgrading isn't currently possible.

Any ideas?

Mel
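To confirm and time the pattern described above (two IPs on one interface exchanging MACs between snapshots), here is an added example that is not part of the original post: a small Python checker that parses two saved copies of PIX "show arp" output and reports entries whose MAC changed and pairs that swapped. The two snapshots are constructed from the listings in the question, with the XXX.XXX prefix kept as a placeholder.

```python
import re

# Constructed snapshots modelled on the two "show arp" listings quoted above
# (XXX.XXX kept as the placeholder prefix; these are not real addresses).
ARP_BEFORE = """\
int_partner XXX.XXX.1.1 000d.8811.7e52
int_partner XXX.XXX.1.99 0016.c827.6673
int_partner XXX.XXX.1.88 0016.c827.65f8
int_partner XXX.XXX.1.2 000f.8f1c.81c0
int_partner XXX.XXX.1.3 000f.8f1c.7d80
"""
ARP_AFTER = """\
int_partner XXX.XXX.1.1 000d.8811.7e52
int_partner XXX.XXX.1.99 0016.c827.65f8
int_partner XXX.XXX.1.88 0016.c827.6673
int_partner XXX.XXX.1.3 000f.8f1c.7d80
int_partner XXX.XXX.1.2 000f.8f1c.81c0
"""

# One PIX "show arp" line: <interface> <ip> <mac as xxxx.xxxx.xxxx>
ARP_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$", re.I)


def parse_show_arp(text):
    """Map (interface, ip) -> mac for each well-formed line; skip everything else."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            iface, ip, mac = m.groups()
            table[(iface, ip)] = mac.lower()
    return table


def find_mac_changes(before, after):
    """Entries present in both snapshots whose MAC differs: {(iface, ip): (old, new)}."""
    changes = {}
    for key, new_mac in after.items():
        old_mac = before.get(key)
        if old_mac is not None and old_mac != new_mac:
            changes[key] = (old_mac, new_mac)
    return changes


def find_mac_swaps(changes):
    """IP pairs on one interface that exchanged MACs, the pattern seen in the post."""
    swaps = set()
    for (iface, ip_a), (old_a, new_a) in changes.items():
        for (iface_b, ip_b), (old_b, new_b) in changes.items():
            if iface == iface_b and ip_a < ip_b and old_a == new_b and old_b == new_a:
                swaps.add((iface, ip_a, ip_b))
    return sorted(swaps)
```

Running it periodically against captured "show arp" output gives a timestamped record of when the flip happens, which is useful evidence when taking the issue back to the partner.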

smahbub Thu, 10/09/2008 - 13:31

The "arp timeout" command specifies the duration to wait before the ARP table rebuilds itself, automatically updating new host information. This feature is also known as the ARP persistence timer. The no arp timeout command resets the ARP persistence timer to its default value. The show arp timeout command displays the current timeout value. Set the arp timeout to a lower value so that the ARP table is refreshed at regular intervals, which solves the issue.

Refer to the following URL for more information about the arp timeout command:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1127855
