PIX525 problem

Unanswered Question
Sep 3rd, 2009

hi,

We've been experiencing a PIX hang-up wherein we cannot ping its same-subnet IPs and gateway. After rebooting, the condition seems to normalize.

Does it have something to do with these logs?

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside

a.manosca Fri, 09/04/2009 - 00:18

hi sir,

Does this contribute to me not being able to access the failover PIX?

Thanks.

rc.castillo Fri, 09/04/2009 - 01:20

How about the possibility of having some form of attack, i.e. ARP poisoning or DoS?

rc.castillo Fri, 09/04/2009 - 01:56

Yes sir, it is configured with "ip verify reverse-path interface outside" but there is no "sysopt noproxyarp outside". Is this command supported for ver 6.3?

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request and asks "Who is this IP address?". The device that owns the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host.

rc.castillo Fri, 09/04/2009 - 02:30

Would this have an impact on the network when you disable proxy ARP? i.e. NAT

Yes it will - it will directly impact any "static" NAT configuration you have.

As the outside interface has a specific IP address in a range - if you have a static NAT in that range for an internal host, the PIX HAS to answer for it, even though its IP is different; the next-hop layer 2 device will have multiple ARP entries containing the outside interface MAC address.
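A defender's check for the pattern in the question's 405001 lines and for the proxy-ARP point made above, as an added example that is not part of this thread: it groups collision messages per IP, flags an IP that is answered by more than one MAC (duplicate IP or ARP poisoning), and does not flag one MAC answering for several IPs, which is what static NAT with proxy ARP produces. The sample log lines, addresses and MACs are constructed, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the 405001 messages quoted in the
# question; the addresses and MACs are placeholders, not values from the thread.
SAMPLE_LOG = """\
%PIX-4-405001: Received ARP response collision from 203.0.113.10/0011.2233.4455 on interface outside
%PIX-4-405001: Received ARP response collision from 203.0.113.10/00aa.bbcc.ddee on interface outside
%PIX-4-405001: Received ARP response collision from 203.0.113.10/0011.2233.4455 on interface outside
%PIX-4-405001: Received ARP response collision from 203.0.113.11/0011.2233.4455 on interface outside
%PIX-4-405001: Received ARP response collision from 203.0.113.11/0011.2233.4455 on interface outside
"""

ARP_COLLISION_RE = re.compile(
    r"405001: Received ARP response collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>[0-9a-fA-F.:-]+) on interface (?P<iface>\S+)"
)


def parse_collisions(text):
    """Return (interface, ip, mac) for every 405001 line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ARP_COLLISION_RE.search(line)
        if m:
            events.append((m.group("iface"), m.group("ip"), m.group("mac").lower()))
    return events


def summarize(events):
    """Group collisions as {(interface, ip): {mac: count}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for iface, ip, mac in events:
        per_ip[(iface, ip)][mac] += 1
    return per_ip


def flag_suspicious(per_ip):
    """One IP seen with two or more MACs is worth investigating (duplicate IP or
    ARP poisoning). One MAC behind many IPs is expected where the firewall
    proxy-ARPs for static NAT entries, so that case is deliberately not flagged."""
    return {key: sorted(macs) for key, macs in per_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    for (iface, ip), macs in flag_suspicious(summarize(parse_collisions(SAMPLE_LOG))).items():
        print(f"{iface}: {ip} answered by {len(macs)} MACs: {', '.join(macs)}")
```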
