cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
653
Views
0
Helpful
11
Replies

PIX525 problem

rc.castillo
Level 1
Level 1

hi,

we've been experiencing pix hangup wherein we cannot ping its same subnet ip's and gateway. after rebooting, the condition seems to normalize.

does it have something to do with this logs?

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside

11 Replies 11

andrew.prince
Level 10
Level 10

Looks like you have 2 devcies configured with either the same IP address or the same mac address.

Investigate the config of your equipment and any other 3rd party kit.

HTH>

hi sir,

does this contribute on me not being able to access the failover pix?

Thanks.

It will have some impact on this - if you have mis-configured your failover incorrectly, yes.

how about the possibility of having some form of attack? i.e. arp poisoning, dos?

Well that could be a cause - but I would have thought that the device would have been setup/configured correctly with:-

"ip verify reverse-path interface outside"

&

"sysopt noproxyarp outside"

yes sir it is configured with "ip verify reverse-path interface outside" but there is no "sysopt noproxyarp outside". is this command supported for ver 6.3

I know it is available in 6.3(4) - what ver are you running?

im using 6.3(5). just want to clarify, what does this syntax do?

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request and asks "Who is this IP address?". The device that owns the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host.

would this have an impact on the network when you disable proxy arp?i.e. nat

Yes it will - it will directly impact any "Static" nat configuration you have.

As the outside interface has a specific IP address in a range - if you have a static NAT in that range for an internal host, the pix HAS to answer for it, even though it's IP is differnet, the next host layer 2 deivce will have multiple arp entries containing the outside interface MAC address.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: