PIX 525 DoS

Unanswered Question
Sep 24th, 2009

Hi,

I'm having trouble with my standby PIX. After some time the outside interface becomes inaccessible, but my inside interface is still accessible. By clearing my ARP table, the outside interface becomes accessible again. Does anyone of you know what might cause this problem? I've already checked if I have a duplicate IP, but I can't find any duplicate IP.

Here is the logging from my device whenever this problem occurs:

405001: Received ARP response collision from x.x.x.x/0000.0c07.xxxx on interface outside
405001: Received ARP response collision from x.x.x.x/0000.0c07.xxxx on interface outside
405001: Received ARP response collision from x.x.x.x/0000.0c07.xxxx on interface outside
405001: Received ARP response collision from x.x.x.x/000d.xxxx.xxxx on interface outside
405001: Received ARP response collision from x.x.x.x/0000.0c07.xxxx on interface outside
405001: Received ARP response collision from x.x.x.x/000d.xxxx.xxxx on interface outside
106021: Deny icmp reverse path check from y.y.y.y to x.x.x.x on interface outside
106021: Deny icmp reverse path check from y.y.y.y to z.z.z.z on interface outside
405001: Received ARP response collision from x.x.x.x/0000.0c07.xxxx on interface outside
405001: Received ARP response collision from x.x.x.x/000d.xxxx.xxxx on interface outside
106021: Deny icmp reverse path check from y.y.y.y to x.x.x.x on interface outside
106021: Deny icmp reverse path check from y.y.y.y to z.z.z.z on interface outside
405001: Received ARP response collision from x.x.x.x/0000.0c07.xxxx on interface outside
405001: Received ARP response collision from x.x.x.x/000d.xxxx.xxxx on interface outside

Hope you could help me.

Thanks

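As an added example (not from the thread or from the poster), a small Python script that parses 405001 messages like the ones above, groups the MACs seen for each IP, and reports which IPs had more than one MAC answer ARP and which MAC answered for more than one IP. The log lines, addresses and MACs in it are constructed; one constructed MAC is in the HSRPv1 virtual MAC range 0000.0c07.acXX, which the masked 0000.0c07.xxxx entries above resemble.

```python
import re
from collections import defaultdict

# Pattern for the PIX syslog message quoted in the thread:
#   405001: Received ARP response collision from <ip>/<mac> on interface <name>
ARP_COLLISION_RE = re.compile(
    r"405001: Received ARP response collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample log (IPs and MACs are made up, not the poster's real values).
# 0000.0c07.ac01 is in the HSRPv1 virtual MAC range 0000.0c07.acXX.
SAMPLE_LOG = """\
405001: Received ARP response collision from 1.1.1.3/0000.0c07.ac01 on interface outside
405001: Received ARP response collision from 1.1.1.3/0000.0c07.ac01 on interface outside
405001: Received ARP response collision from 1.1.1.3/000d.bc12.3456 on interface outside
106021: Deny icmp reverse path check from 10.9.8.7 to 1.1.1.3 on interface outside
405001: Received ARP response collision from 1.1.1.2/0000.0c07.ac01 on interface outside
"""

def parse_collisions(log_text):
    """Map (interface, ip) -> {mac: number of 405001 lines naming that mac}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = ARP_COLLISION_RE.search(line)
        if m:
            seen[(m["iface"], m["ip"])][m["mac"].lower()] += 1
    return seen

def find_contested_ips(log_text):
    """IPs on which more than one MAC answered ARP: the symptom in the thread."""
    return {key: dict(macs)
            for key, macs in parse_collisions(log_text).items()
            if len(macs) > 1}

def shared_macs(log_text):
    """MACs reported in collisions for more than one IP (e.g. a router virtual MAC)."""
    by_mac = defaultdict(set)
    for (_, ip), macs in parse_collisions(log_text).items():
        for mac in macs:
            by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    print(find_contested_ips(SAMPLE_LOG))
    print(shared_macs(SAMPLE_LOG))
```

Feed it the real `show logging` output and compare the reported MACs against the switch's MAC address table to see which port each answering device sits on.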
platinum_jem Thu, 09/24/2009 - 23:23

Did you try finding out who is holding the MAC address of the reported collision party?

It should be some device in the same subnet as the outside interface IP.

rc.castillo Thu, 09/24/2009 - 23:30

Hi,

The MAC addresses of the reported collision are from two valid sources with different IPs. The outside interface seems to be confused by this. Is this the cause? Is it possible to statically bind the MAC address of the standby PIX to its IP address?

Thanks

platinum_jem Fri, 09/25/2009 - 00:08

The problem is not with the standby PIX being unable to bind to its own MAC address.

If you have an ARP collision, when other devices in the subnet perform ARP on the relevant IP, the incorrect party will sometimes reply faster than the PIX, which will result in packets being redirected to another device instead, thus causing non-responsiveness.

When you say "cannot access", where are you accessing the outside interface from?

Trace the path inwards until you reach the device just before reaching the PIX. You can then fix a static ARP there so that it doesn't do dynamic ARP for that particular IP.

Hope this helps.

rc.castillo Fri, 09/25/2009 - 00:29

Hi,

I'm accessing it from the outside. In my scenario, when I'm not able to access the outside interface of the standby, what I'll do is access it through its inside. This is also true when I'm on the inside network.

Any suggestions as to what might have been the cause? And what is the workaround for this? Could it be that the outside physical port is problematic? But I can't see any errors on the said port.

Hope you can help.

platinum_jem Fri, 09/25/2009 - 07:12

Perhaps you can provide a network diagram with the PIX and the outside network (preferably with IP addresses); I can then explain to you in more detail.

The only way to work around this is to set a static ARP for the standby PIX outside interface on the next hop device.

rc.castillo Sun, 09/27/2009 - 15:36

Hi,

My primary and standby PIX are connected to a single switch. Two routers in HSRP are also connected via this switch. All outside interfaces are on the same VLAN. The next hop of the PIX is the router. Let's say that my outside IP for the standby PIX is 1.1.1.3 and the IP for the primary PIX is 1.1.1.2. For the routers, let's say that their outside IPs are 1.1.1.4 and 1.1.1.5 with a VIP of 1.1.1.1.

Should I set a static ARP on the router for the standby PIX?

Thanks.

platinum_jem Mon, 09/28/2009 - 07:43

Yes, configure a static ARP on both HSRP routers for the standby PIX (1.1.1.3).

That should prevent any more ARP hijacks.

rc.castillo Wed, 09/30/2009 - 23:41

Isn't it the case that when I statically assign the MAC of the standby PIX on the routers, I will have a problem when there comes a time that a failover occurs?

The issue that I am having is that the MAC of the primary is being used by the VIP of the router. Is this because I am having a collision?

Any other suggestions?

Hope you could help.

rc.castillo Wed, 09/30/2009 - 23:42

Is there a way in which I can map the MAC of the standby to its IP?

platinum_jem Thu, 10/01/2009 - 00:03

>>Isn't it the case that when I statically assign the MAC of the standby PIX on the routers, I will have a problem when there comes a time that a failover occurs?

If this is the Physical IP Address of the standby PIX, it shouldn't matter because ultimately it belongs to the standby PIX.

>>The issue that I am having is that the MAC of the primary is being used by the VIP of the router. Is this because I am having a collision?

The VIP will always match the physical MAC of the active PIX under normal conditions.

---------------

What I'm saying here is, IF the physical IP address of the standby is experiencing IP conflicts, you can just configure a static ARP in the routers to work around the problem.

This has nothing to do with the VIP (unless your VIP is also experiencing IP conflicts, in which case it's a different issue).

rc.castillo Thu, 10/01/2009 - 00:49

Hi,

>>The VIP will always match the physical MAC of the active PIX under normal conditions.

Do you have any documentation for this? If so, why?

>>What I'm saying here is, IF the physical IP address of the standby is experiencing IP conflicts, you can just configure a static ARP in the routers to work around the problem.

Do you mean the failover IP? Is the failover IP the physical IP of the standby PIX? I have a cable-based failover.

Thanks

rc.castillo Thu, 10/01/2009 - 00:59

Why is it that I don't have a value for the ARP table counter? Is this because of the collision or a bug?

Stateful Failover Logical Update Statistics
        Link : stateful
        Stateful Obj    xmit       xerr       rcv          rerr
        General         234413     0          98283969     0
        sys cmd         234413     0          234413       0
        up time         0          0          2            0
        xlate           0          0          4672         0
        tcp conn        0          0          98044436     0
        udp conn        0          0          446          0
        ARP tbl         0          0          0            0
        RIP Tbl         0          0          0            0
