FWSM: ARP Collision and Poisoning

Unanswered Question
Jan 20th, 2010

Dear All

We have FWSM in our organization. I have a firewall analyzer for analyzing the FWSM logs.

The Firewall Analyzer is giving me these attacks:

arp poisioning    arp    05 Dec 2009, 19:46:53    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5 
arp poisioning    arp    05 Dec 2009, 12:27:35    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5 
arp poisioning    arp    05 Dec 2009, 11:41:38    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5

Are these attacks true or false?

Thanks,

Panos Kampanakis Wed, 01/20/2010 - 16:01

What this log means is that the module received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

In other words, 2 hosts are using the IP 10.5.20.15.

On the switch do a "sh mac-address-table | i 8269" and a "sh mac-address-table | i a532" to see where these MACs are connected and track these hosts down.

I hope it helps.

PK
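As an added example (not part of this thread or of any Cisco tooling), the script below parses the three %fwsm-4-405001 rows quoted in the question, orders them by time, and reports for each interface/IP pair whether the colliding MAC changed once (consistent with a planned failover) or alternated back and forth, which is what the quoted rows actually show. The row text and the verdict labels are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three analyzer rows from the question, newest first.
SAMPLE_ROWS = """arp poisioning    arp    05 Dec 2009, 19:46:53    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
arp poisioning    arp    05 Dec 2009, 12:27:35    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5
arp poisioning    arp    05 Dec 2009, 11:41:38    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5"""

TS_RE = re.compile(r"(\d{2} \w{3} \d{4}, \d{2}:\d{2}:\d{2})")
MSG_RE = re.compile(
    r"%fwsm-4-405001: received arp request collision from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<iface>\S+)", re.IGNORECASE)

def parse_rows(text):
    """Return (timestamp, ip, mac, iface) tuples in chronological order."""
    events = []
    for row in text.splitlines():
        ts_m, msg_m = TS_RE.search(row), MSG_RE.search(row)
        if not (ts_m and msg_m):
            continue  # not a 405001 row; ignore
        ts = datetime.strptime(ts_m.group(1), "%d %b %Y, %H:%M:%S")
        events.append((ts, msg_m["ip"], msg_m["mac"].lower(), msg_m["iface"]))
    return sorted(events)

def classify(events):
    """Per (iface, ip): verdict label plus the distinct MACs that collided."""
    by_key = defaultdict(list)
    for _ts, ip, mac, iface in events:
        by_key[(iface, ip)].append(mac)
    verdicts = {}
    for key, macs in by_key.items():
        distinct = sorted(set(macs))
        # number of times the reported MAC differs from the previous report
        changes = sum(1 for a, b in zip(macs, macs[1:]) if a != b)
        if len(distinct) == 1:
            verdict = "single-mac"        # same MAC keeps colliding with cache
        elif changes == 1:
            verdict = "one-time-change"   # old MAC then new MAC: fits a failover
        else:
            verdict = "flapping"          # MACs alternate: both hosts seen live
        verdicts[key] = (verdict, distinct)
    return verdicts

if __name__ == "__main__":
    for key, (verdict, macs) in classify(parse_rows(SAMPLE_ROWS)).items():
        print(key, verdict, macs)
```

For the quoted rows the verdict is "flapping": a532 was reported, then 8269, then a532 again, so each MAC was seen after the other rather than a single swap.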

Ahmad Samir Thu, 01/21/2010 - 04:12

Dear PK

Thanks very much for your reply,

Actually I asked the administrator of the server and he told me that they have a primary server and a disaster recovery server. On the day these logs appeared in the FWSM, they powered down the primary and brought up the DR server, which has the same IP address but a different MAC address.

So, my question is, since they already shut down the primary one first and brought up the DR next, why does it show an ARP collision in the FWSM?

How long will it take for the firewall to clear an entry from the ARP table or update the ARP table with the new entry?

Thanks for the help.

Kureli Sankar Thu, 01/21/2010 - 05:03

"sh run arp" should tell you the arp timeout. It is usually 4 hours by default.

If they already turned it off, then we shouldn't be seeing these messages.

Issue "clear logg buffer" and watch the logs again with "sh logg | i 405001" to see if you still see these messages.

-KS

Ahmad Samir Sun, 01/24/2010 - 00:46

Dear KS

Thanks for your help,

Actually they shut down and powered down the primary server and directly turned on the disaster recovery server. I want to know how long it will take for the firewall to clear an entry from the ARP cache table.

Will the firewall erase the entry from the cache when the host is removed from the network directly, or will it wait for 4 hours to remove the entry?

Also, if the collision happens, will the firewall update the ARP entry with the new MAC address?

Thanks and Best Regards,
