01-20-2010 11:39 AM - edited 03-11-2019 09:59 AM
Dear All,
We have FWSM in our organization. I have a firewall analyzer for analyzing the FWSM logs.
The Firewall Analyzer is giving me these attacks:
arp poisoning arp 05 Dec 2009, 19:46:53 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
arp poisoning arp 05 Dec 2009, 12:27:35 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5
arp poisoning arp 05 Dec 2009, 11:41:38 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
Are these attacks true or false?
Thanks,
01-20-2010 04:01 PM
What this log means is that the module received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
In other words, 2 hosts are using the IP 10.5.20.15.
On the switch do a "sh mac-address-table | i 8269" and a "sh mac-address-table | i a532" to see where these MACs are connected and track these hosts down.
I hope it helps.
PK
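The meaning PK gives for 405001 (a MAC that differs from the cached one) suggests a check that can be run over the raw FWSM syslog instead of relying on the analyzer's "arp poisoning" label. The following is an added example and not part of this thread; it parses constructed sample lines patterned on the ones quoted above and reports, per interface and IP, the MACs seen and how many times the MAC changed, which separates a one-off swap from an address that keeps moving between two hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled on the FWSM 405001 messages quoted in the thread.
# The last line is an unrelated message and must be ignored by the parser.
SAMPLE_LOGS = """\
05 Dec 2009, 19:46:53 - %FWSM-4-405001: Received ARP request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
05 Dec 2009, 12:27:35 - %FWSM-4-405001: Received ARP request collision from 10.5.20.15/0020.3504.8269 on interface dmz5
05 Dec 2009, 11:41:38 - %FWSM-4-405001: Received ARP request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
05 Dec 2009, 13:00:00 - %FWSM-6-302013: Built outbound TCP connection 12345 for outside:1.2.3.4/80
"""

# Matches the 405001 message body; request/response and letter case both vary in practice.
LINE_RE = re.compile(
    r"(?P<ts>\d{2} \w{3} \d{4}, \d{2}:\d{2}:\d{2}) - %FWSM-4-405001: "
    r"Received ARP (?:request|response) collision from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<ifc>\S+)",
    re.IGNORECASE,
)


def parse_collisions(text):
    """Return (timestamp, ip, mac, interface) tuples for every 405001 line, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d %b %Y, %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("mac").lower(), m.group("ifc")))
    events.sort()
    return events


def summarize(events):
    """Per (interface, ip): distinct MACs seen and how many times the MAC flipped.

    One flip fits a single planned change such as a failover; more than one means the
    address moved back and forth between hosts, which is worth tracing on the switch.
    """
    by_key = defaultdict(list)
    for ts, ip, mac, ifc in events:
        by_key[(ifc, ip)].append(mac)
    report = {}
    for key, macs in by_key.items():
        flips = sum(1 for a, b in zip(macs, macs[1:]) if a != b)
        verdict = "flapping" if flips > 1 else "single change"
        report[key] = {"macs": sorted(set(macs)), "flips": flips, "verdict": verdict}
    return report
```

On the three quoted lines the MAC goes a532, then 8269, then back to a532 in time order, so the check reports two flips rather than the single change a clean primary-to-DR switch would leave.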
01-21-2010 04:12 AM
Dear PK,
Thanks very much for your reply.
Actually, I asked the administrator of the server and he told me that they have a primary server and a disaster recovery server. On the day these logs appeared in the FWSM, they powered down the primary and brought up the DR server, which has the same IP address but a different MAC address.
So, my question is, they already shut down the primary one first and brought up the DR next, so why does it show an ARP collision in the FWSM?
How long will it take for the firewall to clear an entry from the ARP table or update the ARP table with the new entry?
Thanks for the help.
01-21-2010 05:03 AM
"sh run arp" should tell you the ARP timeout. It is usually 4 hours by default.
If they already turned it off, then we shouldn't be seeing these messages.
Issue "clear logg buffer", watch the logs again with "sh logg | i 405001" and see if you still see these messages.
-KS
01-24-2010 12:46 AM
Dear KS,
Thanks for your help.
Actually, they shut down and powered down the primary server and directly turned on the disaster recovery server. I want to know how long it will take for the firewall to clear an entry from the ARP cache table.
Will the firewall erase the entry from the cache when it is removed from the network directly, or will it wait for 4 hours to remove the entry?
Also, if the collision happens, will the firewall update the ARP entry with the new MAC address?
Thanks and Best Regards,