03-10-2010 02:11 AM - edited 03-06-2019 10:04 AM
Good day all.
I am struggling for a while now with the following:
We have two servers sitting in the same server room. Pinging from our tooling server to our SQL server, we will get request timeouts for a period of 8 - 10 min at a time. While this server is timing out I am able to ping it from different other devices on the network. The funny thing is when I connect to the Cisco switch from which that server is connecting and ping the server address the timeouts on the tooling server would stop and I would get a reply again from the sever. The switches are all WS-C3560G-24PS switches; I am attaching a basic network layout of the network.
Any help would be appreciated.
Thank you,
03-10-2010 03:05 AM
Hello Natius,
I suppose that both servers are in the same VLAN and their IP's are from the same subnet range.
It sounds like a problem with the switch mac address table or the server arp cache. Can you view the mac address table before and after the ping issue?
Best regards,
César.
03-10-2010 08:45 PM
Thank you for the reply. Yes they are all on Vlan 1 and their IP are from the same subnet. While I get the timeouts on the server I can still see the mac address on the port that it links to. From my office which comes in through the router in the diagram I am still able to remote to the server, and ping it, it seems that it is only affecting some of the users in that building. What I have done is to clear the arp-cache on the switch but still get the problem. I will have a look at the servers arp table when it gets timesout again.
03-10-2010 10:40 PM
Ok I did have a look in our tooling servers arp table when the server is replying and the IP and MAC is correct for the server. As soon as it started to timeout I had a look again, and the mac in the arp table point to the firewall! I have read on another forum about a command on the firewall that needs to be enabled: sysopt noproxyarp inside. I am not clued up on firewalls if someone can enlighten me please.
Thank you.
03-11-2010 12:43 AM
Hello Natius,
This command disables proxy ARP for NAT global addresses on an interface. Proxy ARP is usefull when the firewall is implenting NAT. Proxy ARP responds to ARP requests for the global addresses defined on a firewall interface. For example, if I define a global pool with two addresses (80.80.80.20 and 80.80.80.21) in the outside interface, the proxy ARP will respond to the ARP's requests directed to these IP addresses from the outside interface.
In your case, It seems a problem in the NAT definition. If NAT is OK, I think you will can disable ARP cache on the local interface.
A ARP proxy cache better explanation:
http://www.cisco.com/en/US/docs/security/pix/pix52/firewall/configuration/guide/commands.html
"The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).
The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses
To disable Proxy ARPs on the inside interface:
sysopt noproxyarp inside.
To enable Proxy ARPs on the inside interface:
no sysopt noproxyarp inside."
Best regards,
César.
03-11-2010 01:06 AM
The thing about this firewall is, the servers and hosts in the building is not supposed to go through the firewall, it was installed to seperate a control network from the office network. It does have an IP on the office VLAN though. Would that make a difference?
03-11-2010 02:05 AM
Hi,
I hope this issue is occuring due to sysopt noproxyarp interface name command is missing in firewall or some host based routes are there in any of your servers.
The reason being that, whenever the host want to know the destination it will used to send the ARP message,then destination will response with its own MAC address.
Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host.
ciscoasa(config)#no sysopt noproxyarp outside
Try to configure this in your firewall... the issue will be resolved
Regards
Karuppu
03-11-2010 02:07 AM
Can you check the firewall NAT configuration? It seems like the Firewall is replying with the server IP address. A possible cause is having the IP server address defined in the Firewall NAT global pool.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: