PIX does not answer arp request

Feb 17th, 2006

I've added a server (ProLiant 3000, Windows 2000 SP4) in the DMZ, but the PIX doesn't answer its ARP requests. The access lists are OK. If I enter static entries in the ARP tables (PIX and server), they can communicate normally, but without these entries nothing works; the PIX doesn't answer. Why? Is there any configuration to add to the PIX? The server is able to ping all the other servers in the DMZ.


Thank you!

jarathbu Sun, 02/19/2006 - 18:51

Hello,


Is the PIX configured as the server's default gateway? Do the IPs and subnet masks match on the DMZ link? Do you have this same issue for inside devices? Did you try debug arp on the PIX?



Hope this helps.



Regards,



James

pnparadis Mon, 02/20/2006 - 11:14

The PIX is the default gateway, and the IP and subnet mask are the right ones.


I have added manual ARP entries on both the PIX and the server and it worked... However, I would like to find a "real" solution...

jarathbu Mon, 02/20/2006 - 17:25

Hello,


I recreated this with a simple topology:


pc---switch---pix


There is nothing special required on either the host or the PIX for the ARP process to work correctly. Notice in the attachment that the PC shows a dynamic entry for 8.8.8.1 (the DMZ2 interface of the PIX), and after clearing the ARP cache on the PIX, the PIX correctly repopulates its ARP cache.


The other servers in the DMZ that your server can ping - are they located on the same switch? Is the PIX attached to the same switch as well? Do you see correct CAM/MAC entries on all the respective ports?



Hope this helps.



Regards,



James



Attachment: 
pnparadis Wed, 02/22/2006 - 06:10

Hi!


The other servers are on the same switch, and the PIX too. No configuration has been made on the switch; I have not seen anything wrong. The MAC address table is OK.


If I connect a PC in the DMZ it works well, but not this server.


The other servers are plugged into two switches, with two teamed NICs. This server has only one NIC; I don't know if that could make a difference?


After clearing the ARP cache, it repopulates correctly, but not for this server.


regards

Pierre-Nicolas

mpalardy Wed, 02/22/2006 - 08:04

Hi Pierre,


There may be a misconfiguration in the PIX configuration (static, nat, subnet mask, etc.).


In order to be sure, and to eliminate the possibility of a misconfiguration on the server, I'd suggest the following.

1. Remove the server from the switch.

2. Clear all ARP entries.

3. Ask Richard to put his Fluke device on the switch, with the same IP/mask and the same switch port as the server.

4. Observe the behaviour of the ARP request.


Oh sorry, you have already tried this with a PC (was the IP the same as the server's?).


I remember, in a previous PIX version, seeing a bug on cisco.com reporting an unsupported MAC address range for hosts. Maybe you can use Richard's Fluke to do this test.


(CCO login required)

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdt47829&cco_product=PIX+Firewall&fset=&swver=&keyw=MAC&target=&train=


HTH

Mike


pnparadis Wed, 02/22/2006 - 09:41

Guess what? The MAC of the server is 0008.xxxx.xxxx and the PIX version is 6.1(2).

I'll look at the workarounds suggested.


Thank you!


Regards


Pierre-Nicolas


mpalardy Wed, 02/22/2006 - 10:37

How lucky you are; you even took care of changing the ARP info (for security purposes, I assumed) in a debug output posted here... But eventually you would have found the link by yourself, I'm sure!

:)
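The workaround the thread settles on is pinning static ARP entries on both ends: on the PIX with the arp command (arp if_name ip_address mac_address in PIX 6.x) and on the Windows server with arp -s. The two systems write MAC addresses differently (Cisco dotted 0008.xxxx.xxxx versus Windows hyphenated 00-08-xx-xx-xx-xx), and a typo in either entry silently breaks the very path you are trying to restore. The following script is an added example, not code from the thread or from Cisco: it normalizes the MACs, checks that both addresses really sit on one subnet and are unicast, emits the two commands, and flags a host MAC starting with 0008 only because that is the prefix reported in the thread (the bug's real range is not stated here). The interface name dmz2, the 8.8.8.x addresses and all MACs are placeholders.

```python
"""Generate matching static ARP entries for a PIX and a Windows host.

Added example (not from the thread). Interface name, IPs and MACs are
placeholders; the 0008 prefix check only mirrors the MAC reported in the
thread and is not a statement of the PIX bug's actual range.
"""
import ipaddress
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits.

    Accepts Cisco dotted (0008.1234.abcd), colon, hyphen or bare forms.
    Raises ValueError for anything that is not exactly 48 bits of hex.
    """
    digits = re.sub(r"[.:\-\s]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def cisco_mac(mac: str) -> str:
    """Cisco/PIX notation: hhhh.hhhh.hhhh."""
    d = normalize_mac(mac)
    return ".".join(d[i:i + 4] for i in (0, 4, 8))


def windows_mac(mac: str) -> str:
    """Windows arp -s notation: hh-hh-hh-hh-hh-hh."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def is_unicast(mac: str) -> bool:
    """ARP only resolves unicast targets: the I/G bit (LSB of octet 0) must be clear."""
    return int(normalize_mac(mac)[0:2], 16) & 1 == 0


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses fall inside the network ip_a/mask."""
    net = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def static_arp_workaround(if_name, pix_ip, pix_mac, host_ip, host_mask, host_mac):
    """Return the PIX and Windows commands plus any sanity warnings.

    Each side pins the OTHER side's MAC: the PIX learns the host, the host
    learns the PIX. A static entry also stops ARP spoofing for that pair, but
    it must be updated by hand whenever a NIC is replaced.
    """
    warnings = []
    if not same_subnet(pix_ip, host_ip, host_mask):
        warnings.append(
            f"{host_ip}/{host_mask} and {pix_ip} are not on one subnet; "
            "static ARP cannot help, fix addressing first")
    for label, mac in (("PIX", pix_mac), ("host", host_mac)):
        if not is_unicast(mac):
            warnings.append(f"{label} MAC {mac} has the group bit set (not unicast)")
    if normalize_mac(host_mac).startswith("0008"):
        warnings.append("host MAC starts with 0008, the prefix reported in the thread")
    return {
        "pix": f"arp {if_name} {host_ip} {cisco_mac(host_mac)}",
        "windows": f"arp -s {pix_ip} {windows_mac(pix_mac)}",
        "verify_pix": "show arp",      # entry should now appear for host_ip
        "verify_windows": "arp -a",    # entry for pix_ip should show as static
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample values: PIX DMZ2 at 8.8.8.1 (from the thread's test
    # topology); the host address and both MACs are made up.
    result = static_arp_workaround(
        if_name="dmz2",
        pix_ip="8.8.8.1", pix_mac="0010.7bab.cd01",
        host_ip="8.8.8.10", host_mask="255.255.255.0",
        host_mac="00:08:02:1a:2b:3c",
    )
    print("PIX:     ", result["pix"])
    print("Windows: ", result["windows"])
    for w in result["warnings"]:
        print("warning: ", w)
```

Run it, paste the PIX line into the PIX configuration and the Windows line into a command prompt on the server, then confirm with show arp on the PIX and arp -a on the host. Remember that a static entry masks rather than fixes the underlying problem; once the PIX software is upgraded past the bug, remove the entries and confirm that clear arp followed by a ping repopulates the cache dynamically.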
