PIX does not answer arp request

pnparadis
Level 1

I've added a server (Proliant 3000, Windows 2000 SP4) in the DMZ, but the PIX doesn't answer its ARP requests. The access-lists are OK. If I enter static entries in the ARP tables (PIX and server), they can communicate normally, but without these lines nothing works, the PIX doesn't answer. Why? Is there any configuration to add to the PIX? The server is able to ping all the other servers in the DMZ.

Thank you!

7 Replies

jarathbu
Level 1

Hello,

Is the PIX configured as the server's default gateway? Do the IPs and subnet masks match for the DMZ link? Do you have this same issue for inside devices? Did you try debug arp on the PIX?

Hope this helps.

Regards,

James

The PIX is the default gateway, and the IP and subnet are the right ones.

I have added manual ARP entries on both the PIX and the server and it worked... However, I would like to find a "real" solution...

Hello,

I recreated this with a simple topology:

pc---switch---pix

There is nothing special required to add on either the host or the PIX for the ARP process to work correctly. Notice in the attachment that the PC shows a dynamic entry for 8.8.8.1 (the DMZ2 interface of the PIX), and after clearing the ARP on the PIX, the PIX correctly populates its ARP cache.

The other servers in the DMZ that your server can ping: are they located on the same switch? Is the PIX attached to the same switch as well? Do you see correct CAM/MAC entries on all the respective ports?

Hope this helps.

Regards,

James

Hi!

The other servers are on the same switch, the PIX too. No configuration has been made on the switch, and I have not seen anything wrong. The MAC address table is OK.

If I connect a PC in the DMZ it works well, but not this server.

The other servers are plugged into two switches, with two teamed NICs. This server has only one NIC; I don't know if that can change something.

After clearing the ARP cache, it populates correctly, but not for this server.

Regards,

Pierre-Nicolas

Hi Pierre,

There may be a misconfiguration in the PIX configuration (static, nat, subnet mask, etc.).

In order to be sure and to eliminate the possibility of a misconfiguration on the server, I'd suggest the following.

1-Remove the server from the switch.

2-Clear all ARP entries.

3-Ask Richard to put his Fluke device on the switch with the same IP/mask and switch port as the server.

4-Watch the behaviour of the ARP requests.

Oh sorry, you have already tried this with a PC (was the IP the same as the server's?).

I remember, in a previous PIX version, seeing a bug on cisco.com reporting an unsupported MAC address range for hosts. Maybe you can use Richard's Fluke to do this test.

(CCO login required)

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdt47829&cco_product=PIX+Firewall&fset=&swver=&keyw=MAC&target=&train=

HTH

Mike

Guess what? The MAC of the server is 0008.xxxx.xxxx and the PIX version is 6.1(2).

I'll look at the workarounds suggested.

Thank you!

Regards

Pierre-Nicolas
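As an added example that is not part of the thread, here is a small Python audit that reads PIX 6.x `show arp` output and Windows 2000 `arp -a` output, and flags the static workaround entries together with any host whose MAC starts with the 0008 prefix mentioned above. The sample outputs are constructed, and the trailing `alias` marker for static PIX entries and the 0008 prefix are assumptions.

```python
import re

# Constructed sample of PIX 6.x "show arp" output (not from the thread).
# Assumed format: <interface> <ip> <mac>, with a trailing "alias" on static entries.
PIX_SHOW_ARP = """\
        outside 192.0.2.1 0003.e3ee.1b5c
        dmz2 8.8.8.5 0008.0203.0405 alias
        dmz2 8.8.8.7 0050.56aa.bb01
"""

# Constructed sample of Windows 2000 "arp -a" output on the DMZ server.
WIN_ARP_A = """\
Interface: 8.8.8.5 --- 0x2
  Internet Address      Physical Address      Type
  8.8.8.1               00-03-e3-ee-1b-5e     static
  8.8.8.7               00-50-56-aa-bb-01     dynamic
"""

PIX_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]{14})(\s+alias)?", re.I)
WIN_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def norm_mac(mac):
    """Reduce a dotted (PIX) or dashed (Windows) MAC to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_pix_arp(text):
    """Return {ip: (mac, is_static)} from PIX 'show arp' output."""
    out = {}
    for m in (PIX_RE.match(line) for line in text.splitlines()):
        if m:
            out[m.group(2)] = (norm_mac(m.group(3)), m.group(4) is not None)
    return out

def parse_windows_arp(text):
    """Return {ip: (mac, is_static)} from Windows 'arp -a' output."""
    out = {}
    for m in (WIN_RE.match(line) for line in text.splitlines()):
        if m:
            out[m.group(1)] = (norm_mac(m.group(2)), m.group(3).lower() == "static")
    return out

def audit(pix_text, win_text, affected_prefixes=("0008",)):
    """List static ARP workarounds on either side and hosts whose MAC falls in
    an OUI prefix assumed to be hit by the bug discussed above (0008.xxxx.xxxx)."""
    findings = []
    for ip, (mac, static) in parse_pix_arp(pix_text).items():
        if static:
            findings.append(f"pix: static ARP workaround for {ip}")
        if mac.startswith(tuple(affected_prefixes)):
            findings.append(f"pix: {ip} has MAC {mac[:4]}.* in affected range")
    for ip, (mac, static) in parse_windows_arp(win_text).items():
        if static:
            findings.append(f"server: static ARP workaround for {ip}")
    return findings
```

Run `audit(PIX_SHOW_ARP, WIN_ARP_A)` against real captures to see which entries are only there because of the manual workaround.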

How lucky you are, you even took care of changing the ARP info (for security purposes, I thought) in a debug output posted here... But eventually you would have found the link by yourself, I'm sure!

:)
