I've been fighting an issue for months where my other offices haven't been able to reach our internal web portal sporadically. I haven't had time to devote to the issue, because it was sporadic and I always had something else that took a higher priority any time the issue came up. After a particularly obnoxious few days with the issue, it got bumped up higher on the priority list and I got to devote time to it. After a lot of digging around I found the issue came down to incorrect MAC entries being sent out in response to ARP requests. It appears my firewall is answering ARP requests with its MAC for requests that are going to my router. The MPLS router is the default gateway for my network, and it passes traffic that isn't bound for the outside offices to the firewall to pass on to the internet.
So, after some reading I think my NATing is causing the firewall to answer ARP requests for my router and messing up my clients' ARP tables. I read about similar problems on this forum and there was discussion talking about ARP proxy being set by default and causing the behavior. There was a command for disabling ARP proxy, but I didn't want to toss it on my firewall without clearly understanding what it would do as I don't want to break my NATing. Anyone able to help me out and give me a broad overview of what happens when you issue the "sysopt noproxyarp Inside" command?
The above means that if a device on the outside of the firewall ARPs for 18.104.22.168 then the firewall will respond with the MAC address of its outside interface. The packet will then be sent to the firewall and it will NAT the destination IP from 22.214.171.124 to 192.168.5.1.
So for the majority of firewalls you would expect to have sysopt proxyarp enabled on the outside interface because it is common for internal private addresses to be presented to the outside as public IP addresses.
The inside interface is a different matter. It is not as common to need it on the inside interface because you don't often have these sort of statements -
The above means that from the inside, if a device ARPs out for 10.228.53.6 then the firewall will respond with the MAC address of its internal interface. The packet will be sent to the firewall and it will NAT the destination IP from 10.228.53.6 to 192.168.10.1. These sorts of statics are not very common on the firewall.
So what you need to do is check your config and see if there are any NAT statements that require the firewall to respond for addresses on its internal interface.
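The check described in the last paragraph of that answer, as an added example that is not from the thread or from Cisco: a Python script that parses pre-8.3 ASA `static` statements, lists the mapped addresses the firewall will answer ARP for on each interface, and flags any inside-interface static whose mapped range contains the real default gateway (the symptom the question describes). The config excerpt, the interface names, the gateway address 192.168.5.1 and every other address in it are constructed for the example. `global` pool addresses and port-based statics, which also draw proxy-ARP replies, are not parsed.

```python
"""Audit an ASA 8.2-style config for static NAT statements that make the
firewall proxy-ARP on a given interface.  Added example with a constructed
config; not code from the thread or from Cisco."""
import ipaddress
import re

# Constructed ASA 8.2-style excerpt (documentation/private ranges).  The
# last static is deliberately the kind of statement the answer says to
# look for: it maps a remote subnet onto the inside LAN's own range.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 ip address 192.168.5.254 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.3 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.4 192.168.5.20 netmask 255.255.255.255
static (outside,inside) 10.228.53.6 192.168.10.1 netmask 255.255.255.255
static (outside,inside) 192.168.5.0 172.16.40.0 netmask 255.255.255.0
"""

# static (real_ifc,mapped_ifc) mapped real [netmask m]   (pre-8.3 syntax)
# Port statics ("static (...) tcp ...") are recognised and skipped.
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)(?:\s+netmask\s+(?P<mask>\S+))?"
)


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for each 'interface' block."""
    ifcs, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            _, _, addr, mask = line.split()[:4]
            ifcs[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifcs


def parse_statics(config, ifcs):
    """One dict per static: the interface the mapped address is presented
    on (where the firewall will proxy-ARP for it) and the mapped range."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        mapped = m["mapped"]
        if mapped in ("tcp", "udp"):          # port static: not handled here
            continue
        if mapped == "interface":             # mapped to the interface's own IP
            mapped = str(ifcs[m["mapped_ifc"]].ip)
        mask = m["mask"] or "255.255.255.255"
        statics.append({
            "line": line,
            "real_ifc": m["real_ifc"],
            "mapped_ifc": m["mapped_ifc"],
            "mapped_net": ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
            "real": m["real"],
        })
    return statics


def proxy_arp_targets(config):
    """Mapped address ranges the firewall answers ARP for, per interface."""
    ifcs = parse_interfaces(config)
    targets = {}
    for s in parse_statics(config, ifcs):
        targets.setdefault(s["mapped_ifc"], []).append(s["mapped_net"])
    return targets


def audit_inside(config, inside_ifc, gateway_ip):
    """Statics that make the firewall proxy-ARP on inside_ifc.  A static
    whose mapped range contains the LAN's real default gateway is the one
    that will poison clients' ARP entries for the router."""
    gw = ipaddress.IPv4Address(gateway_ip)
    ifcs = parse_interfaces(config)
    findings = []
    for s in parse_statics(config, ifcs):
        if s["mapped_ifc"] != inside_ifc:
            continue
        findings.append({
            "line": s["line"],
            "mapped_net": str(s["mapped_net"]),
            "covers_gateway": gw in s["mapped_net"],
            # Clients only ARP for addresses they believe are on-link
            "on_link": s["mapped_net"].subnet_of(ifcs[inside_ifc].network),
        })
    return findings


if __name__ == "__main__":
    for ifc, nets in proxy_arp_targets(SAMPLE_CONFIG).items():
        print(f"{ifc}: proxy-ARP for {', '.join(map(str, nets))}")
    for f in audit_inside(SAMPLE_CONFIG, "inside", "192.168.5.1"):
        tag = "COVERS GATEWAY" if f["covers_gateway"] else "review"
        print(f"[{tag}] {f['line']}")
```

Run it against `show running-config` output saved to a file (replace `SAMPLE_CONFIG` with the file contents) and the inside interface name and router address from your own network. An empty result for the inside interface means no static is asking the firewall to answer ARP there, and `sysopt noproxyarp inside` would change nothing for those statics; a hit marked `COVERS GATEWAY` is the statement to fix rather than a reason to turn proxy ARP off blindly.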
All of my static mappings look correct to be ARPing for the outside addresses only, as far as I can see. Since my static mappings don't appear to be an issue, that leaves me wondering about my nat statements. I can slap on the "sysopt noproxyarp Inside" after hours to experiment a bit, I just want a better understanding of what's going to happen before I work with it. As far as I can think of, I don't want my firewall doing any ARP proxying on addresses on the inside interface. I'm just trying to think if there would be any legitimate reason that I may be overlooking.