FWSM: ARP Collision and Poisoning

Ahmad Samir
Level 1

Dear All

We have FWSM in our organization. I have a firewall analyzer for analyzing the FWSM logs.

The Firewall Analyzer is giving me these attacks:

arp poisioning    arp    05 Dec 2009, 19:46:53    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5 
arp poisioning    arp    05 Dec 2009, 12:27:35    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5 
arp poisioning    arp    05 Dec 2009, 11:41:38    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5

Are these attacks true or false?

Thanks,

4 Replies

Panos Kampanakis
Cisco Employee

What this log means is that the module received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

In other words, 2 hosts are using the IP 10.5.20.15.

On the switch do a "sh mac-address-table | i 8269" and a "sh mac-address-table | i a532" to see where these MACs are connected and track these hosts down.

I hope it helps.

PK
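PK's explanation above, turned into a small log-triage script. This is an added example, not code from the thread or from Cisco. It assumes the analyzer's line layout shown in the original post, uses the three lines quoted there, and adds one constructed line (10.5.30.7 with a made-up MAC on an interface named "inside") purely to show per-interface grouping. It parses %FWSM-4-405001 lines, groups them by interface and IP, reports the order in which MACs were reported for each IP (one change looks like a cutover; a MAC that comes back after being replaced means both hosts were still sourcing ARP for the IP within the window), and builds the switch lookups PK suggested for every MAC seen.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the three analyzer lines quoted in the thread plus one
# constructed line (10.5.30.7 / 0011.2233.4455 on "inside") for a second group.
# Only the text from "%fwsm-4-405001:" onward is the FWSM syslog message itself.
SAMPLE_LOGS = """\
arp poisioning    arp    05 Dec 2009, 19:46:53    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
arp poisioning    arp    05 Dec 2009, 12:27:35    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5
arp poisioning    arp    05 Dec 2009, 11:41:38    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
arp poisioning    arp    05 Dec 2009, 09:00:00    -    %fwsm-4-405001: received arp response collision from 10.5.30.7/0011.2233.4455 on interface inside
"""

# Analyzer timestamp, then the 405001 message: "received arp <request|response>
# collision from <ip>/<mac> on interface <name>". Case-insensitive because the
# analyzer lower-cased the message in the thread.
LINE_RE = re.compile(
    r"(?P<ts>\d{2} \w{3} \d{4}, \d{2}:\d{2}:\d{2}).*?"
    r"%fwsm-4-405001: received arp (?P<kind>request|response) collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<ifname>\S+)",
    re.IGNORECASE,
)


def parse_405001(text):
    """Return (timestamp, interface, ip, mac) tuples for every 405001 line, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 405001 line; ignore
        ts = datetime.strptime(m.group("ts"), "%d %b %Y, %H:%M:%S")
        events.append((ts, m.group("ifname"), m.group("ip"), m.group("mac").lower()))
    events.sort()
    return events


def summarize_collisions(events):
    """Group by (interface, ip) and describe how the MAC reported in collisions changed.

    Each 405001 line means the FWSM saw ARP for `ip` sourced from a MAC other than
    the one in its ARP cache, so every MAC in the sequence sourced ARP for that IP
    at some point. `changes` counts transitions between consecutive reported MACs;
    `flapping` is true when a MAC reappears after being replaced, i.e. at least two
    hosts were answering for the IP during the window rather than a single cutover.
    """
    by_key = defaultdict(list)
    for ts, ifname, ip, mac in events:
        by_key[(ifname, ip)].append((ts, mac))

    summary = {}
    for key, seq in sorted(by_key.items()):
        collapsed = []  # reported MACs with consecutive duplicates removed
        for _, mac in seq:
            if not collapsed or collapsed[-1] != mac:
                collapsed.append(mac)
        summary[key] = {
            "first_seen": seq[0][0],
            "last_seen": seq[-1][0],
            "count": len(seq),
            "macs": sorted({mac for _, mac in seq}),
            "sequence": collapsed,
            "changes": len(collapsed) - 1,
            "flapping": len(collapsed) > len(set(collapsed)),
        }
    return summary


def switch_lookup_commands(summary):
    """Build the 'sh mac-address-table | i <last 4 hex>' checks PK suggested, one per MAC."""
    cmds = set()
    for info in summary.values():
        for mac in info["macs"]:
            cmds.add(f"sh mac-address-table | i {mac[-4:]}")
    return sorted(cmds)


if __name__ == "__main__":
    report = summarize_collisions(parse_405001(SAMPLE_LOGS))
    for (ifname, ip), info in report.items():
        verdict = "MAC alternates: both hosts sourcing ARP" if info["flapping"] else "single change or none"
        print(f"{ifname} {ip}: {info['count']} collisions, {' -> '.join(info['sequence'])} ({verdict})")
    print("Next, on the switch:")
    for cmd in switch_lookup_commands(report):
        print("  " + cmd)
```

For the thread's own data the dmz5/10.5.20.15 group comes out as a532 -> 8269 -> a532, two changes with a repeat, which is the pattern to chase down on the switch with the two lookups PK gave; a clean primary-to-DR cutover would show one change and no repeat.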

Dear PK

Thanks very much for your reply,

Actually I asked the administrator of the server, and he told me that they have a primary server and a disaster recovery server. On the day these logs appeared in the FWSM, they powered down the primary and brought up the DR server, which has the same IP address but a different MAC address.

So, my question is: they already shut down the primary one first and brought up the DR next, so why does it show an ARP collision in the FWSM?

How long will it take for the firewall to clear an entry from the ARP table or update the ARP table with the new entry?

Thanks for the help.

"sh run arp" should tell you the ARP timeout. It is usually 4 hours by default.

If they already turned it off, then we shouldn't be seeing these messages.

Issue "clear logg buffer" and watch the logs again with "sh logg | i 405001" to see if you still see these messages.

-KS

Dear KS

Thanks for your help,

Actually they shut down and powered down the primary server and directly turned on the disaster recovery server. I want to know how long it will take for the firewall to clear an entry from the ARP cache table.

Will the firewall erase the entry from the cache when it is removed from the network directly, or will it wait for 4 hours to remove the entry?

Also, if the collision happens, will the firewall update the ARP entry with the new MAC address?

Thanks and Best Regards,
