Cisco Support Community
Community Member

FWSM: ARP Collision and Poisoning

Dear All

We have FWSM in our organization. I have a firewall analyzer for analyzing the FWSM logs.

The Firewall Analyzer is giving me these attacks:

arp poisioning    arp    05 Dec 2009, 19:46:53    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5 
arp poisioning    arp    05 Dec 2009, 12:27:35    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5 
arp poisioning    arp    05 Dec 2009, 11:41:38    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5

Are these attacks true or false?

Thanks,

4 REPLIES
Cisco Employee

Re: FWSM: ARP Collision and Poisoning

What this log means is that the module received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

In other words, 2 hosts are using the IP 10.5.20.15.

On the switch, do a "sh mac-address-table | i 8269" and a "sh mac-address-table | i a532" to see where these MACs are connected and track these hosts down.

I hope it helps.

PK
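
An added example, not part of the original thread: a short Python script that groups the 405001 rows from the question by interface and IP, showing which MACs sent colliding ARP packets for the address and how often the sender changed. The row layout (timestamp column followed by the syslog text) is assumed from the three lines quoted in the question, and the function name `summarize` is illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the three analyzer rows quoted in the question.
SAMPLE = """\
arp poisioning    arp    05 Dec 2009, 19:46:53    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
arp poisioning    arp    05 Dec 2009, 12:27:35    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5
arp poisioning    arp    05 Dec 2009, 11:41:38    -    %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
"""

# Assumed layout: "<dd Mon yyyy, hh:mm:ss> ... %fwsm-4-405001: ... from IP/MAC on interface NAME"
ROW = re.compile(
    r"(?P<ts>\d{2} \w{3} \d{4}, \d{2}:\d{2}:\d{2}).*?"
    r"%fwsm-4-405001: received arp \w+ collision from "
    r"(?P<ip>[\d.]+)/(?P<mac>[0-9a-f.]{14}) on interface (?P<ifc>\S+)",
    re.IGNORECASE,
)


def summarize(text):
    """Group 405001 events by (interface, IP) and describe the MACs involved."""
    events = defaultdict(list)
    for m in ROW.finditer(text):
        ts = datetime.strptime(m["ts"], "%d %b %Y, %H:%M:%S")
        events[(m["ifc"], m["ip"])].append((ts, m["mac"].lower()))
    report = {}
    for key, rows in events.items():
        rows.sort()  # the analyzer lists newest first; put oldest first
        macs = [mac for _, mac in rows]
        report[key] = {
            "events": len(rows),
            "macs": sorted(set(macs)),
            # How many times the colliding sender MAC changed between events.
            "flips": sum(a != b for a, b in zip(macs, macs[1:])),
            "first": rows[0][0],
            "last": rows[-1][0],
        }
    return report


if __name__ == "__main__":
    for (ifc, ip), r in summarize(SAMPLE).items():
        print(f"{ip} on {ifc}: {r['events']} collisions, MACs {r['macs']}, "
              f"{r['flips']} MAC changes between {r['first']} and {r['last']}")
```

The MAC list gives the values to search for in the switch's MAC address table, and the first and last timestamps can be compared against any known maintenance window.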

Community Member

Re: FWSM: ARP Collision and Poisoning

Dear PK

Thanks very much for your reply,

Actually, I asked the administrator of the server, and he told me that they have a primary server and a disaster recovery server. On the day when these logs appeared in the FWSM, they powered down the primary and brought up the DR server, which has the same IP address but a different MAC address.

So, my question is: they already shut down the primary one first and brought up the DR next, so why does it show an ARP collision in the FWSM?

How long will it take for the firewall to clear an entry from the ARP table or update the ARP table with the new entry?

Thanks for the help.

Cisco Employee

Re: FWSM: ARP Collision and Poisoning

"sh run arp" should tell you the arp timeout. It is usually 4 hours by default.

If they already turned it off, then we shouldn't be seeing these messages.

Issue "clear logg buffer" and watch the logs again with "sh logg | i 405001" and see if you still see these messages.

-KS

Community Member

Re: FWSM: ARP Collision and Poisoning

Dear KS

Thanks for your help,

Actually, they shut down and powered down the primary server and directly turned on the disaster recovery server. I want to know how long it will take for the firewall to clear an entry from the ARP cache table.

Will the firewall erase the entry from the cache when it is removed from the network directly, or will it wait for 4 hours to remove the entry?

Also, if the collision happens, will the firewall update the ARP entry with the new MAC address?

Thanks and Best Regards,
