We have FWSM in our organization. I have a firewall analyzer for analyzing the FWSM logs.
The Firewall Analyzer is giving me these attacks:
arp poisioning arp 05 Dec 2009, 19:46:53 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
arp poisioning arp 05 Dec 2009, 12:27:35 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5
arp poisioning arp 05 Dec 2009, 11:41:38 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
Actually, I asked the administrator of the server and he told me that they have a primary server and a disaster recovery server. On the day when these logs appeared in the FWSM, they powered down the primary and brought up the DR server, which has the same IP address but a different MAC address.
So, my question is: they already shut down the primary one first and brought up the DR next, so why does it show an ARP collision in the FWSM?
How long will it take for the firewall to clear an entry from the ARP table or update the ARP table with the new entry?
Actually, they shut down and powered down the primary server and directly turned on the disaster recovery server. I want to know how long it will take for the firewall to clear an entry from the ARP cache table.
Will the firewall erase the entry from the cache when it is removed from the network directly, or will it wait for 4 hours to remove the entry?
Also, if the collision happens, will the firewall update the ARP entry with the new MAC address?
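The following is an added example, not part of the original post: a small parser that puts the 405001 collision lines quoted above in time order and reports, per interface and IP, each point at which the claimed MAC address changed. The function names `parse` and `mac_changes` are hypothetical, and the regular expression assumes the analyzer's line layout exactly as it appears in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three analyzer lines quoted in the post above.
SAMPLE = """\
05 Dec 2009, 19:46:53 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
05 Dec 2009, 12:27:35 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0020.3504.8269 on interface dmz5
05 Dec 2009, 11:41:38 - %fwsm-4-405001: received arp request collision from 10.5.20.15/0006.296c.a532 on interface dmz5
"""

# Layout assumed from the quoted lines: timestamp, message id, IP/MAC, interface.
LINE_RE = re.compile(
    r"(?P<ts>\d{2} \w{3} \d{4}, \d{2}:\d{2}:\d{2}) - %fwsm-4-405001: "
    r"received arp \w+ collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<ifc>\S+)",
    re.IGNORECASE,
)

def parse(text):
    """Return (timestamp, ip, mac, interface) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d %b %Y, %H:%M:%S")
            events.append((ts, m["ip"], m["mac"].lower(), m["ifc"]))
    return sorted(events)

def mac_changes(events):
    """Map (interface, ip) to the ordered (timestamp, mac) points where the
    MAC claiming that IP differs from the previous collision's MAC."""
    history = defaultdict(list)
    for ts, ip, mac, ifc in events:
        seq = history[(ifc, ip)]
        if not seq or seq[-1][1] != mac:
            seq.append((ts, mac))
    # Only addresses claimed by more than one MAC are of interest.
    return {key: seq for key, seq in history.items() if len(seq) > 1}

if __name__ == "__main__":
    for (ifc, ip), seq in mac_changes(parse(SAMPLE)).items():
        for ts, mac in seq:
            print(f"{ifc} {ip} {ts:%H:%M:%S} claimed by {mac}")
```

On the quoted lines this lists 10.5.20.15 on dmz5 claimed by 0006.296c.a532 at 11:41:38, by 0020.3504.8269 at 12:27:35, and by 0006.296c.a532 again at 19:46:53, which can be compared against the times the primary and DR servers were actually powered off and on.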
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...