I am struggling for a while now with the following:
We have two servers sitting in the same server room. Pinging from our tooling server to our SQL server, we will get request timeouts for a period of 8 - 10 min at a time. While this server is timing out I am able to ping it from different other devices on the network. The funny thing is when I connect to the Cisco switch from which that server is connecting and ping the server address, the timeouts on the tooling server would stop and I would get a reply again from the server. The switches are all WS-C3560G-24PS switches; I am attaching a basic network layout of the network.
Thank you for the reply. Yes they are all on VLAN 1 and their IPs are from the same subnet. While I get the timeouts on the server I can still see the MAC address on the port that it links to. From my office, which comes in through the router in the diagram, I am still able to remote to the server and ping it; it seems that it is only affecting some of the users in that building. What I have done is to clear the ARP cache on the switch but I still get the problem. I will have a look at the server's ARP table when it times out again.
Ok I did have a look in our tooling server's ARP table when the server is replying and the IP and MAC are correct for the server. As soon as it started to time out I had a look again, and the MAC in the ARP table points to the firewall! I have read on another forum about a command on the firewall that needs to be enabled: sysopt noproxyarp inside. I am not clued up on firewalls, if someone can enlighten me please.
This command disables proxy ARP for NAT global addresses on an interface. Proxy ARP is useful when the firewall is implementing NAT. Proxy ARP responds to ARP requests for the global addresses defined on a firewall interface. For example, if I define a global pool with two addresses (188.8.131.52 and 184.108.40.206) on the outside interface, proxy ARP will respond to the ARP requests directed to these IP addresses from the outside interface.
In your case, it seems to be a problem in the NAT definition. If NAT is OK, I think you can disable the ARP cache on the local interface.
"The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).
The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses."
The thing about this firewall is, the servers and hosts in the building are not supposed to go through the firewall; it was installed to separate a control network from the office network. It does have an IP on the office VLAN though. Would that make a difference?
I think this issue is occurring because the sysopt noproxyarp <interface name> command is missing on the firewall, or some host-based routes exist on one of your servers.
The reason being that whenever a host wants to reach a destination it sends an ARP request, and the destination then responds with its own MAC address.
Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host.
ciscoasa(config)#no sysopt noproxyarp outside
Try to configure this in your firewall... the issue will be resolved
Can you check the firewall NAT configuration? It seems like the Firewall is replying with the server IP address. A possible cause is having the IP server address defined in the Firewall NAT global pool.
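The symptom described in this thread (the server's ARP entry flipping to the firewall's MAC while the firewall proxy-ARPs for an address in its NAT pool) can be caught from the affected host's own ARP table. The script below is an added example, not from the thread or from Cisco; the IP addresses, MACs and the `arp -a` snapshot are constructed sample data.

```python
"""Flag ARP entries where a known host suddenly resolves to the firewall's MAC,
the proxy-ARP signature seen in this thread.  Added example; all addresses
and the snapshot below are constructed, not taken from the thread."""
import re
from dataclasses import dataclass

# Constructed: what this segment should look like (hypothetical values).
FIREWALL_MAC = "00:1a:2b:3c:4d:5e"
EXPECTED = {
    "10.0.1.10": "00:50:56:aa:bb:cc",   # SQL server
    "10.0.1.1": FIREWALL_MAC,           # firewall's own office-VLAN address
}

# Matches Windows "arp -a" rows ("10.0.1.10  00-50-56-aa-bb-cc  dynamic") and
# Linux "ip neigh" rows ("10.0.1.10 dev eth0 lladdr 00:50:56:aa:bb:cc REACHABLE").
ROW = re.compile(r"(\d+\.\d+\.\d+\.\d+).+?([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})")

@dataclass
class Finding:
    ip: str
    seen_mac: str
    expected_mac: str
    reason: str

def parse_arp(text):
    """Return {ip: mac}, MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def check_arp(text, expected=EXPECTED, firewall_mac=FIREWALL_MAC):
    """Report entries whose MAC differs from the expected one; an entry that
    now carries the firewall's MAC points at proxy ARP for a NAT address."""
    findings = []
    for ip, mac in parse_arp(text).items():
        want = expected.get(ip)
        if want is None or mac == want:
            continue
        reason = ("firewall is proxy-ARPing for this address: check the NAT "
                  "global/static pool and 'sysopt noproxyarp <if_name>'"
                  if mac == firewall_mac else "unexpected MAC")
        findings.append(Finding(ip, mac, want, reason))
    return findings

# Constructed snapshot of the tooling server's table while pings were timing out.
SAMPLE = """Interface: 10.0.1.20 --- 0xb
  Internet Address      Physical Address      Type
  10.0.1.1              00-1a-2b-3c-4d-5e     dynamic
  10.0.1.10             00-1a-2b-3c-4d-5e     dynamic
"""
```

Run `check_arp(SAMPLE)` on a snapshot captured during an outage; an empty list while the pings still fail points away from ARP and towards routing or the switch instead.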