Cisco Support Community
Community Member

duplicate MAC of PIX interface

hi,

There is a problem about a duplicate PIX MAC. I have a Linux DNS server with 2 interfaces in the PIX DMZ interface. The two interfaces have the same subnet.

One interface is for inside DNS queries, the other is for outside queries. Sometimes the DNS server can't work properly. We found that the ARP entry for the DNS server is the MAC of the PIX DMZ interface. We changed the switch and the Linux NICs; sometimes it works but sometimes it does not. PIX with 6.2.3 (GD). Does anyone have the same situation?

best regards.

fred.

1 REPLY
Silver

Re: duplicate MAC of PIX interface

Depending upon how the PIX is set up, you can see the PIX ARPing on behalf of the clients for the DNS server, using the same MAC address but different IP addresses. This is how proxy ARP works, and it is normal to see.

Can you diagram your topology? You mentioned two interfaces on a DNS server that are in the same subnet; why is that? If your DNS server is behind a PIX, you only need one interface on the DNS server, and it makes routing much easier.

I believe that your issue lies in the reply packets from the DNS server; with two interfaces, if the reply uses interface 2's address but the request went to interface 1's address, the PIX will reject the reply, as it will break any session-state info that the PIX has.

Try running with just one address on your DNS server, and advertise it using one address on the PIX's outside interface and another using the PIX's inside interface, and configure the PIX to handle the security.
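The symptom described in this thread, several IP addresses on the DMZ segment all resolving to the firewall's MAC address, is easy to confirm from the ARP cache of any host on that segment. The script below is an added example and is not code from the thread or from Cisco: it parses Linux `arp -an` output, groups the IP addresses by MAC, and reports any MAC that answers for more than one address. The ARP lines, the addresses and the MAC used as the firewall's interface address are constructed sample values, not taken from the original post.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -an` output on a DMZ host. The MAC
# 00:00:0c:aa:bb:01 plays the role of the firewall's DMZ interface here;
# it answers for the gateway address and for two DNS server addresses,
# which is what proxy ARP looks like from the host's point of view.
SAMPLE_ARP = """\
? (192.168.10.1) at 00:00:0c:aa:bb:01 [ether] on eth0
? (192.168.10.20) at 00:00:0c:aa:bb:01 [ether] on eth0
? (192.168.10.21) at 00:00:0c:aa:bb:01 [ether] on eth0
? (192.168.10.50) at 00:50:56:11:22:33 [ether] on eth0
? (192.168.10.99) at <incomplete> on eth0
"""

# Matches the "(ip) at mac" part of a Linux arp line; incomplete entries
# (no MAC learned yet) are skipped because they carry no resolution.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) ")


def parse_arp(text):
    """Return {ip: mac} for every resolved entry in arp -an output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line.lower())
        if m:
            table[m.group("ip")] = m.group("mac")
    return table


def macs_with_multiple_ips(table):
    """Return {mac: [ips]} for MACs that answer for more than one address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def ips_answered_by(table, mac):
    """List the IP addresses currently resolving to a given MAC."""
    return sorted(ip for ip, m in table.items() if m == mac.lower())


def proxy_arp_report(text, firewall_mac, expected_gateway):
    """Build a human-readable report of addresses the firewall's MAC is
    answering for, other than its own gateway address."""
    table = parse_arp(text)
    shadowed = [ip for ip in ips_answered_by(table, firewall_mac)
                if ip != expected_gateway]
    lines = [f"{len(table)} resolved ARP entries"]
    for mac, ips in macs_with_multiple_ips(table).items():
        lines.append(f"MAC {mac} answers for: {', '.join(ips)}")
    if shadowed:
        lines.append("firewall MAC is answering for non-gateway addresses: "
                     + ", ".join(shadowed))
    return lines


if __name__ == "__main__":
    for line in proxy_arp_report(SAMPLE_ARP, "00:00:0C:AA:BB:01", "192.168.10.1"):
        print(line)
```

On a real host the text would come from running `arp -an` (or `ip neigh`, which needs a slightly different regex), and `firewall_mac` would be the MAC shown by `show interface` on the PIX for the DMZ interface. If the DNS server's addresses appear in the report, the firewall is proxy-ARPing for them and the dual-interface layout is what needs fixing, exactly as the reply above suggests.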
