A Linux DNS server with two interfaces sits on the PIX DMZ interface. The two interfaces have the same subnet.
One interface is for inside DNS queries, the other for outside queries. Sometimes the DNS server can't work properly. We found the ARP entry for the DNS server is the MAC of the PIX DMZ interface. We changed the switch and the Linux NICs; sometimes it works, but sometimes it doesn't. PIX with 6.2.3 (GD). Does anyone have the same situation?
Depending upon how the PIX is set up, you can see the PIX ARPing on behalf of the clients for the DNS server, using the same MAC address but different IP addresses. This is how proxy ARP works, and it is normal to see.
Can you diagram your topology? You mentioned two interfaces on a DNS server that are in the same subnet; why is that? If your DNS server is behind a PIX, you only need one interface on the DNS server, and it makes routing much easier.
I believe that your issue lies in the reply packets from the DNS server: with two interfaces, if the reply uses interface 2's address but the request went to interface 1's address, the PIX will reject the reply, as it will break any session-state info that the PIX has.
Try running with just one address on your DNS server, advertise it using one address on the PIX's outside interface and another using the PIX's inside interface, and configure the PIX to handle the security.
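The two mechanisms in the reply above, as an added illustration that is not part of the original thread: a minimal model of the PIX session-state check that drops a DNS reply sourced from the server's second address, and a scan of ARP-table output for the proxy-ARP symptom (several IPs resolving to one MAC). The addresses, MACs and the `arp -an` style lines are constructed sample values, and the class and function names are my own, not PIX or Linux APIs.

```python
"""Model of two things described in the reply: stateful reply matching on a
firewall such as the PIX, and spotting proxy ARP in an ARP table.
All addresses and MACs are constructed sample values.
"""
from collections import defaultdict
import re


class StatefulFilter:
    """Minimal model of session-state tracking for UDP flows (hypothetical)."""

    def __init__(self):
        self.sessions = set()

    def request(self, src_ip, src_port, dst_ip, dst_port):
        # An outbound request creates a session keyed on the 4-tuple.
        self.sessions.add((src_ip, src_port, dst_ip, dst_port))

    def reply_allowed(self, src_ip, src_port, dst_ip, dst_port):
        # A reply is admitted only if it is the exact mirror of a known
        # request: its source must be the address the request was sent to.
        return (dst_ip, dst_port, src_ip, src_port) in self.sessions


def simulate_dns_reply(server_addrs, answer_from):
    """Client 10.0.0.5 queries server_addrs[0]; the server answers from
    answer_from. Returns True if the firewall model would pass the reply."""
    fw = StatefulFilter()
    client_ip, client_port = "10.0.0.5", 40000
    fw.request(client_ip, client_port, server_addrs[0], 53)
    return fw.reply_allowed(answer_from, 53, client_ip, client_port)


# Matches lines in the form "? (192.168.10.20) at 00:11:22:33:44:55 [ether] on eth0"
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]+|<incomplete>)")


def macs_shared_by_multiple_ips(arp_output):
    """Return {mac: [ips]} for every MAC that appears with more than one IP,
    which is what proxy ARP by a firewall looks like from a host's table."""
    by_mac = defaultdict(list)
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("mac") != "<incomplete>":
            by_mac[m.group("mac")].append(m.group("ip"))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed `arp -an` style output: both DNS server addresses resolve to
# the PIX DMZ interface MAC, the symptom the original poster describes.
SAMPLE_ARP = """\
? (192.168.10.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.10.20) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.10.21) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.10.30) at 00:aa:bb:cc:dd:ee [ether] on eth0
? (192.168.10.99) at <incomplete> on eth0
"""

if __name__ == "__main__":
    dns = ["192.168.10.20", "192.168.10.21"]
    print("reply from the queried address allowed:", simulate_dns_reply(dns, dns[0]))
    print("reply from the other address allowed:  ", simulate_dns_reply(dns, dns[1]))
    for mac, ips in macs_shared_by_multiple_ips(SAMPLE_ARP).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Run against a real host, the ARP scan reads the output of `arp -an` (or `ip neigh`, with the regex adjusted); a single MAC fronting the DNS server's addresses and the gateway is the proxy-ARP case the reply calls normal, while the dropped second-address reply is the failure the single-address layout avoids.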