
FWSM ARP response Collision

ashishpanda
Level 1

I have an FWSM 2.3.1 running in routed mode on a 6509. In the syslog server I keep getting the following messages simultaneously:

"Received ARP response collision from 213.210.211.2/0005.5f7b.d806 on interface NOC"

"Received ARP response collision from 213.210.211.2/000f.28a8.7740 on interface NOC"

The show interface output is:

Interface vlan480 "NOC", is up, line protocol is up

MAC address 000f.23bf.7700, MTU 1500

IP address 213.210.211.2, subnet mask 255.255.255.224

What could be the possible reason for this?


mheusinger
Level 10

Hello,

The reasons could be duplicate IPs.

MAC address block 00055f is registered to Cisco Systems and 000f28 is registered to

00-0F-28 (hex) Itronix Corporation

South 801 Stevens Street

Spokane WA 99204

UNITED STATES

So which device is in the network possibly manufactured by Itronix?

Hope this helps! Please rate all posts

Martin

Hi Martin,

I found the devices with those MAC.

000f.28a8.7740 is a Cisco 2950 switch with management IP 192.168.121.2

and 0005.5f7b.d806 is also a Cisco switch with IP 212.71.34.53

These two devices are connected to the FWSM. The interface IP and MAC for the FWSM are 213.210.211.2/000f.23bf.7700

All are connected on the same VLAN.

Am I getting this message because three different IP subnets are connected on the same L2 VLAN?

ashish

Hello ashish,

The exact meaning of the message can be found at

http://www.cisco.com/en/US/products/hw/switches/ps708/products_system_message_guide_chapter09186a0080224d47.html#wp1058125

You wrote three subnets are on the same VLAN. What is the default gateway? I am thinking about proxy arp - could that be the reason for the observed behaviour?

Hope this helps! Please rate all posts.

Regards, Martin

Hi Martin,

Thanks a lot. The problem is solved. I am not getting the messages after I matched the subnet mask of the FWSM interface 213.210.211.2/25 with that of ROU-01 213.210.211.1/25 (find attached the diagram).

It looks like the proxy ARP issue. But I am wondering why I was getting IP collision kind of messages instead of MAC collision (as in proxy ARP scenarios).

Thanks Again

Ashish

Hello,

You did not get an IP collision, but an ARP collision, i.e. two devices were answering an ARP request to resolve 213.210.211.2 - one was the FWSM, because it has the IP, and the others were "routers" answering through proxy ARP.

The ARP request basically got answered by all of them because the destination MAC is FF.FF.FF.FF.FF.FF and therefore read by all hosts on the same VLAN.

In your setup none of the "routers" could know that they are all on the same VLAN, therefore proxy ARP kicked in and the FWSM, seeing all the ARP replies, was giving the message above.

The security background is that there is software out there to become man-in-the-middle by answering the ARP request for the default gateway from the hacker PC and therefore attracting all traffic in the LAN. The software is smart enough to even forward the traffic to the default gateway after that, so users might not be suspicious because they finally get connectivity.

The FWSM is just warning you that this might be the case.

Hope this helps! Please rate all posts.

Regards, Martin
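The two mechanisms Martin describes above, as an added example that is not part of the original thread and not Cisco code: a detector that mirrors the FWSM's "ARP response collision" condition (a second, different MAC answering for an IP already learned on an interface), and a subnet-mask check showing how the /27 on the FWSM and the /25 on ROU-01 make devices on one VLAN disagree about which addresses are on-link, which the thread identifies as the precondition for proxy ARP to answer for a local address. The ARP replies are constructed sample data built from the MACs quoted in the thread; the message format copies the syslog lines posted above, and the learned-binding behaviour is an assumption about how such a check works, not the FWSM's documented algorithm.

```python
"""Added example (not from the thread or from Cisco): an ARP response
collision check plus a subnet-mask consistency check.

  * detect_arp_collisions(): the first MAC seen for an IP on an interface
    is treated as the learned binding; any later reply for that IP with a
    different MAC is reported in the FWSM syslog format quoted above.
    (Assumed behaviour, modelled on the thread, not the FWSM's own code.)
  * on_link() / mask_disagreements(): whether devices configured with the
    given address/mask consider a target address part of their directly
    connected subnet. Mismatched masks on one VLAN make them disagree.
All ARP replies below are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class ArpReply:
    interface: str    # firewall interface the reply arrived on
    sender_ip: str    # IP the sender claims to own (ARP sender protocol address)
    sender_mac: str   # MAC it claims for that IP (ARP sender hardware address)


def detect_arp_collisions(replies):
    """Return one FWSM-style syslog line per conflicting ARP reply.

    A repeat of the already-learned MAC for an IP is accepted silently;
    only a different MAC for the same (interface, IP) is a collision.
    """
    learned = {}    # (interface, ip) -> first MAC seen for that IP
    messages = []
    for r in replies:
        key = (r.interface, r.sender_ip)
        known = learned.setdefault(key, r.sender_mac)   # learn on first sight
        if known != r.sender_mac:
            messages.append(
                f"Received ARP response collision from {r.sender_ip}/{r.sender_mac} "
                f"on interface {r.interface}"
            )
    return messages


def on_link(target: str, local: str) -> bool:
    """True if a device configured with `local` (e.g. '213.210.211.2/27')
    considers `target` part of its directly connected subnet."""
    return IPv4Address(target) in IPv4Interface(local).network


def mask_disagreements(target: str, configs):
    """Return the address/mask configs that treat `target` as off-link.

    For a host that really is in the VLAN, a non-empty result means the
    masks are inconsistent: some devices will route (and may proxy-ARP)
    for an address their neighbours consider local.
    """
    return [c for c in configs if not on_link(target, c)]


# Constructed sample: the FWSM's own MAC, a benign repeat, the two other
# MACs reported in the thread, and an unrelated single-owner host.
SAMPLE_REPLIES = [
    ArpReply("NOC", "213.210.211.2", "000f.23bf.7700"),
    ArpReply("NOC", "213.210.211.2", "000f.23bf.7700"),
    ArpReply("NOC", "213.210.211.2", "0005.5f7b.d806"),
    ArpReply("NOC", "213.210.211.2", "000f.28a8.7740"),
    ArpReply("NOC", "213.210.211.5", "0011.2233.4455"),
]

# Before the fix the FWSM used /27 (.0-.31) while ROU-01 used /25 (.0-.127).
MASKS_BEFORE_FIX = ["213.210.211.2/27", "213.210.211.1/25"]
MASKS_AFTER_FIX = ["213.210.211.2/25", "213.210.211.1/25"]

if __name__ == "__main__":
    for line in detect_arp_collisions(SAMPLE_REPLIES):
        print(line)
    for host in ("213.210.211.20", "213.210.211.100"):
        print(host, "off-link for", mask_disagreements(host, MASKS_BEFORE_FIX),
              "before the fix;", mask_disagreements(host, MASKS_AFTER_FIX), "after")
```

Run stand-alone it prints the two collision lines from the thread and shows that 213.210.211.100 is off-link for the /27 device but on-link for the /25 one until the masks match; feeding `detect_arp_collisions()` replies parsed from a real capture is the natural next step.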

Why does the FWSM show the same MAC address (000e.8465.4a80) on all interfaces?

Interface vlan10 "management", is up, line protocol is up

MAC address 000e.8465.4a80, MTU 1500

IP address 192.168.97.137, subnet mask 255.255.255.224

Interface Vlan20 "failover", is up, line protocol is up

MAC address 000e.8465.4a80, MTU 1500

IP address 10.10.10.1, subnet mask 255.255.255.252

Interface vlan30 "outside", is up, line protocol is up

MAC address 000e.8465.4a80, MTU 1500

IP address 192.168.94.68, subnet mask 255.255.255.224

Interface vlan40 "dmz", is up, line protocol is up

MAC address 000e.8465.4a80, MTU 1500

IP address 192.168.65.254, subnet mask 255.255.255.192

Interface vlan100 "inside", is up, line protocol is up

MAC address 000e.8465.4a80, MTU 1500

IP address 10.1.1.1, subnet mask 255.255.255.224

Hello,

This is normal according to the "Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.2" in the section "Failover Overview" at

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802010c0.html#wp1044735

"The FWSM has one MAC address for all interfaces."

I guess this makes failover more simple and faster to achieve.

Hope this helps! Please rate all posts.

Regards, Martin

Thanks for the reply.

My situation is similar to page 15-6 in the above link: FWSM failure only. It didn't fail over to the standby unit.

The difference is that in my production there are 2 outside switches (Cat3550) between the 6500s and the border routers. Currently, the 2 external switches (Cat3550) are primary/secondary root bridges for the outside VLAN 200.

So the FWSM outside interfaces' VLAN 200 are both in forwarding mode to the outside switches. And they are in blocking mode on the trunk for VLAN 200 on the standby FWSM.

When we reboot the active FWSM, the standby unit doesn't take over.

I can bidirectionally ping all interfaces to/from both FWSMs except the outside VLAN 200.

So my question is: is the FWSM interface VLAN 200 supposed to cross the trunk, or can it go over the external switches?

This should not be a problem when the MAC address is used on different broadcast domains (which VLAN interfaces represent).

Why? Maybe to save some addresses: Cisco doesn't know how many VLANs you're about to implement and cannot reserve numerous MAC addresses for these purposes.

Erik