01-12-2006 04:10 PM - edited 03-09-2019 01:36 PM
I have an FWSM 2.3.1 running in routed mode on a 6509. In the syslog server I keep on getting the following messages simultaneously:
"Received ARP response collision from 213.210.211.2/0005.5f7b.d806 on interface NOC"
"Received ARP response collision from 213.210.211.2/000f.28a8.7740 on interface NOC"
The show interface output comes as:
Interface vlan480 "NOC", is up, line protocol is up
MAC address 000f.23bf.7700, MTU 1500
IP address 213.210.211.2, subnet mask 255.255.255.224
What could be the possible reason for this?
01-13-2006 04:57 AM
Hello,
The reasons could be duplicate IPs.
MAC address block 00055f is registered to Cisco Systems and 000f28 is registered to:
00-0F-28 (hex) Itronix Corporation
South 801 Stevens Street
Spokane WA 99204
UNITED STATES
So which device is in the network possibly manufactured by Itronix?
Hope this helps! Please rate all posts.
Martin
01-14-2006 08:33 AM
Hi Martin,
I found the devices with those MACs.
000f.28a8.7740 is a Cisco 2950 switch with management IP 192.168.121.2
and 0005.5f7b.d806 is also a Cisco switch with IP 212.71.34.53.
These two devices are connected to the FWSM. The interface IP and MAC for the FWSM are 213.210.211.2/000f.23bf.7700.
All are connected on the same VLAN.
Am I getting this message because three different IP subnets are connected on the same L2 VLAN?
ashish
01-14-2006 09:16 AM
Hello ashish,
The exact meaning of the message can be found at
You wrote three subnets are on the same VLAN. What is the default gateway? I am thinking about proxy ARP - could that be the reason for the observed behaviour?
Hope this helps! Please rate all posts.
Regards, Martin
01-15-2006 05:55 AM
Hi Martin,
Thanks a lot. The problem is solved. I am not getting the messages after I matched the subnet mask of the FWSM interface 213.210.211.2/25 with that of ROU-01 213.210.211.1/25 (find attached the diagram).
It looks like the proxy ARP issue. But I am wondering why I was getting IP collision kind of messages instead of MAC collision (as in proxy ARP scenarios).
Thanks Again
Ashish
01-15-2006 07:18 AM
Hello,
You did not get an IP collision, but an ARP collision, i.e. two devices were answering an ARP request to resolve 213.210.211.2 - one was the FWSM, because it has the IP, and the others were "routers" answering through proxy ARP.
The ARP request basically got answered by all of them because the destination MAC is FF.FF.FF.FF.FF.FF and is therefore read by all hosts on the same VLAN.
In your setup none of the "routers" could know that they are all on the same VLAN, therefore proxy ARP kicked in and the FWSM, seeing all the ARP replies, was giving the message above.
The security background is that there is software out there to become man-in-the-middle by answering the ARP request for the default gateway from the hacker PC and therefore attracting all traffic in the LAN. The software is smart enough to even forward the traffic to the default gateway after that, so users might not be suspicious because they finally get connectivity.
The FWSM is just warning you that this might be the case.
Hope this helps! Please rate all posts.
Regards, Martin
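As an added illustration of the check Martin describes (this is not code from the thread or from Cisco): a small model of a per-interface ARP table that raises a warning when a reply for an already-bound address, including the firewall's own interface address, arrives from a different MAC. The replies are constructed from the MACs quoted above; the class and function names are assumptions.

```python
"""Model of an ARP-collision check, reconstructed from the thread.

The firewall keeps an ARP table per interface.  When an ARP reply claims an
IP address that is already bound to a different MAC (including the firewall's
own interface address), it logs an "ARP response collision".  Two proxy-ARP
routers answering for the firewall's IP therefore produce two such messages.
"""
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    interface: str
    sender_ip: str
    sender_mac: str


@dataclass
class ArpCollisionMonitor:
    # interface name -> (own IP, own MAC) of that interface, as in "show interface"
    own: dict
    table: dict = field(default_factory=dict)   # (interface, ip) -> mac

    def __post_init__(self):
        # Seed the table with the firewall's own addresses so that a reply for
        # 213.210.211.2 from any other MAC is immediately a collision.
        for iface, (ip, mac) in self.own.items():
            self.table[(iface, ip)] = mac

    def observe(self, reply: ArpReply):
        """Return the syslog-style warning for a colliding reply, else None."""
        key = (reply.interface, reply.sender_ip)
        known = self.table.get(key)
        if known is None:
            self.table[key] = reply.sender_mac   # first binding seen: learn it
            return None
        if known == reply.sender_mac:
            return None                          # refresh of the same binding
        return (f"Received ARP response collision from "
                f"{reply.sender_ip}/{reply.sender_mac} on interface {reply.interface}")


def run(monitor, replies):
    """Feed replies through the monitor and collect the warnings it raises."""
    return [m for m in (monitor.observe(r) for r in replies) if m]


# Constructed replies: two proxy-ARP routers answer a request for the FWSM's address.
SAMPLE = [
    ArpReply("NOC", "213.210.211.1", "0005.5f7b.d806"),   # router's own address, fine
    ArpReply("NOC", "213.210.211.2", "0005.5f7b.d806"),   # proxy-ARP answer for FWSM's IP
    ArpReply("NOC", "213.210.211.2", "000f.28a8.7740"),   # second proxy-ARP answer
    ArpReply("NOC", "213.210.211.2", "000f.23bf.7700"),   # FWSM's own reply, no collision
]

if __name__ == "__main__":
    mon = ArpCollisionMonitor(own={"NOC": ("213.210.211.2", "000f.23bf.7700")})
    for line in run(mon, SAMPLE):
        print(line)
```

Fixing the overlapping masks, as Ashish did, removes the proxy-ARP answers and therefore the warnings; a genuine ARP-spoofing attempt against the gateway address would show up the same way.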
01-18-2006 12:36 PM
Why does the FWSM show the same MAC address (000e.8465.4a80) on all interfaces?
Interface vlan10 "management", is up, line protocol is up
MAC address 000e.8465.4a80, MTU 1500
IP address 192.168.97.137, subnet mask 255.255.255.224
Interface Vlan20 "failover", is up, line protocol is up
MAC address 000e.8465.4a80, MTU 1500
IP address 10.10.10.1, subnet mask 255.255.255.252
Interface vlan30 "outside", is up, line protocol is up
MAC address 000e.8465.4a80, MTU 1500
IP address 192.168.94.68, subnet mask 255.255.255.224
Interface vlan40 "dmz", is up, line protocol is up
MAC address 000e.8465.4a80, MTU 1500
IP address 192.168.65.254, subnet mask 255.255.255.192
Interface vlan100 "inside", is up, line protocol is up
MAC address 000e.8465.4a80, MTU 1500
IP address 10.1.1.1, subnet mask 255.255.255.224
01-18-2006 01:02 PM
Hello,
This is normal according to the "Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.2" in the section "Failover Overview" at
"The FWSM has one MAC address for all interfaces."
I guess this makes failover more simple and faster to achieve.
Hope this helps! Please rate all posts.
Regards, Martin
01-19-2006 07:22 AM
Thanks for the reply.
My situation is similar to page 15-6 in the above link: FWSM failure only. It didn't fail over to the standby unit.
The difference is that in my production there are 2 outside switches (Cat3550) between the 6500s and the border routers. Currently, the 2 external switches (Cat3550) are primary/secondary root bridges for the outside VLAN 200.
So the FWSM outside interfaces' VLAN 200 are both in forwarding mode to the outside switches, and they are in blocking mode on the trunk for VLAN 200 on the standby FWSM.
When we reboot the active FWSM, the standby unit didn't take over.
I can bi-directionally ping all interfaces to/from both FWSMs except the outside VLAN 200.
So my question is: is the FWSM interface VLAN 200 supposed to cross the trunk, or can it be over the external switches?
01-18-2006 01:13 PM
This should not be a problem when the MAC address is used on different broadcast domains (which VLAN interfaces represent).
Why? Maybe to save some addresses; Cisco doesn't know how many VLANs you're about to implement and cannot reserve numerous MAC addresses for these purposes.
Erik