Cisco Support Community
New Member

PIX525 problem

Hi,

We've been experiencing a PIX hangup wherein we cannot ping its same-subnet IPs and gateway. After rebooting, the condition seems to normalize.

Does it have something to do with these logs?

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside

405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside

11 REPLIES

Re: PIX525 problem

Looks like you have 2 devices configured with either the same IP address or the same MAC address.

Investigate the config of your equipment and any other 3rd party kit.

HTH

Bronze

Re: PIX525 problem

Hi sir,

Does this contribute to me not being able to access the failover PIX?

Thanks.

Re: PIX525 problem

It will have some impact on this - if you have mis-configured your failover incorrectly, yes.

New Member

Re: PIX525 problem

How about the possibility of having some form of attack, i.e. ARP poisoning, DoS?

Re: PIX525 problem

Well, that could be a cause - but I would have thought that the device would have been set up/configured correctly with:

"ip verify reverse-path interface outside"

&

"sysopt noproxyarp outside"

New Member

Re: PIX525 problem

Yes sir, it is configured with "ip verify reverse-path interface outside" but there is no "sysopt noproxyarp outside". Is this command supported for ver 6.3?

Re: PIX525 problem

I know it is available in 6.3(4) - what ver are you running?

New Member

Re: PIX525 problem

I'm using 6.3(5). Just want to clarify, what does this syntax do?

Re: PIX525 problem

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request and asks "Who is this IP address?". The device that owns the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host.

New Member

Re: PIX525 problem

Would this have an impact on the network when you disable proxy ARP, i.e. NAT?

Re: PIX525 problem

Yes it will - it will directly impact any "Static" nat configuration you have.

As the outside interface has a specific IP address in a range - if you have a static NAT in that range for an internal host, the PIX HAS to answer for it, even though its IP is different, the next host layer 2 device will have multiple ARP entries containing the outside interface MAC address.
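An added example, not part of any poster's reply: a small Python script that reads 405001 messages in the form quoted in the original post and reports which IP addresses are being claimed by more than one MAC address, so the two devices can be traced on the switch. The function names, the sample IP addresses and the sample MAC addresses are constructed for illustration.

```python
import re

# Message body as posted in the thread; any syslog prefix before "405001" is ignored.
PATTERN = re.compile(
    r"405001: Received ARP (?:request|response) collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>[0-9A-Fa-f.:-]+) "
    r"on interface (?P<ifc>\S+)"
)

def normalize_mac(mac):
    """Reduce dotted, colon or dash notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return digits if len(digits) == 12 else None

def summarize_collisions(lines):
    """Per (interface, IP): how often each MAC appeared and how often it changed."""
    stats = {}
    for line in lines:
        m = PATTERN.search(line)
        mac = normalize_mac(m.group("mac")) if m else None
        if mac is None:
            continue  # unrelated message or malformed MAC
        entry = stats.setdefault((m.group("ifc"), m.group("ip")),
                                 {"macs": {}, "flips": 0, "last": None})
        entry["macs"][mac] = entry["macs"].get(mac, 0) + 1
        if entry["last"] not in (None, mac):
            entry["flips"] += 1
        entry["last"] = mac
    return stats

def contested_addresses(stats):
    """Keep only addresses claimed by more than one MAC."""
    return {key: e for key, e in stats.items() if len(e["macs"]) > 1}

# Constructed sample input (documentation IP and MAC ranges), same order as the post.
MAC_1, MAC_2 = "0000.5e00.5301", "0000.5e00.5302"
SAMPLE_LOG = [
    f"405001: Received ARP response collision from 192.0.2.10/{mac} on interface outside"
    for mac in (MAC_1, MAC_2, MAC_1, MAC_1, MAC_2, MAC_1, MAC_2)
] + [
    "405001: Received ARP response collision from 192.0.2.20/0000.5e00.5303 on interface outside",
    "302013: Built outbound TCP connection (constructed, unrelated line)",
]

if __name__ == "__main__":
    for (ifc, ip), e in contested_addresses(summarize_collisions(SAMPLE_LOG)).items():
        print(f"{ifc} {ip}: MACs {e['macs']}, changes between them: {e['flips']}")
```

An address that keeps alternating between two MACs matches the pattern in the posted log and points to two devices answering for the same IP; the report alone does not say whether that is a misconfiguration or spoofing.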
