Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
306
Views
5
Helpful
3
Replies

VPN 3000 to PIX - IP Conflict messages - IP Pool depletion

dave.cooper
Level 1
Level 1

‎11-27-2002 04:30 AM - edited ‎02-21-2020 12:12 PM

The scenario looks like this:

VPN-Client

|

|

Internet

|

|

Cisco VPN 3000 Concentrator Version 3.6.5

|

|

PIX 415 firewall

I have setup an IP pool on the VPN Concentrator and allocated it to a Group. All works well if the Pix is disconnected and a IPsec tunnel succeeds. As soon as the Pix is reconnected the available IP's in the pool are depleted (Sequential "IP Conflict" message for each pool address in VPN 3000 syslog) and reconnection fails. Take the PIX out and all is well again! There are no other hosts on the private VPN back LAN. Replace the PIX with a host laptop and all work well.

Help appreciated.

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎11-27-2002 04:04 PM

Sounds weird. Do you have any static's in the PIX for the 3000 IP pool range? If so, the PIX is probably proxy arp'ing for them, but I didn't actually think the 3000 checked to see if something else had that address before allocating one to a client, but maybe it does.

On the PIX try turning off proxy-ARP'ing and see if that resolves it.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#xtocid25

dave.cooper
Level 1
Level 1
In response to gfullage

‎11-28-2002 12:38 AM

There are no static's in the PIX for the 3000 IP pool range. I also suspected proxy arp but from the VPN 3000. I get can ping the interface of the pix but get no response for a pool address. I guess this indicates the Pix is not proxy arping. I await a sniffer trace today to see what's going twix VPN 3000 and Pix!

Thanks

0 Helpful

dave.cooper
Level 1
Level 1
In response to dave.cooper

‎11-28-2002 02:31 AM

Seems proxy arp was the problem! On by default on the Pix - has been disabled with

#sysopt noproxyarp

Assuming the VPN 3000 does arp out before assigning address from IP pool. FYI - In this case the VPN 3000 interface address is within the IP pool range subnet.

All works well now - help appreciated!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents