RE: PIX answering ARP for other IPs on segment

From: Lupi, Guy (Guy.Lupi@eurekanetworks.net)
Date: Thu May 15 2003 - 10:20:40 GMT-3


I don't know much about the PIX, but it sounds like some sort of proxy ARP
issue. As long as the ARP is answered by the Aventail first there is no
problem, but if not it sounds like the PIX is answering for it, and all
traffic that is supposed to go to the Aventail is going to the PIX. Not
sure if this is your issue, but it is worth looking into. There appear to
be some bug reports relating to proxy ARP on the PIX on cisco.com.

-----Original Message-----
From: Phil Virnoche [mailto:p.virnoche@verizon.net]
Sent: Thursday, May 15, 2003 7:05 AM
To: ccielab@groupstudy.com
Subject: OT: PIX answering ARP for other IPs on segment

(An "ATTA-BOY" award to anyone that can solve this one!!!)
 
Good morning all-
 
I have a real head scratcher that I can't find anything documented on.
Here is my setup:
 
INTERNET --------- Border Router (10.10.10.1) ---------- Switch
--------------- (10.10.10.2) Pair of PIX 520's in failover (6.2.2 OS)
 
Off of the switch I have an Aventail VPN server with an IP of 10.10.10.5,
and the default gateway set to 10.10.10.1.
 
Now here is the problem: I could not establish a session with the
Aventail from the outside, so I set up a SPAN port on the switch and
sniffed the INGRESS port from the Border Router. I saw the traffic
coming in. Next I sniffed the EGRESS port from the switch to the
Aventail and saw traffic coming in, AND the Aventail answering!!! But
where in the "H" "E" double toothpicks was it going???? After a few
choice swear words and another hour of troubleshooting I discovered that
the ARP cache on the Aventail had an entry pointing the 10.10.10.1 to
the MAC of the PIX!!!!! I immediately cleared the ARPs on the PIX, the
Router and the Aventail, and initiated a continuous ping from the Aventail
to the 10.10.10.1. WAH-LA, I could now establish my VPN connection!
As long as I leave the continuous PING running on the Aventail,
everything works, but if I don't, the ARP cache times out and the PIX
once again answers the ARP for the 10.10.10.1.
 
Anyone ever experienced this ODD behavior before? How did you fix it?
ANY info would be greatly appreciated!!
 
Regards-
Phil
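The symptom in this thread (a firewall answering ARP for the router's address, so a host's ARP cache ends up pointing at the wrong MAC) is easy to confirm from the same kind of SPAN-port capture Phil describes: look for one IP being claimed by more than one MAC. The script below is an added example written for this archive page, not code from either poster or from Cisco. It parses tcpdump-style ARP reply lines and reports conflicts; the capture text and all MAC addresses are constructed samples, and the `expected` owner table is an assumption standing in for whatever the operator knows about their own segment.

```python
"""Flag IPs on a segment that are answered by more than one MAC.

Added example for the "PIX answering ARP" thread. The capture lines and
MAC addresses below are constructed; they are not from the original post.
"""
import re
from collections import defaultdict

# Matches tcpdump's text form of an ARP reply, e.g.
#   "ARP, Reply 10.10.10.1 is-at 02:aa:bb:00:00:01, length 28"
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample capture: the router's own reply for 10.10.10.1 is
# followed by a second reply for the same IP from the MAC that also owns
# 10.10.10.2 (the firewall in the thread's topology). MACs are made up.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 10.10.10.1 tell 10.10.10.5, length 28
12:00:01.000150 ARP, Reply 10.10.10.1 is-at 02:aa:bb:00:00:01, length 28
12:00:01.000200 ARP, Reply 10.10.10.1 is-at 02:aa:bb:00:00:02, length 28
12:00:03.000000 ARP, Request who-has 10.10.10.2 tell 10.10.10.5, length 28
12:00:03.000120 ARP, Reply 10.10.10.2 is-at 02:aa:bb:00:00:02, length 28
"""


def parse_arp_replies(capture_text):
    """Return (ip, mac) tuples, in capture order, for every ARP reply line."""
    replies = []
    for line in capture_text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            replies.append((m.group("ip"), m.group("mac").lower()))
    return replies


def find_conflicts(replies):
    """Map each IP that was answered by more than one MAC to the MACs seen."""
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def find_unexpected(replies, expected):
    """Given the MAC each IP should have, list replies that came from another MAC."""
    return [(ip, mac) for ip, mac in replies
            if ip in expected and mac != expected[ip].lower()]


def ips_claimed_by(replies, mac):
    """All IPs a given MAC has answered for; a MAC answering for several
    addresses is the proxy-ARP signature the thread describes."""
    return {ip for ip, m in replies if m == mac.lower()}


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_CAPTURE)
    for ip, macs in find_conflicts(replies).items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(sorted(macs))}")
    # Assumed owner table for the sample segment (router, then firewall).
    expected = {"10.10.10.1": "02:aa:bb:00:00:01",
                "10.10.10.2": "02:aa:bb:00:00:02"}
    for ip, mac in find_unexpected(replies, expected):
        print(f"unexpected reply: {ip} is-at {mac}, "
              f"which also answers for {sorted(ips_claimed_by(replies, mac))}")
```

Feed it the output of a `tcpdump -n arp` run on the SPAN port instead of the sample string; if the gateway IP shows up under two MACs, and the second MAC is the one that answers for the firewall's own address, the capture confirms the proxy-ARP explanation without waiting for a client's ARP cache to expire.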



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:43 GMT-3