Re: PIX answering ARP for other IPs on segment

From: Serguei Bezverkhi (Serguei.Bezverkhi@hp.com)
Date: Thu May 15 2003 - 10:26:02 GMT-3


Verify that you have excluded 10.10.10.1 from the global (outside) on the
PIX. PIX answers ARPs for all IP addresses defined in global and static.

HTH

Serguei
----- Original Message -----
From: "Phil Virnoche" <p.virnoche@verizon.net>
To: <ccielab@groupstudy.com>
Sent: Thursday, May 15, 2003 8:04 AM
Subject: OT: PIX answering ARP for other IPs on segment

> (An "ATTA-BOY" award to anyone who can solve this one!!!)
>
> Good morning all-
>
> I have a real head scratcher that I can't find anything documented on.
> Here is my setup:
>
> INTERNET --------- Border Router (10.10.10.1) ---------- Switch
> --------------- (10.10.10.2) Pair of PIX 520s in failover (6.2.2 OS)
>
> Off of the switch I have an Aventail VPN server with an IP of 10.10.10.5,
> and the default gateway set to 10.10.10.1.
>
> Now here is the problem: I could not establish a session with the
> Aventail from the outside, so I set up a SPAN port on the switch and
> sniffed the INGRESS port from the Border Router. I saw the traffic
> coming in. Next I sniffed the EGRESS port from the switch to the
> Aventail and saw traffic coming in, AND the Aventail answering!!! But
> where in the "H" "E" double toothpicks was it going???? After a few
> choice swear words and another hour of troubleshooting, I discovered that
> the ARP cache on the Aventail had an entry pointing 10.10.10.1 to
> the MAC of the PIX!!!!! I immediately cleared the ARPs on the PIX, the
> Router and the Aventail, and initiated a continuous ping from the Aventail
> to 10.10.10.1. Voilà, I could now establish my VPN connection!
> As long as I leave the continuous PING running on the Aventail,
> everything works, but if I don't, the ARP cache times out and the PIX
> once again answers the ARP for 10.10.10.1.
>
> Has anyone ever experienced this ODD behavior before? How did you fix it?
> ANY info would be greatly appreciated!!
>
> Regards-
> Phil
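
As an added illustration (not part of either message above, and not Phil's real configuration), here is a small Python check that models the behaviour Serguei describes: a PIX 6.x answers ARP on the outside interface for every address that appears in a `global (outside)` pool or as the mapped address of a `static`. The script parses a constructed PIX config fragment in which the global pool wrongly includes the border router's address 10.10.10.1, lists every address the PIX would proxy-ARP for, and flags any that collide with other hosts on the segment (the router at 10.10.10.1 and the Aventail at 10.10.10.5). A corrected fragment with the offending `global` line removed is checked alongside it. The config lines, the pool ranges and the `static` entry are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed PIX 6.x config fragment (illustrative only, not the poster's config).
# The second "global" line wrongly hands the border router's IP, 10.10.10.1,
# to the NAT pool, so the PIX will answer ARP for it on the outside segment.
BAD_CONFIG = """
ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 10.10.10.3-10.10.10.4 netmask 255.255.255.0
global (outside) 1 10.10.10.1 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.10.10.6 192.168.1.6 netmask 255.255.255.255
"""

# Corrected fragment: same config with the global entry for 10.10.10.1 removed.
GOOD_CONFIG = "\n".join(
    line for line in BAD_CONFIG.splitlines()
    if not line.startswith("global (outside) 1 10.10.10.1 ")
)

# "global (<if>) <pool-id> <addr | lo-hi | interface> ..."
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+\d+\s+(\S+)")
# "static (<real-if>,<mapped-if>) <mapped-addr> <real-addr> ..."
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)")


def proxy_arp_addresses(config, interface="outside"):
    """Return the set of IPs the PIX will answer ARP for on `interface`,
    i.e. every global-pool address and every static mapped address there."""
    claimed = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m and m.group(1) == interface:
            spec = m.group(2)
            if spec == "interface":
                # PAT on the interface address: that is the PIX's own IP already.
                continue
            if "-" in spec:
                lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec.split("-"))
                claimed.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
            else:
                claimed.add(spec)
            continue
        m = STATIC_RE.match(line)
        if m and m.group(2) == interface:
            claimed.add(m.group(3))  # the mapped (outside-facing) address
    return claimed


def arp_conflicts(config, segment_hosts, interface="outside"):
    """Hosts on the segment whose IP the PIX would also answer ARP for."""
    return sorted(proxy_arp_addresses(config, interface) & set(segment_hosts))


if __name__ == "__main__":
    # Other hosts on the outside segment: the border router and the Aventail.
    segment = ["10.10.10.1", "10.10.10.5"]
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, "proxy-ARP set:", sorted(proxy_arp_addresses(cfg)))
        print(name, "conflicts with segment hosts:", arp_conflicts(cfg, segment))
```

Running it reports 10.10.10.1 as a conflict for the first fragment and nothing for the corrected one; the `static` mapped address 10.10.10.6 shows up in both proxy-ARP sets, which is the intended behaviour. On a live box the equivalent check is to read `show global` and `show static` and confirm that no pool or mapped address is also assigned to another host on that segment.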



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:43 GMT-3