UPDATE- OT: PIX answering ARP for other IPs on segment

From: p.virnoche@verizon.net
Date: Thu May 15 2003 - 11:25:35 GMT-3


DING-DING-DING .... WE HAVE A WINNER !!!!

ATTA-BOY-EEEEE !!!!!

Thanks much, now I can leave for Maui (for 10 days) without this on my mind !!!!

Phil
>
> From: "Roberts, Larry" <Larry.Roberts@expanets.com>
> Date: 2003/05/15 Thu AM 06:22:38 PDT
> To: "'Phil Virnoche'" <p.virnoche@verizon.net>, ccielab@groupstudy.com
> Subject: RE: PIX answering ARP for other IPs on segment
>
> I would check your global statement to be sure that the .1 is not in the
> range.
> I would also check through all your statics to make sure that you don't
> have a static set to .1
>
>
> Thanks
>
> Larry
>
> -----Original Message-----
> From: Phil Virnoche [mailto:p.virnoche@verizon.net]
> Sent: Thursday, May 15, 2003 7:05 AM
> To: ccielab@groupstudy.com
> Subject: OT: PIX answering ARP for other IPs on segment
>
>
> (An "ATTA-BOY" award to anyone that can solve this one !!! )
>
> Good morning all-
>
> I have a real head scratcher that I can't find anything documented on. Here
> is my setup:
>
> INTERNET --------- Border Router (10.10.10.1) ---------- Switch --------------- (10.10.10.2) Pair of PIX 520's in failover (6.2.2 OS)
>
> Off of the switch I have an Aventail VPN server with an IP of 10.10.10.5 ,
> and the default gateway set to 10.10.10.1
>
> Now here is the problem: I could not establish a session with the Aventail
> from the outside so I set up a SPAN port on the switch and sniffed the
> INGRESS port from the Border Router. I saw the traffic coming in. Next I
> sniffed the EGRESS port from the switch to the Aventail and saw traffic
> coming in, AND the Aventail answering !!! But where in the "H" "E" double
> tooth picks was it going???? After a few choice swear words and another hour
> of troubleshooting I discovered that the ARP cache on the Aventail had an
> entry pointing the 10.10.10.1 to the MAC of the PIX !!!!! I immediately
> cleared the ARPS on the PIX and the Router and Aventail. Initiated a
> continuous ping from the Aventail to the 10.10.10.1. WAH-LA , I could now
> establish my VPN connection ! As long as I leave the continuous PING running
> on the Aventail, everything works, but if I don't, the ARP cache times out
> and the PIX once again answers the ARP for the 10.10.10.1
>
> Anyone ever experienced this ODD behavior before? How did you fix it? ANY
> info would be greatly appreciated !!
>
> Regards-
> Phil
>

Philip G. Virnoche - CCDP CCNP
(C) 425.753.6007
(H) 425.828.9079



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:43 GMT-3