Jacopo Belcredi
Level 1

Packet loss with local-proxy-arp enabled

Hi all

I want to share with you an issue I found using local-proxy-arp in a VPN remote access setup.

The difference between proxy-arp and local-proxy-arp is that with normal proxy ARP the router answers with its own MAC address for a REMOTE network IP address, while with local-proxy-arp the router answers with its own MAC address for an IP address in its own subnet.

In my case I configured a Cisco 1720 router as remote-access VPN server in the subnet 192.168.0.0/24, where the default gateway of this network is 192.168.0.254.

The RA pool couldn't be outside the 192.168.0.0/24 subnet, because clients had IP .254 configured as default gateway and the installation of the VPN server had to be transparent to normal operations.

If I had configured an external pool, the VPN wouldn't work, because clients would send the traffic to the default gateway, which in turn would drop the traffic because it had no route to the VPN pool.

Diagnosis

With a local remote access pool, clients made ARP requests to find the IP addresses in the local network, but nobody replied to them because the VPN server didn't know the real MAC addresses of the pool's IPs.

On Cisco routers proxy ARP is enabled by default, but 'local-proxy-arp' isn't.

When I enabled local-proxy-arp in interface config mode, clients in the local network began to reply to my PC connected through the VPN.

However, I noticed that 50% of the ICMP packets I sent were not received; precisely, one packet was delivered and the next was not, alternately.

This was because the VPN server didn't know the real MAC addresses of the VPN clients, so it created an ARP request for every packet itself.

Solution

The solution was to set static MAC addresses in the ARP table of the Cisco 1720 VPN server, so that it didn't need to produce ARP requests for the connected VPN clients, and there is no more packet loss.

This is the command to set static arp entries:

arp [ip address] [mac-address] ARPA

I also disabled 'ip redirects' on the interface.

Hope this topic can be useful.

Regards,

Jacopo
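As an added illustration of the fix described in the post above (example code, not part of the original post), the following script checks a 'show ip arp' listing for pool addresses that still lack a static entry on the VPN server and emits the corresponding arp commands. The sample ARP output, the pool range 192.168.0.200-203 and the locally-administered placeholder MACs (0200.xxxx.xxxx) are constructed assumptions; the post does not say which MAC addresses it used.

```python
import ipaddress
import re

# Constructed sample of IOS 'show ip arp' output (not taken from the post).
# Age '-' marks a static entry; 'Incomplete' marks a pending ARP request.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.254           5   0011.2233.4455  ARPA   FastEthernet0
Internet  192.168.0.1             -   0011.2233.aabb  ARPA   FastEthernet0
Internet  192.168.0.201           -   0200.c0a8.00c9  ARPA   FastEthernet0
Internet  192.168.0.202           0   Incomplete      ARPA
"""

ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+ARPA")


def parse_show_ip_arp(text):
    """Return {ip: (is_static, is_incomplete)} from 'show ip arp' text."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, age, hw = m.groups()
            entries[ip] = (age == "-", hw.lower() == "incomplete")
    return entries


def missing_static_entries(arp_text, pool_first, pool_last):
    """List pool addresses that have no usable static ARP entry on the VPN server."""
    entries = parse_show_ip_arp(arp_text)
    first = int(ipaddress.ip_address(pool_first))
    last = int(ipaddress.ip_address(pool_last))
    missing = []
    for n in range(first, last + 1):
        ip = str(ipaddress.ip_address(n))
        is_static, is_incomplete = entries.get(ip, (False, False))
        if not is_static or is_incomplete:
            missing.append(ip)
    return missing


def placeholder_mac(ip):
    """Assumed placeholder: a locally-administered MAC (0200.xxxx.xxxx) derived from the IP."""
    h = ipaddress.ip_address(ip).packed.hex()
    return f"0200.{h[:4]}.{h[4:]}"


def static_arp_commands(arp_text, pool_first, pool_last):
    """Emit 'arp <ip> <mac> ARPA' for every pool address still lacking a static entry."""
    return [f"arp {ip} {placeholder_mac(ip)} ARPA"
            for ip in missing_static_entries(arp_text, pool_first, pool_last)]


if __name__ == "__main__":
    for cmd in static_arp_commands(SHOW_IP_ARP, "192.168.0.200", "192.168.0.203"):
        print(cmd)
```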

Comments
Jafar Tavana
Level 1

Thanks
