
Strange fake0 interfaces and arp problem.

Hello.

I have discovered another problem with CAS server.

CAS IP = 192.168.9.9/23

CAS GW = 192.168.8.1

CAS DNS = 192.168.8.2

I can ping my gateway, a Google IP ( 74.125.229.201 ) and all other hosts that are not on the same subnet. I can ping from any other host to my CAS too. The issue here is that I can't ping from the CAS to any host inside the local subnet 192.168.8.0/23. I have found that the problem is related to ARP on the CAS. Look at this:

[root@nacserver ~]# arp -a
? (192.168.8.2) at 00:01:02:03:04:05 [ether] on fake0
? (192.168.9.98) at 00:01:02:03:04:05 [ether] on fake0
? (192.168.9.95) at 00:01:02:03:04:05 [ether] on fake0
? (192.168.8.1) at 00:01:02:03:04:05 [ether] on fake0

The output above is shown very slowly, line by line. Here is the ifconfig output.

[root@nacserver ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 5C:F3:FC:25:D4:61
          inet addr:192.168.9.9  Bcast:192.168.9.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:98821 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42539 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:13491186 (12.8 MiB)  TX bytes:5588195 (5.3 MiB)
          Interrupt:169

eth1      Link encap:Ethernet  HWaddr 5C:F3:FC:25:D4:62
          inet addr:192.168.200.9  Bcast:192.168.201.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:739 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39857 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:47296 (46.1 KiB)  TX bytes:4152502 (3.9 MiB)
          Interrupt:225

fake0     Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.9.9  Bcast:255.255.255.255  Mask:0.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:5098562 (4.8 MiB)

fake1     Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.200.9  Bcast:192.168.201.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

fake2     Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.200.9  Bcast:255.255.255.255  Mask:0.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

fake4     Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.9.9  Bcast:255.255.255.255  Mask:0.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1488 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1488 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:922688 (901.0 KiB)  TX bytes:922688 (901.0 KiB)

As you can see, there are many fake interfaces which take the same IPs as the trusted (eth0) and untrusted (eth1) interfaces. I have no idea why they even exist. Please give me some advice to fix it.

Greetings.

5 Replies

jw.sl9
Level 1

By default, your CAS/NAS will send ALL packets for local subnets out the UNTRUSTED interface, where your clients should be.

If you want to override this you can configure static routes in the GUI. If you are doing this, I'd suggest /32 for only the specific devices you need access to.

For more see:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_addSrvr.html#wp1084954

The fake# interfaces are created internally (Linux core :-) for traffic and VLAN "subinterfaces". They are okay.

I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.

Please rate post you consider useful.
-James


But I still don't understand why I can't ping from the CAS; because of this I cannot resolve any DNS either, because the DNS server is on its local subnet.

Are the devices you want to ping on the trusted or untrusted side of the CAS?

If the DNS server is on the same subnet as the CAS (trusted side, I hope), create a /32 route to it. Select the interface but leave the gateway blank.



I hope you find this information useful; if it was satisfactory for you, please mark the question as Answered.

Please rate post you consider useful.
-James


All hosts are on the trusted interface, including the WLC, wireless clients, DNS server, DHCP server and GW.

I added the /32 route and now I can ping the DNS server (192.168.8.2), but I still can't ping any other host on the same subnet. Should I add the whole subnet route too? Will it affect the future AD SSO implementation?

Thanks in advance.

When configuring the CAS as a virtual gateway you should not place the CAS on the same broadcast domain as your trusted resources, including the manager. The only workaround is to add /32 routes. This is also seen in environments with HSRP, since customers like to ping their CAS from time to time, and the ICMP messages are not sourced from the virtual interface but from the physical SVI interface of the active router.

This is documented and therefore you are experiencing something known.

Thanks,

Sent from Cisco Technical Support iPad App
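As an added diagnostic example (not from the original thread, from Cisco, or from any poster), the script below runs the checks this thread turns on over constructed samples modelled on the `arp -a` and `ifconfig` output posted in the question: it flags ARP entries that all collapse onto a single MAC (here the fake0 placeholder MAC; on an ordinary host the same pattern is the classic ARP-cache-poisoning symptom worth alerting on), finds neighbours that lie inside a physical NIC's subnet but were resolved over a different interface, and lists the /32 host routes James recommends as the workaround. The function names, the report layout and the trimmed sample output are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the thread's `arp -a` listing (not captured from a live CAS).
ARP_OUTPUT = """\
? (192.168.8.2) at 00:01:02:03:04:05 [ether] on fake0
? (192.168.9.98) at 00:01:02:03:04:05 [ether] on fake0
? (192.168.9.95) at 00:01:02:03:04:05 [ether] on fake0
? (192.168.8.1) at 00:01:02:03:04:05 [ether] on fake0
"""

# Constructed sample modelled on the thread's ifconfig output, trimmed to the addressing lines.
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 5C:F3:FC:25:D4:61
          inet addr:192.168.9.9  Bcast:192.168.9.255  Mask:255.255.254.0
eth1      Link encap:Ethernet  HWaddr 5C:F3:FC:25:D4:62
          inet addr:192.168.200.9  Bcast:192.168.201.255  Mask:255.255.254.0
fake0     Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.9.9  Bcast:255.255.255.255  Mask:0.0.0.0
fake1     Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.200.9  Bcast:192.168.201.255  Mask:255.255.254.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) \[ether\] on (?P<dev>\S+)")


def parse_arp(text):
    """Return a list of (ip, mac, device) tuples from BSD-style `arp -a` output."""
    return [(m["ip"], m["mac"].lower(), m["dev"]) for m in ARP_RE.finditer(text)]


def parse_ifconfig(text):
    """Return {device: {"mac": str|None, "addrs": [(ip, netmask), ...]}} from old-style ifconfig output.

    A new interface block starts in column 0; its address lines are indented.
    """
    ifaces, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            dev = line.split()[0]
            hw = re.search(r"HWaddr (\S+)", line)
            cur = ifaces[dev] = {"mac": hw.group(1).lower() if hw else None, "addrs": []}
        elif cur is not None and "inet addr:" in line:
            ip = re.search(r"inet addr:(\S+)", line).group(1)
            mask = re.search(r"Mask:(\S+)", line).group(1)
            cur["addrs"].append((ip, mask))
    return ifaces


def shared_mac_entries(arp_entries, threshold=2):
    """MACs that several IPs resolve to, with the IPs that share them.

    On the CAS this exposes the fake0 placeholder MAC; on a normal host the same
    finding (many neighbours, one MAC) is a detection signal for ARP poisoning.
    """
    by_mac = defaultdict(list)
    for ip, mac, _dev in arp_entries:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) >= threshold}


def neighbours_off_physical_nic(arp_entries, ifaces):
    """(ip, resolved_dev, expected_nic) for neighbours inside a physical NIC's subnet
    whose ARP entry nevertheless points at a different interface."""
    hits = []
    for ip, _mac, dev in arp_entries:
        for nic, info in ifaces.items():
            if nic.startswith("fake") or nic == "lo":   # only real NICs define on-link subnets
                continue
            for addr, mask in info["addrs"]:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                if ipaddress.ip_address(ip) in net and dev != nic:
                    hits.append((ip, dev, nic))
    return hits


def host_routes(misrouted):
    """The /32 routes from the thread's workaround: (prefix, interface), gateway left blank."""
    return sorted({(f"{ip}/32", nic) for ip, _dev, nic in misrouted},
                  key=lambda t: ipaddress.ip_address(t[0].split("/")[0]))


if __name__ == "__main__":
    entries = parse_arp(ARP_OUTPUT)
    ifaces = parse_ifconfig(IFCONFIG_OUTPUT)
    for mac, ips in shared_mac_entries(entries).items():
        print(f"MAC {mac} claimed by {len(ips)} IPs: {', '.join(ips)}")
    misrouted = neighbours_off_physical_nic(entries, ifaces)
    for ip, dev, nic in misrouted:
        print(f"{ip} resolved on {dev} but is on-link for {nic}")
    for prefix, nic in host_routes(misrouted):
        print(f"suggested static route: {prefix} via interface {nic}, no gateway")
```

Run it as-is to see the report for the constructed samples, or feed it real `arp -a` and `ifconfig` text captured from a host; the subnet test uses the NIC's own mask, so the 192.168.8.0/23 trusted network is derived from eth0's 255.255.254.0 rather than hard-coded.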