vantonenko
Beginner

FWSM false ARP reply

Hello,

I have a weird issue with some server LANs that are terminated on the FWSM.

These LANs use static IP addressing.

All of the servers are VMware VMs.

After a reboot or a restart of the network interfaces on these VMs, the OS (Windows and Linux) reports "Duplicate IP address".

We used Wireshark on a VM and noticed the following:

During network interface initialization, the VM sends an ARP request for its own IP address to check for IP duplication in the LAN.

The FWSM (gateway) replies to this request that this IP address is on the FWSM, but this is false. It uses a different IP address.

Another weird thing is that the Frame Check Sequence field in the reply frame equals 0x00000000.

The VM receives the ARP reply, concludes that there is an IP duplication in the LAN, and stops network operation.

[Image: false arp reply]

I don't know, and could not find any information about, the mechanism that makes the FWSM send an ARP reply this way.

1 REPLY 1
Sandeep Singh
Rising star

Hi vantonenko

It is common for security appliances (like the FWSM) that are doing IP proxy to reply to an IP address query; however, this is supposed to be for the outside network and not for the same subnet. Check the config on your FWSM.
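
A diagnostic sketch for the symptom discussed in this thread, added here as an example and not written by either poster or by Cisco: it walks captured Ethernet frames and flags any ARP reply that claims an address another host was checking for itself. The function names, MAC addresses and IP addresses are assumptions constructed for the illustration.

```python
import struct
from ipaddress import IPv4Address

REQUEST, REPLY = 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed Ethernet + ARP frame (no FCS) for the sample capture."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = mac(tha if op == REPLY else "ff:ff:ff:ff:ff:ff") + mac(sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sha) + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_ip = str(IPv4Address(frame[28:32]))
    target_ip = str(IPv4Address(frame[38:42]))
    return op, frame[22:28].hex(":"), sender_ip, target_ip

def find_false_replies(frames):
    """Flag ARP replies that claim an address another host is checking for itself."""
    probing = {}   # checked IP -> MAC of the host running the duplicate check
    findings = []
    for frame in frames:
        if (parsed := parse_arp(frame)) is None:
            continue
        op, sha, spa, tpa = parsed
        # Duplicate check: ARP probe (sender 0.0.0.0) or request for one's own IP
        if op == REQUEST and spa in ("0.0.0.0", tpa):
            probing[tpa] = sha
        elif op == REPLY and spa in probing and sha != probing[spa]:
            findings.append((spa, probing[spa], sha))
    return findings

VM, GW, ZERO = "00:50:56:aa:bb:01", "00:00:5e:00:53:01", "00:00:00:00:00:00"
SAMPLE = [  # constructed frames, not taken from the poster's capture
    build_arp(REQUEST, VM, "0.0.0.0", ZERO, "192.0.2.10"),    # VM checks its own IP
    build_arp(REPLY, GW, "192.0.2.10", VM, "0.0.0.0"),        # gateway answers for it
    build_arp(REQUEST, VM, "192.0.2.10", ZERO, "192.0.2.1"),  # normal gateway lookup
    build_arp(REPLY, GW, "192.0.2.1", VM, "192.0.2.10"),      # legitimate reply
]

if __name__ == "__main__":
    for ip, owner, claimant in find_false_replies(SAMPLE):
        print(f"{claimant} answered for {ip}, which {owner} was checking")
```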
