Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1968
Views
0
Helpful
4
Replies

FWSM proxy arp problem

Neil Preston
Level 1
Level 1

‎03-02-2005 12:35 AM - edited ‎03-09-2019 10:29 AM

We have a DMZ design with a cisco FWSM being the internal firewall and a cisco PIX 515E the outside firewall. Some hosts running solaris version 8 located on the DMZ are unable to ping each other intermittently, investigation has proved that the internal FWSM module is populating the solaris hosts arp table pretending to be the destination MAC address for hosts residing on the same subnet. The FWSM has even be seen to pretend to be the outside PIX firewall which is the gateway for hosts resding on this DMZ. The hosts IP configuration is correct and the problem has been resolved by disabling proxy arp on the FWSM interface, is this a known issue with the cisco FWSM devices or can anyone explain why this is happenning ?

Labels:
0 Helpful
4 Replies 4

umedryk
Level 5
Level 5

‎03-07-2005 01:39 PM

As far as I know, this is not an issue, it is designed that way

0 Helpful

Neil Preston
Level 1
Level 1
In response to umedryk

‎03-08-2005 10:43 AM

Thanks for the response but I don't think Cisco would design a Firewall that pretends to be the destination device for hosts trying to communicate on the same LAN. This would prevent all hosts on the same subnet from talking to each other.

0 Helpful

jack.birdsall
Level 1
Level 1
In response to Neil Preston

‎03-08-2005 12:05 PM

have you considered the proxy arp config of the fwsm?

in other words, the statics, globals, nat 0 statements applicable to the interface in question?

the pix/fwsm will respond to arp requests(proxy arp) based on the above configuration elements. i'd start there. when you disabled proxy arp via sysopt noproxyarp this solved your problem, correct?

0 Helpful

Neil Preston
Level 1
Level 1
In response to jack.birdsall

‎03-14-2005 02:16 AM

We thought disabling proxy arp had resolved the issue, but the problem then happened again a few days later. I did find a bug relevant to my version of code which indicates that disabling proxy arp doesn't work, CSCee40501. We have since discovered that this problem only seems to occur on solaris hosts using IPMP configuration, we have removed the IPMP config from the host and are monitoring to see if this resolves the issue, thus far we have not seen symtoms of the fault for 2 days.

0 Helpful
Customers Also Viewed These Support Documents