I was aware of the noproxyarp command (thought of it but never actually tried it while t-shooting) but it didnt seem like that would be the problem.

Host is on the inside, IP of .162 pinging inside interface of firewall .161

Process would be ARP request from .162 asking who has .161, response from .161. Then the ICMP Echo request is sent, arrives at the firewall.

Firewall sends out an arp request "who has .162?" Which is where proxyarping would come into play if anywhere since .162 is a host behind the firewall with a static built in the firewall (static (inside, outside) x.x.x.x x.x.x.x netmask 255.255.255.255). So if proxyarping was the problem it would now allegedly use proxy arp to respond to its own ARP request (which doesnt sound plausible to begin with) in which case the problem would be that the src and dst macs would both be those of the firewall. That is not the case, the source and destination MACs are both those of the server....how could proxy arping change what the firewall uses as its own source mac in its replies?

sh arp in the firewall shows the server's IP associated with its correct mac

also, if proxyarp was the problem wouldnt it affect the packets similarly when the pix pinged the server? This problem does not exist when the pix pings the server, only when the server pings the pix (see logs above).

Can you explain how proxy arp is causing this?

bump?

Sorry, the PING is what is not working (and all other connectivity to "THOR" through the firewall.

I misspoke when I said "ARP", I was trying to express that the problem with ICMP appears to be a layer 2 problem since the fw is responding with the destination mac as the src and dst mac in the packet.

18:07:47.322065 0800.20c5.93f6 0800.20c5.93f6 0x0800 98: 12.12.3.161 > THOR: icmp: echo reply (ttl 255, id 10920)

18:07:48.322325 0800.20c5.93f6 0003.e300.2851 0x0800 98: THOR > 12.12.3.161: icmp: echo request (ttl 255, id 25094)

18:07:48.322371 0800.20c5.93f6 0800.20c5.93f6 0x0800 98: 12.12.3.161 > THOR: icmp: echo reply (ttl 255, id 10921)

In above Notice SRC MAC: 0800.20c5.93f6 and DST MAC 0800.20c5.93f6

18:07:49.322676 0800.20c5.93f6 0003.e300.2851 0x0800 98: THOR > 12.12.3.161: icmp: echo request (ttl 255, id 25095)

In above notice SRC MAC: 0800.20c5.93f6 abd DST MAC 0003.e300.2851.

how can a packet have the same src and dst mac address? If nothing else wouldnt that cause problems with the switch's cam table since it would see the incoming packet and say "oh my, that host is now on this interface (referring the the FW interface the ICMP reply just came in from)"

any other ideas?

shouldnt the pix be incapable of generating these packets? What is a circumstance where it would be ok to have a packet with the same SRC and DST mac? How can it even generate this traffic?

Ok, now I got the problem.

This is really a puzzle.

I agree that those packets should not occur. Are you sure that these are the packets really sent? Could be an error in the debug output.

Can you check the CAM table in the switch? It should then show the server MAC at the PIX port, because the switch would learn it by the src MAC sent in the PIX reply. This would also explain why the ICMP reply doesn´t reach the server - the switch would not forward it to the server port.

But assuming the debug output shows what really happens, what I would do:

a) famous reload of PIX... (means being clueless, but optimistic)

b) IOS upgrade ... (standard TAC answer)

c) open a TAC case, because this is definately a software bug.

Hope this helps

Martin

Reloaded it numerous times, did a write erase and reconfigured it also.

IOS upgrade is being tried as we speak (I think he was going to try that yesterday but it was already at 6.3(4) so im not sure what we will be able to gain)

has anyone else ever run into this?

bump

pix os upgrade to 6.3(5) didnt fix it either....this is officially unsolved.