09-03-2009 07:42 PM - edited 03-09-2019 10:33 PM
Hi,
We've been experiencing a PIX hangup wherein we cannot ping its same-subnet IPs and gateway. After rebooting, the condition seems to normalize.
Does it have something to do with these logs?
405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 1" on interface outside
405001: Received ARP response collision from "ip add"/"mac add 2" on interface outside
09-04-2009 12:13 AM
Looks like you have 2 devices configured with either the same IP address or the same MAC address.
Investigate the config of your equipment and any other 3rd party kit.
HTH
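The 405001 lines above show one IP answering from two MACs. As an added example (not from this thread or from Cisco), here is a small Python triage script that parses such PIX syslog lines and reports which IPs were seen with more than one MAC and which MACs answered for more than one IP, so the "two devices with the same address" hypothesis can be checked from the log alone. The sample log is constructed (RFC 5737 test addresses, made-up MACs).

```python
import re
from collections import defaultdict

# Matches the PIX 405001 ARP collision message, with or without the
# "%PIX-4-" prefix (the thread shows just the bare message id).
ARP_COLLISION = re.compile(
    r"405001: Received ARP response collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample syslog lines (RFC 5737 test addresses, made-up MACs),
# shaped like the alternating "mac add 1"/"mac add 2" pattern in the thread.
SAMPLE_LOG = """\
%PIX-4-405001: Received ARP response collision from 203.0.113.10/0011.2233.4455 on interface outside
%PIX-4-405001: Received ARP response collision from 203.0.113.10/00aa.bbcc.ddee on interface outside
%PIX-4-405001: Received ARP response collision from 203.0.113.10/0011.2233.4455 on interface outside
%PIX-4-302013: Built outbound TCP connection 12345 for outside:203.0.113.50/443 (203.0.113.50/443)
%PIX-4-405001: Received ARP response collision from 203.0.113.20/0011.2233.4455 on interface outside
"""

def parse_collisions(text):
    """Yield (interface, ip, mac) for every 405001 line; other messages are skipped."""
    for line in text.splitlines():
        m = ARP_COLLISION.search(line)
        if m:
            yield m.group("iface"), m.group("ip"), m.group("mac").lower()

def ips_with_multiple_macs(text):
    """{(iface, ip): {mac: count}} for IPs answered from more than one MAC.
    This is the thread's symptom: two hosts carry the same address, or
    something answers ARP for an address it does not own."""
    seen = defaultdict(lambda: defaultdict(int))
    for iface, ip, mac in parse_collisions(text):
        seen[(iface, ip)][mac] += 1
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

def macs_answering_multiple_ips(text):
    """{(iface, mac): set(ips)} for MACs that answered for several addresses.
    Legitimate for a neighbour doing proxy ARP, worth checking otherwise."""
    by_mac = defaultdict(set)
    for iface, ip, mac in parse_collisions(text):
        by_mac[(iface, mac)].add(ip)
    return {k: v for k, v in by_mac.items() if len(v) > 1}

if __name__ == "__main__":
    print(ips_with_multiple_macs(SAMPLE_LOG))
    print(macs_answering_multiple_ips(SAMPLE_LOG))
```

Feed it the firewall's real syslog export in place of SAMPLE_LOG; the MAC that shows up for an address it should not own is the device to locate on the switch.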
09-04-2009 12:18 AM
Hi sir,
Does this contribute to my not being able to access the failover PIX?
Thanks.
09-04-2009 12:21 AM
It will have some impact on this - if you have misconfigured your failover, yes.
09-04-2009 01:20 AM
How about the possibility of some form of attack, i.e. ARP poisoning or DoS?
09-04-2009 01:44 AM
Well, that could be a cause - but I would have thought that the device would have been set up/configured correctly with:
"ip verify reverse-path interface outside"
&
"sysopt noproxyarp outside"
09-04-2009 01:56 AM
Yes sir, it is configured with "ip verify reverse-path interface outside", but there is no "sysopt noproxyarp outside". Is this command supported for ver 6.3?
09-04-2009 02:06 AM
I know it is available in 6.3(4) - what ver are you running?
09-04-2009 02:13 AM
I'm using 6.3(5). Just want to clarify: what does this syntax do?
09-04-2009 02:21 AM
When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request and asks "Who is this IP address?". The device that owns the IP address replies, "I own that IP address; here is my MAC address."
Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host.
09-04-2009 02:30 AM
Would this have an impact on the network when you disable proxy ARP, i.e. NAT?
09-04-2009 03:05 AM
Yes it will - it will directly impact any "static" NAT configuration you have.
As the outside interface has a specific IP address in a range, if you have a static NAT in that range for an internal host, the PIX HAS to answer for it even though its IP is different; the next-hop layer 2 device will have multiple ARP entries containing the outside interface MAC address.