Velocity Reviews - Computer Hardware Reviews

ARP Poisoning?

 
 
Steven B
07-11-2007
OK, I have a very strange problem that I will attempt to outline.
Here is the situation:

I have a DHCP server that exist on about 10 inside VLANs. It is
trunked into all VLANs that it services with different scopes assigned
for each VLAN.

What is happening is everyday a few users (there is no pattern) will
complain of not being able to get to internet or email. They can ping
everything on their VLAN and even things on other internal VLANs. The
problem is getting across the ASA (it is a 5540). The Exchange server
sits in the DMZ and obviously the internet is on the outside.

To fix this I was originally finding out what address was assigned to
the node, excluding it from the scope, and having the node pull a new
address. This worked but I do not want to have to keep doing this. I
then began thinking that this was an ARP problem and I have twice so
far gone in and done a "clear arp" on the ASA when I have users with
this problem and this fixes the problem too...

Any ideas on this one?

 
J.Cottingim
07-11-2007
> I then began thinking that this was an ARP problem and I have twice so
> far gone in and done a "clear arp" on the ASA when I have users with
> this problem and this fixes the problem too...
>


When you are experiencing the problem, before clearing the ARP cache
on the ASA, check that the ARP entry for the client machine (the one
with the problem) matches the actual MAC.
If it matches, check the ARP entry for the next-hop router.
If that matches as well, you are not looking at an ARP poisoning
problem.
If they do not match, track down the offending MAC on the switched
network.

Also, do all of your VLANs use the ASA as a default gateway, or do you
have a router there? It would help to know the topology of the
network in question.

Thanks
JC

 
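The check JC describes above (compare the firewall's ARP entry for the client and for the next-hop router against the real MACs, and if they disagree hunt for the MAC that is answering), worked through as an added Python example. This is not code from the thread: the "show arp" lines, the known-good MAC table and every address in it are constructed for the illustration. One caveat worth keeping in mind: a firewall only holds ARP entries for hosts on its directly connected subnets, so where a separate router is the VLAN gateway the client's entry lives in that router's ARP cache and the entry of interest on the firewall is the router's.

```python
"""ARP-cache consistency check: compare a firewall's ARP table with MACs learned out of band.

Added example with constructed data. The 'show arp' lines and the known-good MAC
table below are invented for this illustration and do not come from the thread.
"""
import re
from collections import defaultdict

# Cisco-style 'show arp' output (constructed): interface, IP, dotted-hex MAC, age.
# The entry for 10.1.10.77 deliberately carries the MAC of 10.1.10.50, i.e. one
# host is answering ARP on behalf of another, which is what poisoning looks like
# from the firewall's side.
SAMPLE_SHOW_ARP = """\
        inside 10.1.10.1 0011.2233.0001 12
        inside 10.1.10.50 0011.2233.0050 3
        inside 10.1.10.77 0011.2233.0050 5
        dmz 10.1.20.10 00aa.bbcc.dd10 44
"""

# Ground truth collected on the hosts themselves ('ipconfig /all' on the client,
# 'show interfaces' on the next-hop router). Constructed; notations deliberately
# mixed to exercise the normaliser.
KNOWN_MACS = {
    "10.1.10.1": "00-11-22-33-00-01",   # next-hop router interface for this VLAN
    "10.1.10.50": "00:11:22:33:00:50",  # a healthy workstation
    "10.1.10.77": "0011.2233.0077",     # the workstation that cannot reach the DMZ
}

ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})(?:\s+(?P<age>\S+))?\s*$"
)


def normalize_mac(mac: str) -> str:
    """Reduce Cisco dotted, colon or dash notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_show_arp(text: str) -> dict:
    """Return {ip: normalised MAC} from 'show arp' output, skipping lines that do not parse."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def check_arp(arp_table: dict, known: dict) -> list:
    """Findings are tuples: ('missing'|'mismatch', ip, seen_mac, expected_mac), or
    ('duplicate_mac', mac, ips, None) when one MAC answers for several IPs."""
    findings = []
    for ip, expected in known.items():
        want = normalize_mac(expected)
        seen = arp_table.get(ip)
        if seen is None:
            findings.append(("missing", ip, None, want))
        elif seen != want:
            findings.append(("mismatch", ip, seen, want))
    by_mac = defaultdict(list)
    for ip, mac in arp_table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, tuple(sorted(ips)), None))
    return findings


if __name__ == "__main__":
    for finding in check_arp(parse_show_arp(SAMPLE_SHOW_ARP), KNOWN_MACS):
        print(finding)
```

Run as a script it prints the findings for the constructed table. A single "mismatch" can be innocent (a replaced NIC, a stale entry after a DHCP address moved to another host); one MAC answering for several IPs, above all for the gateway's IP, is the stronger poisoning signal, and the MAC it names is the one to trace through the switches' MAC address tables.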
Steven B
07-16-2007
On Jul 11, 12:50 pm, "J.Cottingim" <(E-Mail Removed)> wrote:
> > I then began thinking that this was an ARP problem and I have twice so
> > far gone in and done a "clear arp" on the ASA when I have users with
> > this problem and this fixes the problem too...

>
> When you are experiencing the problem, before clearing the ARP cache
> on the ASA, check to see the ARP entry for the client machine (the one
> with the problem) matches the actual MAC.
> If it matches, check the ARP entry for the next-hop router.
> If that matches as well, you are not looking at an ARP poisoning
> problem.
> If they do not match, track down the offending MAC on the switched
> network.
>
> Also, do all of your VLANs use the ASA as a default gateway, or do you
> have a router there. - It would help to know the topology of the
> network in question.
>
> Thanks
> JC


No, none of the VLANs use the ASA as the default gateway. They all use
a 4006 which has different IP addresses assigned to the different
VLANs. I will take a look at the ARP entries the next time this
happens (most likely tomorrow) and see what is up...

 
 
Arthur Brain
07-16-2007

Steven B wrote:
> On Jul 11, 12:50 pm, "J.Cottingim" <(E-Mail Removed)> wrote:
> > > I then began thinking that this was an ARP problem and I have twice so
> > > far gone in and done a "clear arp" on the ASA when I have users with
> > > this problem and this fixes the problem too...

> >
> > When you are experiencing the problem, before clearing the ARP cache
> > on the ASA, check to see the ARP entry for the client machine (the one
> > with the problem) matches the actual MAC.
> > If it matches, check the ARP entry for the next-hop router.
> > If that matches as well, you are not looking at an ARP poisoning
> > problem.
> > If they do not match, track down the offending MAC on the switched
> > network.
> >
> > Also, do all of your VLANs use the ASA as a default gateway, or do you
> > have a router there. - It would help to know the topology of the
> > network in question.
> >
> > Thanks
> > JC

>
> No, none of the VLANs use the ASA as the default gateway. They all use
> a 4006 which has different IP addresses assigned to the different
> VLANs. I will take a look at the ARP entries the next time this
> happens (most likely tomorrow) and see what is up...


On the non-working clients, do the acquired DHCP details match the
details from the scope on the DHCP server? Especially the subnet mask?

Just wondering if you have a second DHCP service somewhere handing out
its own DHCP scopes.

 
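One way to run the comparison suggested in the post above (the lease the client actually acquired versus the scope it should have come from, with a second DHCP service as the thing to catch), as an added Python example that is not part of the thread. The "ipconfig /all" excerpt, the per-VLAN scope table and the server addresses are all constructed for the illustration; the field labels follow the Windows output format.

```python
"""Check a client's DHCP lease against the expected per-VLAN scope.

Added example; constructed sample data only. The 'ipconfig /all' excerpt and the
scope table are invented for this illustration and are not from the thread.
"""
import ipaddress
import re

# One expected scope per VLAN (constructed). The authorised DHCP server is trunked
# into every VLAN and answers from a per-VLAN address, so each scope lists the
# address clients on that VLAN should see in the 'DHCP Server' field.
EXPECTED_SCOPES = [
    {"vlan": 10, "network": "10.1.10.0/24", "gateway": "10.1.10.1", "dhcp_servers": {"10.1.10.5"}},
    {"vlan": 20, "network": "10.1.20.0/24", "gateway": "10.1.20.1", "dhcp_servers": {"10.1.20.5"}},
]

# Windows 'ipconfig /all' excerpt (constructed). The mask and the DHCP server
# disagree with the VLAN 10 scope, which is what a lease handed out by a second,
# unauthorised DHCP service would look like.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Physical Address. . . . . . . . . : 00-11-22-33-00-77
   IPv4 Address. . . . . . . . . . . : 10.1.10.77(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.1.10.1
   DHCP Server . . . . . . . . . . . : 10.1.10.200
"""

# 'Label . . . . : value' lines; the label may contain spaces, the dots are padding.
FIELD = re.compile(r"^\s*(?P<label>[A-Za-z0-9][A-Za-z0-9 ]*?)[ .]*:\s*(?P<value>.*)$")

FIELD_MAP = {
    "Physical Address": "mac",
    "IPv4 Address": "ip",
    "Subnet Mask": "mask",
    "Default Gateway": "gateway",
    "DHCP Server": "dhcp_server",
}


def parse_ipconfig(text: str) -> dict:
    """Pull the lease fields out of an 'ipconfig /all' adapter section."""
    lease = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key = FIELD_MAP.get(m.group("label"))
        if key:
            # Windows appends '(Preferred)' / '(Duplicate)' to addresses; drop it.
            lease[key] = re.sub(r"\(.*?\)", "", m.group("value")).strip()
    return lease


def validate_lease(lease: dict, scopes: list) -> list:
    """Return (finding, observed, expected) tuples; an empty list means the lease matches its scope."""
    ip = ipaddress.ip_address(lease["ip"])
    scope = next((s for s in scopes if ip in ipaddress.ip_network(s["network"])), None)
    if scope is None:
        return [("ip_outside_all_scopes", lease["ip"], [s["network"] for s in scopes])]
    findings = []
    expected_mask = str(ipaddress.ip_network(scope["network"]).netmask)
    if lease.get("mask") != expected_mask:
        findings.append(("subnet_mask_mismatch", lease.get("mask"), expected_mask))
    if lease.get("gateway") != scope["gateway"]:
        findings.append(("gateway_mismatch", lease.get("gateway"), scope["gateway"]))
    if lease.get("dhcp_server") not in scope["dhcp_servers"]:
        findings.append(("unauthorised_dhcp_server", lease.get("dhcp_server"), sorted(scope["dhcp_servers"])))
    return findings


if __name__ == "__main__":
    lease = parse_ipconfig(SAMPLE_IPCONFIG)
    for finding in validate_lease(lease, EXPECTED_SCOPES):
        print(finding)
```

The "DHCP Server" field is the decisive one: a lease whose server address is not one the authorised server uses on that VLAN came from somewhere else, whatever the rest of the lease looks like. A wrong mask on an otherwise plausible lease is the quieter symptom, since the client can still reach hosts it believes are local and only fails once traffic has to be routed.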
Steven B
07-16-2007
On Jul 15, 10:03 pm, Arthur Brain <(E-Mail Removed)> wrote:
> Steven B wrote:
> > On Jul 11, 12:50 pm, "J.Cottingim" <(E-Mail Removed)> wrote:
> > > > I then began thinking that this was an ARP problem and I have twice so
> > > > far gone in and done a "clear arp" on the ASA when I have users with
> > > > this problem and this fixes the problem too...

>
> > > When you are experiencing the problem, before clearing the ARP cache
> > > on the ASA, check to see the ARP entry for the client machine (the one
> > > with the problem) matches the actual MAC.
> > > If it matches, check the ARP entry for the next-hop router.
> > > If that matches as well, you are not looking at an ARP poisoning
> > > problem.
> > > If they do not match, track down the offending MAC on the switched
> > > network.

>
> > > Also, do all of your VLANs use the ASA as a default gateway, or do you
> > > have a router there. - It would help to know the topology of the
> > > network in question.

>
> > > Thanks
> > > JC

>
> > No, none of the VLANs use the ASA as the default gateway. They all use
> > a 4006 which has different IP addresses assigned to the different
> > VLANs. I will take a look at the ARP entries the next time this
> > happens (most likely tomorrow) and see what is up...

>
> On the non-working clients, do the acquired DHCP details match the
> details from the scope on the DHCP server? especially subnet mask?
>
> Just wondering if you have a second DHCP service somewhere handing out
> its own DHCP scopes.


No, the only DHCP server is the one trunked into all of the VLANs.
When I do an ipconfig /release and ipconfig /renew it pulls the same
address (which is not unusual) with all the correct information. If I
exclude the address from the scope and have the machine pull a new one
it does, and this generally fixes the problem...

 