ARP Poisoning?

Discussion in 'Cisco' started by Steven B, Jul 11, 2007.

  1. Steven B

    Steven B Guest

    OK, I have a very strange problem that I will attempt to outline.
    Here is the situation:

    I have a DHCP server that exists on about 10 inside VLANs. It is
    trunked into all VLANs that it services with different scopes assigned
    for each VLAN.

    What is happening is every day a few users (there is no pattern) will
    complain of not being able to get to internet or email. They can ping
    everything on their VLAN and even things on other internal VLANs. The
    problem is getting across the ASA (it is a 5540). The Exchange server
    sits in the DMZ and obviously the internet is on the outside.

    To fix this I was originally finding out what address was assigned to
    the node, excluding it from the scope, and having the node pull a new
    address. This worked but I do not want to have to keep doing this. I
    then began thinking that this was an ARP problem and I have twice so
    far gone in and done a "clear arp" on the ASA when I have users with
    this problem and this fixes the problem too...

    Any ideas on this one?
     
    Steven B, Jul 11, 2007
    #1

  2. J.Cottingim

    J.Cottingim Guest

    > I then began thinking that this was an ARP problem and I have twice so
    > far gone in and done a "clear arp" on the ASA when I have users with
    > this problem and this fixes the problem too...
    >


    When you are experiencing the problem, before clearing the ARP cache
    on the ASA, check to see the ARP entry for the client machine (the one
    with the problem) matches the actual MAC.
    If it matches, check the ARP entry for the next-hop router.
    If that matches as well, you are not looking at an ARP poisoning
    problem.
    If they do not match, track down the offending MAC on the switched
    network.

    Also, do all of your VLANs use the ASA as a default gateway, or do you
    have a router there? It would help to know the topology of the
    network in question.

    Thanks
    JC
     
    J.Cottingim, Jul 11, 2007
    #2
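The comparison JC describes (ASA ARP entry for the client versus the real MAC, then the same for the next-hop router) is easy to do by hand for one host, but when a few users a day are affected it is worth scripting. The following is an added example, not code from the thread: it parses the `show arp` output of an ASA into a table, compares each entry against a reference MAC list, and also flags one MAC answering for several IPs, which is what a poisoned gateway entry looks like from the firewall. The `show arp` text, the reference MAC table and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of ASA "show arp" output (not from the thread). Each line
# is interface, IP address, MAC in Cisco dotted format, and age in seconds.
SHOW_ARP_SAMPLE = """\
        inside 10.10.20.1 0011.2233.4455 45
        inside 10.10.20.57 001a.2b3c.4d5e 120
        inside 10.10.20.88 001a.2b3c.4d5e 3
        dmz 172.16.5.10 0050.56aa.bb01 600
"""

# Constructed reference: the MAC each address should resolve to. In a real
# network this comes from the access switches (show mac address-table) or
# from the DHCP server's lease records, not from the ASA itself.
EXPECTED_MACS = {
    "10.10.20.1": "00:11:22:33:44:55",   # next-hop router interface on the VLAN
    "10.10.20.57": "00:1a:2b:3c:4d:5e",  # a known-good workstation
    "10.10.20.88": "00:aa:bb:cc:dd:ee",  # the complaining client
    "172.16.5.10": "00:50:56:aa:bb:01",  # mail server in the DMZ
}
GATEWAY_IP = "10.10.20.1"  # assumed next-hop for the inside VLAN

ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\d+)\s*$"
)


def normalize_mac(cisco_mac):
    """Convert 'aabb.ccdd.eeff' into 'aa:bb:cc:dd:ee:ff' for comparison."""
    digits = cisco_mac.replace(".", "").lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {cisco_mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_show_arp(text):
    """Turn 'show arp' text into a list of dicts; lines that do not look like
    ARP entries (headers, blank lines) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac, age = m.groups()
            entries.append({"iface": iface, "ip": ip,
                            "mac": normalize_mac(mac), "age": int(age)})
    return entries


def check_arp_table(entries, expected, gateway_ip):
    """Report entries that disagree with the reference MAC (the gateway is
    called out separately, since that is the entry that matters for traffic
    leaving the VLAN) and any MAC that is claiming more than one IP."""
    findings = []
    for e in entries:
        want = expected.get(e["ip"])
        if want is None:
            findings.append(("unknown-host", e["ip"], e["mac"], None))
        elif want != e["mac"]:
            kind = "gateway-mismatch" if e["ip"] == gateway_ip else "mac-mismatch"
            findings.append((kind, e["ip"], e["mac"], want))
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", mac, sorted(ips), None))
    return findings


if __name__ == "__main__":
    table = parse_show_arp(SHOW_ARP_SAMPLE)
    for finding in check_arp_table(table, EXPECTED_MACS, GATEWAY_IP):
        print(*finding)
```

On the constructed sample the client at 10.10.20.88 is reported twice: its ASA entry carries the MAC of another workstation, and that MAC is also listed as sharing two addresses. A shared MAC is not proof by itself (a router interface that owns several addresses on one VLAN legitimately shows that way), so a finding is the lead JC's last step asks for: take the MAC to the switches and find the port it lives on.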

  3. Steven B

    Steven B Guest

    On Jul 11, 12:50 pm, "J.Cottingim" <> wrote:
    > > I then began thinking that this was an ARP problem and I have twice so
    > > far gone in and done a "clear arp" on the ASA when I have users with
    > > this problem and this fixes the problem too...

    >
    > When you are experiencing the problem, before clearing the ARP cache
    > on the ASA, check to see the ARP entry for the client machine (the one
    > with the problem) matches the actual MAC.
    > If it matches, check the ARP entry for the next-hop router.
    > If that matches as well, you are not looking at an ARP poisoning
    > problem.
    > If they do not match, track down the offending MAC on the switched
    > network.
    >
    > Also, do all of your VLANs use the ASA as a default gateway, or do you
    > have a router there? It would help to know the topology of the
    > network in question.
    >
    > Thanks
    > JC


    No, none of the VLANs use the ASA as the default gateway. They all use
    a 4006 which has different IP addresses assigned to the different
    VLANs. I will take a look at the ARP entries the next time this
    happens (most likely tomorrow) and see what is up...
     
    Steven B, Jul 16, 2007
    #3
  4. Arthur Brain

    Arthur Brain Guest

    Steven B wrote:
    > On Jul 11, 12:50 pm, "J.Cottingim" <> wrote:
    > > > I then began thinking that this was an ARP problem and I have twice so
    > > > far gone in and done a "clear arp" on the ASA when I have users with
    > > > this problem and this fixes the problem too...

    > >
    > > When you are experiencing the problem, before clearing the ARP cache
    > > on the ASA, check to see the ARP entry for the client machine (the one
    > > with the problem) matches the actual MAC.
    > > If it matches, check the ARP entry for the next-hop router.
    > > If that matches as well, you are not looking at an ARP poisoning
    > > problem.
    > > If they do not match, track down the offending MAC on the switched
    > > network.
    > >
    > > Also, do all of your VLANs use the ASA as a default gateway, or do you
    > > have a router there? It would help to know the topology of the
    > > network in question.
    > >
    > > Thanks
    > > JC

    >
    > No, none of the VLANs use the ASA as the default gateway. They all use
    > a 4006 which has different IP addresses assigned to the different
    > VLANs. I will take a look at the ARP entries the next time this
    > happens (most likely tomorrow) and see what is up...


    On the non-working clients, do the acquired DHCP details match the
    details from the scope on the DHCP server? Especially the subnet mask?

    Just wondering if you have a second DHCP service somewhere handing out
    its own DHCP scopes.
     
    Arthur Brain, Jul 16, 2007
    #4
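Arthur's check is the other half of the diagnosis: if the lease a client actually holds does not match the scope its VLAN should get, something other than the intended server answered. The following is an added example, not code from the thread: given a table of the authorized scopes and the details read off `ipconfig /all` on each affected PC, it reports every way a lease disagrees with its scope, including a lease served by an unexpected DHCP server identifier. The server address, scope table and client reports are constructed for the example.

```python
import ipaddress

# Constructed reference data (assumptions, not from the thread): the single
# authorized DHCP server and the scope it serves on each VLAN.
AUTHORIZED_DHCP_SERVER = "10.10.1.5"
SCOPES = {
    "VLAN20": {"network": "10.10.20.0/24", "gateway": "10.10.20.1"},
    "VLAN30": {"network": "10.10.30.0/24", "gateway": "10.10.30.1"},
}

# Constructed client reports, as read off "ipconfig /all" on each affected
# machine; the VLAN is taken from the switch port the PC is plugged into.
CLIENT_LEASES = [
    {"host": "pc-ok", "vlan": "VLAN20", "ip": "10.10.20.57",
     "mask": "255.255.255.0", "gateway": "10.10.20.1", "dhcp_server": "10.10.1.5"},
    {"host": "pc-badmask", "vlan": "VLAN20", "ip": "10.10.20.88",
     "mask": "255.255.0.0", "gateway": "10.10.20.1", "dhcp_server": "10.10.1.5"},
    {"host": "pc-rogue", "vlan": "VLAN30", "ip": "192.168.1.23",
     "mask": "255.255.255.0", "gateway": "192.168.1.1", "dhcp_server": "192.168.1.1"},
]


def check_lease(lease, scopes, authorized_server):
    """Return the list of ways this client's lease disagrees with the scope it
    should have received; an empty list means the lease is consistent."""
    problems = []
    scope = scopes[lease["vlan"]]
    net = ipaddress.ip_network(scope["network"])

    # DHCP option 54 (server identifier): a lease from any other address means
    # a second DHCP service answered the client first on that VLAN.
    if lease["dhcp_server"] != authorized_server:
        problems.append(f"served by {lease['dhcp_server']}, not {authorized_server}")
    if ipaddress.ip_address(lease["ip"]) not in net:
        problems.append(f"address {lease['ip']} is outside scope {net}")
    # A mask wider than the scope's makes the client treat other subnets as
    # on-link, so it ARPs for them instead of sending them to the gateway.
    if lease["mask"] != str(net.netmask):
        problems.append(f"mask {lease['mask']} differs from scope mask {net.netmask}")
    if lease["gateway"] != scope["gateway"]:
        problems.append(f"gateway {lease['gateway']} differs from scope gateway {scope['gateway']}")
    return problems


def audit_leases(leases, scopes, authorized_server):
    """Map host name -> list of problems for every reported lease."""
    return {lease["host"]: check_lease(lease, scopes, authorized_server)
            for lease in leases}


if __name__ == "__main__":
    report = audit_leases(CLIENT_LEASES, SCOPES, AUTHORIZED_DHCP_SERVER)
    for host, problems in report.items():
        print(host, "OK" if not problems else "; ".join(problems))
```

In the constructed data `pc-badmask` holds an address from the right scope but with a /16 mask, which is the case Arthur singles out: the client still pings its own VLAN but mishandles anything it now believes is local. `pc-rogue` is the second-DHCP-service case: wrong server identifier, wrong subnet, wrong gateway. A clean report for the affected PCs, as Steven later describes, points back at the ARP side rather than at DHCP.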
  6. Steven B

    Steven B Guest

    On Jul 15, 10:03 pm, Arthur Brain <> wrote:
    > Steven B wrote:
    > > On Jul 11, 12:50 pm, "J.Cottingim" <> wrote:
    > > > > I then began thinking that this was an ARP problem and I have twice so
    > > > > far gone in and done a "clear arp" on the ASA when I have users with
    > > > > this problem and this fixes the problem too...

    >
    > > > When you are experiencing the problem, before clearing the ARP cache
    > > > on the ASA, check to see the ARP entry for the client machine (the one
    > > > with the problem) matches the actual MAC.
    > > > If it matches, check the ARP entry for the next-hop router.
    > > > If that matches as well, you are not looking at an ARP poisoning
    > > > problem.
    > > > If they do not match, track down the offending MAC on the switched
    > > > network.

    >
    > > > Also, do all of your VLANs use the ASA as a default gateway, or do you
    > > > have a router there? It would help to know the topology of the
    > > > network in question.

    >
    > > > Thanks
    > > > JC

    >
    > > No, none of the VLANs use the ASA as the default gateway. They all use
    > > a 4006 which has different IP addresses assigned to the different
    > > VLANs. I will take a look at the ARP entries the next time this
    > > happens (most likely tomorrow) and see what is up...

    >
    > On the non-working clients, do the acquired DHCP details match the
    > details from the scope on the DHCP server? Especially the subnet mask?
    >
    > Just wondering if you have a second DHCP service somewhere handing out
    > its own DHCP scopes.


    No, the only DHCP server is the one trunked into all of the VLANs.
    When I do an ipconfig /release and ipconfig /renew it pulls the same address
    (which is not unusual) with all the correct information. If I exclude
    the address from the scope and have the machine pull a new one it does
    and this generally fixes the problem...
     
    Steven B, Jul 16, 2007
    #6
