ARP Request Collisions on PIX-501 firewall

Discussion in 'Cisco' started by Andrew Dancy, May 28, 2004.

  1. Andrew Dancy

    Andrew Dancy Guest

    I'm fairly new to this whole PIX malarkey and I've got an error
    popping up in our logs every few minutes that's got me bemused.

    We have a Cisco PIX-501 firewall protecting a webserver in a colo
    centre here in the UK. About every minute or so, we're getting errors
    like this in the logs (IP masked for privacy - it's the external IP of
    our PIX):

    05-28-2004 17:46:33 Local4.Warning 192.168.1.1 May 28 2004 16:39:06
    lovweb-firewall : %PIX-4-405001: Received ARP request collision from
    217.204.9.***/00d0.b720.822d on interface outside
    05-28-2004 17:45:26 Local4.Warning 192.168.1.1 May 28 2004 16:37:59
    lovweb-firewall : %PIX-4-405001: Received ARP request collision from
    217.204.9.***/0004.76f3.1269 on interface outside

    I have been able to determine that the two MAC addresses that always
    feature in these messages are the two NICs in the primary nameserver
    run by our upstream bandwidth provider. However, they have no idea why
    these messages are appearing or how to stop them.

    It's not a critical problem, as I can just raise the logging level on
    the PIX to suppress the messages. I would like to know what's causing
    them, however, and if there's anything I need to do to fix it.

    Any ideas?

    Regards,

    Andrew Dancy
    Lovetts plc
     
    Andrew Dancy, May 28, 2004
    #1

  2. In article <>,
    Andrew Dancy <> wrote:
    :We have a Cisco PIX-501 firewall protecting a webserver in a colo
    :centre here in the UK. About every minute or so, we're getting errors
    :like this in the logs (IP masked for privacy - it's the external IP of
    :our PIX):

    :05-28-2004 17:46:33 Local4.Warning 192.168.1.1 May 28 2004 16:39:06
    :lovweb-firewall : %PIX-4-405001: Received ARP request collision from
    :217.204.9.***/00d0.b720.822d on interface outside
    :05-28-2004 17:45:26 Local4.Warning 192.168.1.1 May 28 2004 16:37:59
    :lovweb-firewall : %PIX-4-405001: Received ARP request collision from
    :217.204.9.***/0004.76f3.1269 on interface outside

    :I have been able to determine that the two MAC addresses that always
    :feature in these messages are the two NICs in the primary nameserver
    :run by our upstream bandwidth provider. However, they have no idea why
    :these messages are appearing or how to stop them.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#42300

    Explanation The firewall received an ARP packet, and the MAC
    address in the packet differs from the ARP cache entry.

    Recommended Action This traffic might be legitimate, or it
    might indicate that an ARP poisoning attack is in progress.
    Check the source MAC address to determine where the packets are
    coming from and check to see if it belongs to a valid host.


    In other words your DNS server is not always using the same MAC
    address for the same IP. That probably means it's configured as
    a cluster or failover system, but is incorrectly configured.
    Systems that run multiple NICs with the same IP should always use the
    same MAC for the IP in what they send out -- if they need to
    distinguish the devices, then they should be doing so at a piece
    of load-balancing hardware that should be between you and them, hiding
    all the details from you.
    --
    Will you ask your master if he wants to join my court at Camelot?!
     
    Walter Roberson, May 28, 2004
    #2
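The Cisco explanation quoted above says the 405001 message fires whenever an ARP packet carries a MAC that differs from the cache entry for that IP, and the recommended action is to check whether the source MAC belongs to a valid host. The following is an added example, not code from the thread or from Cisco: it parses syslog lines in the format Andrew pasted, tallies which MACs each IP has been seen with on each interface, and separates the explained case (an IP whose MACs are all in a documented set, like the upstream nameserver's two NICs) from anything else, which is what a defender would want to look at for possible ARP poisoning. The sample log lines and the `KNOWN_MULTI_MAC` allowlist are constructed for the example; the thread masks the real IP, so 203.0.113.0/24 documentation addresses stand in for it, while the two MAC addresses are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Message body format as it appears in the thread's log excerpt:
#   "%PIX-4-405001: Received ARP request collision from <ip>/<mac> on interface <iface>"
ARP_COLLISION_RE = re.compile(
    r"%PIX-4-405001: Received ARP request collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample log (not captured from a real device). The nameserver IP
# is a placeholder from the documentation range; the MACs are the two quoted
# in the thread. One unrelated PIX message and one IP/MAC pair that is NOT in
# the allowlist are included to show how each is handled.
SAMPLE_LOG = """\
05-28-2004 17:45:26 Local4.Warning 192.168.1.1 May 28 2004 16:37:59 lovweb-firewall : %PIX-4-405001: Received ARP request collision from 203.0.113.53/0004.76f3.1269 on interface outside
05-28-2004 17:46:33 Local4.Warning 192.168.1.1 May 28 2004 16:39:06 lovweb-firewall : %PIX-4-405001: Received ARP request collision from 203.0.113.53/00d0.b720.822d on interface outside
05-28-2004 17:47:10 Local4.Info 192.168.1.1 May 28 2004 16:39:43 lovweb-firewall : %PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51234 (203.0.113.9/51234) to inside:10.0.0.5/80 (203.0.113.20/80)
05-28-2004 17:47:41 Local4.Warning 192.168.1.1 May 28 2004 16:40:14 lovweb-firewall : %PIX-4-405001: Received ARP request collision from 203.0.113.53/00d0.b720.822d on interface outside
05-28-2004 17:48:02 Local4.Warning 192.168.1.1 May 28 2004 16:40:35 lovweb-firewall : %PIX-4-405001: Received ARP request collision from 203.0.113.1/0011.2233.4455 on interface outside
"""

# Constructed allowlist: (interface, ip) -> MACs documented as legitimately
# answering for that IP. Here it models the upstream nameserver with two NICs.
KNOWN_MULTI_MAC = {
    ("outside", "203.0.113.53"): {"0004.76f3.1269", "00d0.b720.822d"},
}


def parse_arp_collisions(log_text):
    """Return a list of (iface, ip, mac) tuples, one per 405001 message.

    Lines that are not ARP collision messages are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = ARP_COLLISION_RE.search(line)
        if m:
            events.append((m.group("iface"), m.group("ip"), m.group("mac").lower()))
    return events


def summarize(events):
    """Count how many collision messages each (iface, ip) produced per MAC."""
    counts = defaultdict(lambda: defaultdict(int))
    for iface, ip, mac in events:
        counts[(iface, ip)][mac] += 1
    return {key: dict(macs) for key, macs in counts.items()}


def classify(summary, known_multi_mac):
    """Split the summary into explained and unexplained collisions.

    Explained: every MAC seen for the IP is in its documented set (the noisy
    but legitimate nameserver case from the thread). Unexplained: a MAC outside
    the documented set, or an IP with no documented set at all; this is the
    case Cisco's recommended action refers to, so it is what to investigate.
    """
    explained, unexplained = {}, {}
    for key, macs in summary.items():
        allowed = known_multi_mac.get(key, set())
        if allowed and set(macs) <= allowed:
            explained[key] = macs
        else:
            unexplained[key] = macs
    return explained, unexplained


if __name__ == "__main__":
    summary = summarize(parse_arp_collisions(SAMPLE_LOG))
    explained, unexplained = classify(summary, KNOWN_MULTI_MAC)
    for (iface, ip), macs in explained.items():
        print(f"explained   {iface} {ip}: {macs}")
    for (iface, ip), macs in unexplained.items():
        print(f"INVESTIGATE {iface} {ip}: {macs}")
```

Run against a syslog export instead of `SAMPLE_LOG` to get the same split over real data. The point of the allowlist is that raising the logging level, as Andrew considered, hides every 405001 message including the ones that are not explained by the nameserver's two NICs; filtering on a documented (interface, IP, MAC-set) tuple keeps the noise out without losing the signal.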

  3. kawad

    Hi
    Not sure about PIX's as I have never used them, but I have 2 FWSM's that I have been using in a failover config. I started getting the error when the failover stopped working and they started behaving independently of each other. As they share an identical config more or less... the same interface with the same config and same mac address was being passed through the network from 2 different sources.
     
    kawad, Jun 13, 2007
    #3
