HELP WITH CISCO 2611 ARP

Hello,

I have a Cisco 2611 that has a problem connecting to the firewall. The router and firewall are on the same subnet, and for some reason you can't ping the firewall from the router and you can't ping the router from the firewall. After a couple of hours messing with the router, I found out that if you clear the ARP it works fine; however, after a couple of minutes it goes back to no connections. All other devices on the network where the router is located are accessible at all times, except for the firewall, which in order to access I need to clear the ARP every 2 or 3 minutes. Any advice or help???

Thanks in advance for all your help, and happy holidays.

Reply to
Igor Pinchevskiy

Igor,

Proxy ARP refers to a gateway device, in this case, the PIX Firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

By default, the PIX responds to Address Resolution Protocol (ARP) requests directed at the PIX interface IP addresses as well as to ARP requests for any static or global address defined on the PIX interface (which are proxy ARP requests).

The PIX builds a table from responses to ARP requests to map physical addresses to IP addresses.

A periodic ARP function is enabled in the default configuration.

The presence of entries in the ARP cache indicates that the PIX has network connectivity.

The show arp command lists the entries in the ARP table.

Usually, administrators do not need to manually manipulate ARP entries on the PIX.

This is done only when troubleshooting or solving network connectivity problems.

The sysopt noproxyarp if_name command allows you to disable proxy ARP request responses on a PIX interface.

However, this command does not disable non-proxy ARP requests on the PIX interface itself.

Consequently, if you issue the sysopt noproxyarp if_name command, the PIX no longer responds to ARP requests for the addresses in the static, global and nat 0 commands for that interface, but it does respond to ARP requests for its interface IP addresses.

Sincerely,

Brad Reese

Reply to
www.BradReese.Com

I had a problem recently with a device that had an incorrect subnet mask and was publishing proxy arp, much headaches :)

When you are in a state where the PIX won't ping, show arp and find out what mac addy the PIX is showing from the router. Then clear arp and ping again, then see if the mac addy is the same. If you see that the mac's are different you may have found your problem device.

If you have Cisco switches, log into the core and follow the mac from 'show mac-add'

Happy hunting!

-Wil

Reply to
Wil Schultz

Hello Guys,

Thanks for your resp

> I had a problem recently with a device that had an incorrect subnet mask

Reply to
Igor Pinchevskiy

Igor,

You may also wish to investigate the NETGEAR Forums:

Sincerely,

Brad Reese Cisco Technical Forums

Reply to
www.BradReese.Com

When you use the "clear arp" command on a Cisco router, the router actually re-ARPs for all entries that are in the ARP table, so in essence you are just refreshing the ARP cache. Clearly, if there was an ARP entry that did not respond, you would see an incomplete in the ARP table briefly and then the incomplete would be deleted.

Can you post the output of:

a) show run
b) show version
c) turn on debug arp, debug icmp
d) make sure logging buffer is enabled
e) clear the arp cache
f) ping the router's IP address facing the firewall from the router
g) ping the firewall's IP address
h) show arp

Reply to
Merv

Hello Merv,

Thanks for the reply, here is the info you asked for:

CORP2#show run
Building configuration...

Current configuration : 790 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CORP2
!
enable secret 5 $1$EDuu$r.fjbiCbSabnjwqbFWnKN1
enable password 4123mka
!
ip subnet-zero
!
!
!
!
!
!
interface Ethernet0/0
 ip address 10.3.0.2 255.255.0.0
 half-duplex
 arp timeout 0
!
interface Serial0/0
 ip address 192.168.1.100 255.255.255.0
!
interface Serial0/1
 ip address 192.168.1.110 255.255.255.0
 encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.3.0.251
ip route 10.1.0.0 255.255.0.0 10.3.0.1
ip route 10.2.0.0 255.255.0.0 10.3.0.1
ip route 10.4.0.0 255.255.0.0 10.3.0.1
ip route 10.5.0.0 255.255.0.0 Serial0/0
ip route 10.6.0.0 255.255.0.0 Serial0/1
no ip http server
!
!
line con 0
line aux 0
line vty 0 4
 password 4123mka
 login
!
end

CORP2#

CORP2#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(26), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Sat 31-Jul-04 04:57 by eaarmas
Image text-base: 0x8000808C, data-base: 0x80A1E540

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

CORP2 uptime is 6 days, 20 hours, 35 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.122-26.bin"

cisco 2610 (MPC860) processor (revision 0x203) with 28672K/4096K bytes of memory.
Processor board ID JAD05060ZK0 (1117921095)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.

1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

CORP2#

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.251, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
CORP2#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.0.10                1  0000.8536.dca9  ARPA   Ethernet0/0
Internet  10.3.0.1                 1  0005.3281.da20  ARPA   Ethernet0/0
Internet  10.3.0.2                 -  0005.322b.e7c0  ARPA   Ethernet0/0
Internet  10.3.1.125               0  00c0.9f22.e70d  ARPA   Ethernet0/0
Internet  10.3.0.199               0  00b0.d0d1.3fd6  ARPA   Ethernet0/0
Internet  10.3.0.198               0  0011.43e0.590d  ARPA   Ethernet0/0
Internet  10.3.0.251               1  0018.4d1c.8f73  ARPA   Ethernet0/0
Internet  10.3.0.252               1  0013.724c.7ee4  ARPA   Ethernet0/0
Internet  10.3.0.254               0  0013.724c.7ee5  ARPA   Ethernet0/0
CORP2#

Hope this helps.

PS, I also tried messing with the arp timeout from 0 to 60 seconds which had no effect as well as adding a static arp entry, which didn't do anything either.

Any advice greatly appreciated!!! Thanks, Igor

Reply to
Igor Pinchevskiy

Igor,

You may wish to investigate:

The Address Resolution Protocol (ARP) Issue

as well as

Configuring Address Resolution Methods

Sincerely,

Brad Reese Cisco Resumes

Reply to
www.BradReese.Com

  1. Looks like you have another Cisco router @ 10.3.0.1, please confirm. If so, post its config (show run).
  2. What is the switch make and model that the devices on 10.3.0.0/16 are connected to? Is it a Cisco switch?
  3. Configure logging buffer on both of your routers:

config t
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
logging buffer 1000 debugging
no logging console
end

wri mem

clear logging
show logging

  4. Capture and post the output of debug arp:

debug arp

ping 10.3.0.251

show logging

  5. What is the model of the Netgear firewall and software/firmware version?

Reply to
Merv

BTW what changed in your network that started this problem to occur?

Reply to
Merv

For debugging enable debugs for both ARP and ICMP

debug arp

debug icmp

ping 10.3.0.251

show logging

Leave the debugs in place until the loss of connectivity occurs, then again display the logging buffer

show logging

Post results

Reply to
Merv

post the output of show ip traffic

Reply to
Merv

Hello Guys,

Thanks for all of your support.

The 10.3.0.1 is a router and here is its config:

Hollywood#sh run
Building configuration...

Current configuration : 1761 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Hollywood
!
logging rate-limit console 10 except errors
enable secret 5 $1$DpTE$U8MM8Ns6OpERjiS.B8p8f.
enable password 09sam
!
ip subnet-zero
!
!
no ip finger
!
ip dhcp pool hollywood
 network 10.3.0.0 255.255.0.0
 default-router 10.3.0.1
 dns-server 10.3.0.198
 netbios-name-server 10.3.0.252
 domain-name goldsgymla.com
 lease 0 8
!
ip audit notify log
ip audit po max-events 100
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 10.3.0.1 255.255.0.0
 ip nat inside
 half-duplex
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
 encapsulation ppp
!
interface Ethernet0/1
 ip address 64.174.223.74 255.255.255.252
 ip nat outside
 shutdown
 half-duplex
!
interface Serial0/1
 ip address 192.168.1.5 255.255.255.252
 encapsulation ppp
!
interface Serial0/2
 ip address 192.168.1.9 255.255.255.252
 encapsulation ppp
 service-module t1 timeslots 1-24
!
ip nat inside source list 1 interface Ethernet0/1 overload
ip nat inside source static 10.3.0.254 64.174.223.75
ip classless
ip route 0.0.0.0 0.0.0.0 10.3.0.251
ip route 10.1.0.0 255.255.0.0 Serial0/1
ip route 10.2.0.0 255.255.0.0 Serial0/0
ip route 10.4.0.0 255.255.0.0 Serial0/2
ip route 10.5.0.0 255.255.0.0 10.3.0.2
ip route 10.6.0.0 255.255.0.0 10.3.0.2
ip route 192.168.1.110 255.255.255.255 10.3.0.2
ip route 192.168.1.111 255.255.255.255 10.3.0.2
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
!
dial-peer cor custom
!
!
!
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 09sam
 login
!
no scheduler allocate
end

Hollywood#
Hollywood#

Also, for some reason my router doesn't recognize DEBUG ICMP. I tried debug ? and there is no ICMP option. Here's the logging output:

CORP2#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 19 message lines logged
CORP2#

FYI this output is after I have cleared arp from the router, otherwise I can't get online. It's very weird why it's doing this. It started doing this after we have installed a second serial T1 Card, since these are 2610 series routers and Cisco doesn't sell the Version 1 WIC cards anymore we had to get a refurb one, which wasn't working too well; it had about 7,000 interface resets. I removed it today hoping it would solve this problem, but no luck; still for some reason the connection to the firewall stops after a couple of minutes until you do CLEAR ARP. The second router has been working for years without any issues.

Hope this helps and provides more clues.

Thanks,
Igor

Reply to
Igor Pinchevskiy

Since you have an unused Ethernet interface on 10.3.0.1, you could try connecting 10.3.0.2 to that spare Ethernet interface.

Then all traffic to the firewall would be via 10.3.0.1, as it is able to communicate with your firewall with no issue.

I would suggest you change to some form of dynamic routing - even RIP would be better than using static routes.

Reply to
Merv

Hello Merv,

That's what I did, is I routed all

> since you have any unused ethernet interface on 10.3.0.1, you could try

Reply to
Igor Pinchevskiy

  1. What is the make and model of the firewall?
  2. What firmware/software version is running on the firewall?
  3. IMHO you should address the dynamic routing issue.

Reply to
Merv

Not that it is the cause of your ARP problem but you should exclude the router addresses from being assigned from the DHCP pool.

config t
ip dhcp excluded-address 10.3.0.1 10.3.0.2
end
wri mem

Reply to
Merv

Did you check the ARP table on the firewall as well? Both sides must agree. This very much sounds like something is configured with an incorrect subnet mask, probably 10.3.0.0/255.255.255.0, and is supplying proxy arp. Can you post the ARP table on the firewall and all routers and switches?

-wil

Reply to
Wil Schultz
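
The comparison Wil describes in his two posts (the MAC shown for the PIX before and after clear arp, and the ARP tables of both sides agreeing), as an added example that is not part of any post in this thread: a Python parser for IOS show arp output that reports changed IP-to-MAC bindings and MACs answering for several IPs. The WORKING rows are copied from the router output posted above; the FAILING capture, MAC 0200.0000.00aa and host 10.3.0.77 are constructed for illustration.

```python
import re

# One complete row of IOS "show arp": Internet <ip> <age> <mac> ARPA <interface>
ROW = re.compile(r"^Internet\s+(\d+(?:\.\d+){3})\s+\S+\s+"
                 r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+ARPA\s+\S+$", re.I)

def parse_show_arp(text):
    """Return {ip: mac}; headers, prompts and 'Incomplete' rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def changed_bindings(before, after):
    """IPs in both tables whose MAC differs: {ip: (mac_before, mac_after)}."""
    return {ip: (before[ip], after[ip])
            for ip in sorted(before.keys() & after.keys())
            if before[ip] != after[ip]}

def macs_with_many_ips(table):
    """MACs that answer for more than one IP, the usual proxy-ARP signature."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

# Rows copied from the router output posted in this thread (working state).
WORKING = """\
CORP2#show arp
Protocol  Address     Age (min)  Hardware Addr   Type  Interface
Internet  10.3.0.1            1  0005.3281.da20  ARPA  Ethernet0/0
Internet  10.3.0.251          1  0018.4d1c.8f73  ARPA  Ethernet0/0
"""
# Constructed failing-state capture: MAC 0200.0000.00aa and host 10.3.0.77
# are made up for illustration and do not come from the thread.
FAILING = """\
CORP2#show arp
Protocol  Address     Age (min)  Hardware Addr   Type  Interface
Internet  10.3.0.1            4  0005.3281.da20  ARPA  Ethernet0/0
Internet  10.3.0.77           2  0200.0000.00aa  ARPA  Ethernet0/0
Internet  10.3.0.251          3  0200.0000.00aa  ARPA  Ethernet0/0
"""

if __name__ == "__main__":
    bad, good = parse_show_arp(FAILING), parse_show_arp(WORKING)
    print("changed bindings:", changed_bindings(bad, good))
    print("MACs with several IPs:", macs_with_many_ips(bad))
```

The same two functions work on a capture taken from the firewall or the second router, so the "both sides must agree" check is a call to changed_bindings on the two devices' tables.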