gl_3n2k3
asked on
PIX 515e ARP collisions
In my SYSLog I am seeing a lot of events:
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000d.56b8.ed59 on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000d.56b8.ed57 on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000d.56b8.ed59 on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000d.56b8.ed57 on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000b.db92.1a1e on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000b.db92.1a1f on interface inside
--after looking at the packets I was able to determine that the MAC addresses are two servers using dual Nics (teamed for Load Balance). I have other servers with this same set up but I am not seeing events for those servers.
--According to Cisco: Explanation The firewall received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.
Those MAC addresses are valid hosts. Is this a configuration issue or anything to be concerned with? Thanks in advance.
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000d.56b8.ed59 on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000d.56b8.ed57 on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000d.56b8.ed59 on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000d.56b8.ed57 on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000b.db92.1a1e on interface inside
%PIX-4-405001: Received ARP request collision from 10.36.81.2/000b.db92.1a1f on interface inside
--after looking at the packets I was able to determine that the MAC addresses are two servers using dual Nics (teamed for Load Balance). I have other servers with this same set up but I am not seeing events for those servers.
--According to Cisco: Explanation The firewall received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.
Those MAC addresses are valid hosts. Is this a configuration issue or anything to be concerned with? Thanks in advance.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This is most likely caused by an incompatability between the NIC's and the switch that they are connected to in supporting the "teaming". If the Dell switch doesn't support PAgP, or doesn't support the same version as the software running the NIC's, you're going to have these kinds of issues. There may be little that you can do about it except change the switch they're connected to and possibly update your teaming software.
ASKER
I was able to resolve this issue. I removed the team on one server and the events stopped logging. I compared the drivers between servers not logging the event to the ones that do and found some minor revision version differences. I updated the drivers for the NICs and Control suite on the server stilll using NIC teaming and the events stop being logged. I also cleared the routing tables of all gateway entries because there appeared to be a bad entry. I For those of you that may be interested.
Broadcom NetXreme updated drivers for both NICs from Microsoft 2.91.0.0 to Broadcom 7.80.0.0
BASP Virtual adapter updated from 6.0.1.0 to 6.0.9.0
Control Suite updated from 6.03 to 7.6.7
The logs did not indicate any ARP collisions after this.
Thanks for the responses!
Broadcom NetXreme updated drivers for both NICs from Microsoft 2.91.0.0 to Broadcom 7.80.0.0
BASP Virtual adapter updated from 6.0.1.0 to 6.0.9.0
Control Suite updated from 6.03 to 7.6.7
The logs did not indicate any ARP collisions after this.
Thanks for the responses!
Good work!
How do you want to handle closing of this Question?
How do you want to handle closing of this Question?
ASKER
I am giving you the points even though there wasnt an exact "fix" offered. I posted my fix in case someone else encounters a similar issue. Your comment to investigate the NICs lead to the eventually resolution. Thanks!!
I have another PIX log the is occuring with great frequency and was going to post it to see if any other's had experienced this (should I start a new post?). I havent started to troubleshoot it yet and may not even be an issue.
%PIX-2-106001: Inbound TCP connection denied from {external IP}/80 to 111.211.111.211/18355 flags PSH ACK on interface outside 2004-10-05 15:44:59
%PIX-2-106001: Inbound TCP connection denied from {external IP}/80 to 111.211.111.211/18355 flags ACK on interface outside
Per Cisco Error Event description:
Explanation This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The TCP_flags in this packet are FIN,ACK.
Action None required.
--- I dont think this is an issue but if its happening at great frequency then I may need to tweek some configurations.
I have another PIX log the is occuring with great frequency and was going to post it to see if any other's had experienced this (should I start a new post?). I havent started to troubleshoot it yet and may not even be an issue.
%PIX-2-106001: Inbound TCP connection denied from {external IP}/80 to 111.211.111.211/18355 flags PSH ACK on interface outside 2004-10-05 15:44:59
%PIX-2-106001: Inbound TCP connection denied from {external IP}/80 to 111.211.111.211/18355 flags ACK on interface outside
Per Cisco Error Event description:
Explanation This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The TCP_flags in this packet are FIN,ACK.
Action None required.
--- I dont think this is an issue but if its happening at great frequency then I may need to tweek some configurations.
I don't think it's an issue. Whenever you open a web page and quickly click off to another link or something before the page fully loads, you'll see these type messages. You've closed the connection request to the initial page, but the graphics and things are still coming from the original request. They just get dropped...
ASKER
After hours I am going to change one of them to a single nic to see if the events stop.
NIC configuration is nothing out of the ordinary. Static IP, Static DNS, WINs, etc.