Solved

ARP (proxy?) issue on SonicWALL Pro5060 firewall

Posted on 2008-10-14
8
5,787 Views
Last Modified: 2013-11-29
In trying to chase down another issue on a network I discovered what seems to be an anomaly or at least something which I don't believe should happen and/or is unnecessary, causing (possibly) certain network problems.

I have observed that whenever I ping a host on this LAN (from another host on the same LAN) the SonicWALL will always respond to the initial ARP request with its own MAC address.  This seems to be happening at the beginning of other network communications as well although I haven't dug as deep as I have with the following scenarios.

Please see the respective figures below (attached file) which correspond with the following (these are all on the same LAN - no VLAN's or anything):

Note: initiator (pinger) is Broadcom. . . / 10.0.181.15 in each case.

1) Ping live host.  Initial arp request is answered by SonicWALL, then by actual host.  Subsequent ping request/reply is normal between only pinger and pingee.

2) Ping live host.  Initial arp request is answered by actual host, then by SonicWALL (arp response reverse of scenario 1).  Subsequent ping request/reply exchange works except that two ping requests are sent for each reply.  The first request is sent to the SonicWALL's MAC, the next is sent to the correct host MAC.  It is apparent that the initiating host cached the MAC address of both replies and is sending requests in the order the arp responses were received.

3) Ping non-existent host.  SonicWALL responds to arp request with its own MAC, then proceeds to send three arp requests to the (non-existent) destination host.  Since the initiating host received a reply to its initial arp request it sends specified number of ping requests to the SonicWALL's MAC.  Of course the SonicWALL doesn't answer and the result is request timed out.

Questions

1) Why does SonicWALL do this?

2) Can it be disabled?

3) Is this arp proxying?

ping-arp.png
0
Comment
Question by:powercram
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 4

Expert Comment

by:larsga
ID: 22717008
Yeah, that looks like proxy arp.

Difficult to tell why without knowing more about the configuration on the SonicWall. Is it set to "Transparent Mode" by any chance?
0
 
LVL 6

Author Comment

by:powercram
ID: 22717442
Are you talking about Send gratuitous ARP to DMZ or LAN on transparent mode while HA failover in Hardware Failover Settings?  The answer is no, this is not set.
0
 
LVL 4

Accepted Solution

by:
larsga earned 500 total points
ID: 22723241
The only reason I can think of for the SonicWall to behave the way it does is that it thinks (part of) 10.0.81 is sitting on a different interface (possibly a VPN?) and thus needs to do proxy arp for that ip range. Perhaps a VPN connection with wrong netmask/range, or "transparent mode" bridging between interfaces.

I'm unfortunately not that familiar with SonicWall configuration. Is it possible to dump it as a text file so that we can take a look at it? (With any potential security sensitive information anonymised of course).
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 6

Author Comment

by:powercram
ID: 22725761
The SonicWALL is setup to provide an IP address from the local network (on X0) to VPN clients.  It makes some sense then that it needs to know the MAC address of all hosts with IP addresses from that network so it can forward packets, if necessary, to "remote" VPN hosts.

I have posed this question to SonicWALL support to see what they come back with.  I'm not too optimistic though as I'm sure one of the level-one guys will try to give a scripted answer, and it would be like pulling teeth to talk to a higher-level tech.  If I get anywhere with them I'll post it here.

If the assumption is correct about the VPN thing it helps to clear the waters a bit.  But now I'm back chasing the original issue which led me down this path.  Once I get my thoughts together and can form some logical questions I will ask them.
0
 
LVL 4

Expert Comment

by:larsga
ID: 22726647
It should really only do proxy arp for the IP addresses that the VPN clients are currently using, it should not do proxy arp for the entire 10.0.181.x range. Could you look in the VPN settings and see if it is possible to narrow down the range of addresses that are given to VPN clients, preferably parts of .181.x that are not going to be used by PCs/other devices on the local lan.

How are IP addresses assigned on the local lan, btw? If it is by a DHCP server, you might for example configure it to give out addresses from 181.10 - 181.200. And then in the VPN config on the SonicWall set it to use 181.201 - 181.250 as the pool of addresses given to VPN clients.
0
 
LVL 6

Author Comment

by:powercram
ID: 22731142
I think you are on to something here.

I have a W2K3 server running DHCP with a range of about 50 addresses.  The SonicWALL is setup to DHCP proxy from the LAN to the VPN clients.  I like your idea of defining a range just for VPN clients from the SonicWALL.  I'll give that a try and see if this changes the behavior.
0
 
LVL 6

Author Closing Comment

by:powercram
ID: 31506088
This interaction got me going in the right direction & I believe I found what I was after with it.  Thanks for the help.
0
 

Expert Comment

by:DraXken
ID: 36421294
Hi Powercram,

I actually have the same problem here on or Sonicwall NSA 3500; Can you tell me what you ended up doing?

With kind regards,
Pascal
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question