Juniper firewall config problem - gratuitous ARP overrunning network?

Posted on 2009-02-11
Last Modified: 2012-06-27

I have a Juniper router running ScreenOS 6.1 which is reportedly causing ARP problems for my host. It's binding to every IP it can find.

I've attached the config file.  The firewall is set up to protect one server.  Collectively I have 5 IPs assigned by my host - I've entered them in the attached config file (one is assigned to the firewall; the others are assigned to the server and are routed via NAT-DST).  This all worked fine for the last couple of days, except it's been causing this problem constantly.

Interface 0/0 goes to the internet in Untrust
Interface 0/7 goes to the server in DMZ

However, today I received a message from my host that all is not well.  They've said the firewall is trying to bind to every IP on the network, and they've now disconnected it.

Here's some of their log:

Feb 11 11:02:05 mook kernel: arp: moved from 00:1a:a2:2d:0f:8a to 00:22:83:98:de:00 on rl0
Feb 11 11:02:27 mook kernel: arp: moved from 00:1b:d5:88:99:d6 to 00:22:83:98:de:00 on rl0
Feb 11 11:03:23 mook kernel: arp: moved from 00:1b:d5:88:99:d6 to 00:22:83:98:de:00 on rl0
Feb 11 11:03:31 mook kernel: arp: moved from 00:17:cb:49:8b:80 to 00:22:83:98:de:00 on rl0

I've done some reading this afternoon and I have a feeling it's gratuitous ARP (G-ARP) related.

Can anyone shed some light on this, and point me to fixing the config file? You would be a lifesaver!

set clock timezone 0

set vrouter trust-vr sharable

set vrouter "untrust-vr" default-vrouter

set vrouter "untrust-vr"


set vrouter "trust-vr"

unset auto-route-export


set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 

set alg appleichat enable

unset alg appleichat re-assembly enable

set alg sctp enable

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "Administrator"

set admin password "nDorBFr7IsnOcn4JWsuCYcHtbgDNTn"

set admin http redirect

set admin auth web timeout 10

set admin auth server "Local"

set admin format dos

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "untrust-vr"

set zone "DMZ" vrouter "untrust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst 

unset zone "Untrust" block 

set zone "Untrust" tcp-rst 

set zone "MGT" block 

set zone "DMZ" tcp-rst 

set zone "VLAN" block 

unset zone "VLAN" tcp-rst 

unset zone "Untrust" screen tear-drop

unset zone "Untrust" screen syn-flood

unset zone "Untrust" screen ping-death

unset zone "Untrust" screen ip-filter-src

unset zone "Untrust" screen land

set zone "V1-Untrust" screen tear-drop

set zone "V1-Untrust" screen syn-flood

set zone "V1-Untrust" screen ping-death

set zone "V1-Untrust" screen ip-filter-src

set zone "V1-Untrust" screen land

set interface ethernet0/8 phy full 1000mb

set interface "ethernet0/0" zone "Untrust"

set interface "ethernet0/1" zone "Null"

set interface "ethernet0/2" zone "Null"

set interface "ethernet0/7" zone "DMZ"

set interface "ethernet0/9" zone "Trust"

set interface ethernet0/0 ip

set interface ethernet0/0 route

unset interface vlan1 ip

set interface ethernet0/7 ip

set interface ethernet0/7 nat

set interface ethernet0/9 ip

set interface ethernet0/9 route

set interface "ethernet0/0" pmtu ipv4

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

set interface ethernet0/0 ip manageable

set interface ethernet0/7 ip manageable

set interface ethernet0/9 ip manageable

set interface vlan1 broadcast arp

set interface ethernet0/0 manage ping

set interface ethernet0/0 manage ssh

set interface ethernet0/0 manage telnet

set interface ethernet0/0 manage snmp

set interface ethernet0/0 manage ssl

set interface ethernet0/0 manage web

set interface ethernet0/0 manage ident-reset

set interface ethernet0/7 manage ssh

set interface ethernet0/7 manage telnet

set interface ethernet0/7 manage snmp

set interface ethernet0/7 manage ssl

set interface ethernet0/7 manage web

unset interface ethernet0/9 manage ssh

unset interface ethernet0/9 manage snmp

set interface vlan1 manage mtrace

unset flow no-tcp-seq-check

set flow tcp-syn-check

unset flow tcp-syn-bit-check

set flow reverse-route clear-text prefer

set flow reverse-route tunnel always

set hostname FIREWALL

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set dns host dns1 src-interface ethernet0/0

set dns host dns2 src-interface ethernet0/0

set dns host dns3

set address "Untrust" "Server IP 1 - Sites"

set address "Untrust" "Server IP 2 - Email"

set address "Untrust" "Server IP 3 - Unused"

set address "Untrust" "Server IP 4 - Remote Access"

set address "DMZ" "Server" "Server"

set group address "Untrust" "Server IPs"

set group address "Untrust" "Server IPs" add "Server IP 1 - Sites"

set group address "Untrust" "Server IPs" add "Server IP 2 - Email"

set group address "Untrust" "Server IPs" add "Server IP 3 - Unused"

set group address "Untrust" "Server IPs" add "Server IP 4 - Remote Access"

set ike respond-bad-spi 1

set ike ikev2 ike-sa-soft-lifetime 60

unset ike ikeid-enumeration

unset ike dos-protection

unset ipsec access-session enable

set ipsec access-session maximum 5000

set ipsec access-session upper-threshold 0

set ipsec access-session lower-threshold 0

set ipsec access-session dead-p2-sa-timeout 0

unset ipsec access-session log-error

unset ipsec access-session info-exch-connected

unset ipsec access-session use-error-log

set vrouter "untrust-vr"


set vrouter "trust-vr"


set arp nat-dst

set url protocol websense


set policy id 1 from "DMZ" to "Untrust"  "Server" "Any" "HTTP" permit 

set policy id 1


set policy id 3 from "DMZ" to "Untrust"  "Server" "Any" "DNS" permit 

set policy id 3


set policy id 4 from "Untrust" to "Untrust"  "Any" "Server IPs" "RDP" nat dst ip permit 

set policy id 4


set policy id 5 from "Untrust" to "DMZ"  "Any" "Server" "RDP" permit 

set policy id 5


set nsmgmt bulkcli reboot-timeout 60

set ssh version v2

set ssh enable

set config lock timeout 5

unset license-key auto-update

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"

set route interface ethernet0/0 gateway permanent


set vrouter "trust-vr"

unset add-default-route


set vrouter "untrust-vr"


set vrouter "trust-vr"



Question by:TNGIT

    Accepted Solution

    NAT-DST is essentially a feature that uses proxy ARP for the NAT addresses you've specified.

    Proxy ARP means that, as far as other hosts on the subnet are concerned, the firewall "binds" every IP it proxies ARP for: whenever someone asks for one of those addresses, it answers with its own MAC address. That is exactly what your host's `arp: moved ... to 00:22:83:98:de:00` log lines show, assuming that MAC is the firewall's.
    In general it is not recommended, except in very special circumstances.

    Perhaps you intend to use proxy ARP, but not for so many IP addresses...
    In your posted output, you have
    set interface ethernet0/0 ip
    set route interface ethernet0/0 gateway permanent
    But that gateway address is not in the subnet configured on ethernet0/0.

    You _should_ have an interface directly on the same subnet as whatever address you choose as the firewall's default gateway.

    set address "Untrust" "Server IP 1 - Sites"

    If you want one IP, the filter mask should be a single-host mask (255.255.255.255); a wider mask makes NAT-DST proxy-ARP for every address it covers.


    Author Comment

    Hi Mysidia

    Many thanks for that explanation, it was very interesting.

    I did alter the real IP addresses to imaginary ones in my post so as not to draw attention - the default gateway is in actual fact on the same subnet as the untrust interface's IP.

    I will adjust the filter mask and get things back up and running.  I'll read up on why this makes a difference.

    You mentioned that proxy ARP is not recommended - what would you recommend in its place?



    Expert Comment

    Isn't this a typical MIP/DIP/VIP (mapped, dynamic or virtual IP) case?

    Author Comment

    Many thanks - mysidia your solution worked perfectly.

    Qlemo, thanks for your comment - I am in the process of mapping the IPs instead of using NAT-dst.  
