SUMMARY: Solaris boxes in a DMZ have arp table problems - CISCO PIX keeps populating Solaris boxes arp tables (fwd)

From: Jeffrey Liu <jliu2_at_hanwave.net>
Date: Thu Feb 07 2002 - 16:54:55 EST
All,

Original question at bottom.

Thanks to
 Joel Lee
 Kevin Metzger
 Dan Simoes
 Scott Buecker
 Mike D. Kail


Kevin Metzger and Mike D. Kail nailed the answer right on the
head, except that because it was the internal firewall's external
interface, the command used on the PIX was:

    sysopt noproxyarp outside

Thanks again everyone!!!


---------- Forwarded message ----------

We had a PIX proxy ARP on our inside interface making our production servers
intermittently unavailable.  Cisco swore they had only ever seen that one other
time and gave me this config line that cured it.

sysopt noproxyarp inside

hope this helps.

--==========================================================================--
Kevin Metzger            direct mobile: 614.378.6396   desk: 800.777.3574x2686
Systems Administrator                                        614.839.0740  fax
Progressive Medical, Inc.                                    kevin@pmimail.com
--==========================================================================--

Original Question:

-
-I have four SUN boxes within a DMZ.  Two of them are Solaris 2.6,
-and two of them are Solaris 8.
-
-The problem is that when these boxes are booted up, their arp
-tables are constantly being populated with the MAC address for
-the internal interface of the CISCO PIX firewall.  So for all
-the sun boxes, and even the external interface for the CISCO PIX,
-the internal interface for the CISCO PIX somehow forces its own
-MAC address to be populated within the arp tables.
-
-As a result, even though these machines are on the same
-network segment, they can not talk to each other.  Though
-thankfully we can still reach them from our internal corporate
-network through the PIX firewall.
-
-Our telecomm/firewall guys claim that there's no ARP proxy being
-used or configured.  And they can't seem to figure out why this
-is happening.  They've even tried creating a static arp table
-on the PIX itself, but that didn't seem to work.
-
-Cisco claims that this is a SUN problem.
-
-So far, our kludgy fix has been to include an /etc/rc3.d/S99arpapdd.sh
-which manually adds arp entries for the affected sun servers.
-
-Has anyone run across something similar and can explain just what is
-happening?  Does anyone know what can be done to fix the problem?
-
-Thanks in advance!
-
-
-Here's a brief look at the typical behavior of the SUN boxes after
-booting up:
-
-
-# arp -a
-
-Net to Media Table: IPv4
-Device   IP Address               Mask      Flags   Phys Addr
------- -------------------- --------------- ----- ---------------
-hme0   1.2.3.130       255.255.255.255       00:90:27:9d:91:fb
-hme0   1.2.3.129       255.255.255.255       00:90:27:9d:91:fb
-hme0   sun4             255.255.255.255 SP    08:00:20:f0:d3:98
-hme0   ntbox.somecorp.com 255.255.255.255       00:80:5f:9a:a7:51
-hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
-# arp -a
-
-Net to Media Table: IPv4
-Device   IP Address               Mask      Flags   Phys Addr
------- -------------------- --------------- ----- ---------------
-hme0   1.2.3.130       255.255.255.255       00:90:27:9d:91:fb
-hme0   1.2.3.129       255.255.255.255       00:90:27:9d:91:fb
-hme0   sun4             255.255.255.255 SP    08:00:20:f0:d3:98
-hme0   ntbox.somecorp.com 255.255.255.255       00:80:5f:9a:a7:51
-hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
-# ping sun1
-sun1 is alive
-# arp -a
-
-Net to Media Table: IPv4
-Device   IP Address               Mask      Flags   Phys Addr
------- -------------------- --------------- ----- ---------------
-hme0   1.2.3.130       255.255.255.255       00:90:27:9d:91:fb
-hme0   1.2.3.129       255.255.255.255       00:90:27:9d:91:fb
-hme0   sun1             255.255.255.255       00:90:27:9d:91:fb
-hme0   sun4             255.255.255.255 SP    08:00:20:f0:d3:98
-hme0   ntbox.somecorp.com 255.255.255.255       00:80:5f:9a:a7:51
-hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
-# ping sun2
-sun2 is alive
-# arp -a
-
-Net to Media Table: IPv4
-Device   IP Address               Mask      Flags   Phys Addr
------- -------------------- --------------- ----- ---------------
-hme0   sun2             255.255.255.255       00:90:27:9d:91:fb
-hme0   1.2.3.130       255.255.255.255       00:90:27:9d:91:fb
-hme0   1.2.3.129       255.255.255.255       00:90:27:9d:91:fb
-hme0   sun1             255.255.255.255       00:90:27:9d:91:fb
-hme0   sun4             255.255.255.255 SP    08:00:20:f0:d3:98
-hme0   ntbox.somecorp.com 255.255.255.255       00:80:5f:9a:a7:51
-hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
-# ping sun3
-sun3 is alive
-# arp -a
-
-Net to Media Table: IPv4
-Device   IP Address               Mask      Flags   Phys Addr
------- -------------------- --------------- ----- ---------------
-hme0   sun3.somecorp.com 255.255.255.255       00:90:27:9d:91:fb
-hme0   sun2             255.255.255.255       00:90:27:9d:91:fb
-hme0   1.2.3.130       255.255.255.255       00:90:27:9d:91:fb
-hme0   1.2.3.129       255.255.255.255       00:90:27:9d:91:fb
-hme0   sun1             255.255.255.255       00:90:27:9d:91:fb
-hme0   sun4             255.255.255.255 SP    08:00:20:f0:d3:98
-hme0   ntbox.somecorp.com 255.255.255.255       00:80:5f:9a:a7:51
-hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Feb 7 15:55:15 2002

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:33 EST
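The symptom in the original question (every DMZ host resolving to the PIX inside-interface MAC 00:90:27:9d:91:fb) can be spotted mechanically from `arp -a` output. The script below is an added example and is not code from the sunmanagers post or from Cisco/Sun: it parses the Solaris "Net to Media Table" format shown above (the last table from the question is embedded as a constructed sample, quote prefix removed), reports any MAC that more than one unicast host resolves to, and generates the `arp -s` lines that the poster's stopgap rc script would need. The real MAC addresses of sun1, sun2 and sun3 are not on the page, so the host-to-MAC mapping used at the bottom is an assumption; the permanent fix remains `sysopt noproxyarp <interface>` on the PIX.

```python
"""Spot the proxy-ARP symptom from Solaris `arp -a` output.

Added example; not code from the original sunmanagers post. It parses the
"Net to Media Table" that Solaris arp(1M) prints and reports any MAC that
more than one unicast host resolves to, which is how a firewall answering
ARP for other hosts (the PIX proxy ARP in the thread) or an ARP-spoofing
host appears in a victim's table. It also generates the `arp -s` lines of
the poster's stopgap rc script; the real MACs of sun1..sun3 are not on
the page, so the mapping used in __main__ is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: the last `arp -a` table quoted in the original
# question, without the "-" quote prefix. The PIX inside-interface MAC
# 00:90:27:9d:91:fb has been learned for every DMZ host.
SAMPLE_ARP_A = """\
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   sun3.somecorp.com 255.255.255.255       00:90:27:9d:91:fb
hme0   sun2             255.255.255.255       00:90:27:9d:91:fb
hme0   1.2.3.130       255.255.255.255       00:90:27:9d:91:fb
hme0   1.2.3.129       255.255.255.255       00:90:27:9d:91:fb
hme0   sun1             255.255.255.255       00:90:27:9d:91:fb
hme0   sun4             255.255.255.255 SP    08:00:20:f0:d3:98
hme0   ntbox.somecorp.com 255.255.255.255       00:80:5f:9a:a7:51
hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
"""

# Solaris may print octets without leading zeros (8:0:20:f0:d3:98).
MAC_RE = re.compile(r"^[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}$", re.I)


def normalize_mac(mac):
    """Canonical lower-case, zero-padded form so 8:0:20:... == 08:00:20:..."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def parse_arp_table(text):
    """Return (device, host, mask, flags, mac) tuples from `arp -a` output.

    The Flags column is blank for plain dynamic entries, so data rows have
    four or five fields; the MAC is always last. Header, ruler and blank
    lines have no MAC in the last field and are skipped.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not MAC_RE.match(fields[-1]):
            continue
        device, host, mask = fields[0], fields[1], fields[2]
        flags = fields[3] if len(fields) == 5 else ""
        entries.append((device, host, mask, flags, normalize_mac(fields[-1])))
    return entries


def find_shared_macs(entries):
    """Map each MAC claimed by two or more hosts to the list of claimants.

    Published entries (flag P, the box's own address) and multicast
    entries (flag M or an 01:00:5e: prefix) are not ARP-learned and are
    expected to be static or shared, so they are excluded.
    """
    by_mac = defaultdict(list)
    for _device, host, _mask, flags, mac in entries:
        if "P" in flags or "M" in flags or mac.startswith("01:00:5e:"):
            continue
        by_mac[mac].append(host)
    return {mac: hosts for mac, hosts in by_mac.items() if len(hosts) > 1}


def static_arp_commands(known_hosts):
    """Build the `arp -s host mac` lines for a stopgap rc script.

    Without the `temp` keyword, Solaris arp(1M) makes the entry permanent,
    so a later proxy-ARP reply from the firewall does not replace it. This
    only papers over the symptom; the fix in the thread is
    `sysopt noproxyarp <interface>` on the PIX.
    """
    return ["arp -s %s %s" % (host, normalize_mac(mac))
            for host, mac in sorted(known_hosts.items())]


if __name__ == "__main__":
    import sys
    # Read a live table when piped, e.g. `arp -a | python3 this.py`.
    text = SAMPLE_ARP_A if sys.stdin.isatty() else sys.stdin.read()
    for mac, hosts in sorted(find_shared_macs(parse_arp_table(text)).items()):
        print("%s answers for %d hosts: %s" % (mac, len(hosts), ", ".join(hosts)))
    # Assumed MACs for the affected hosts (not from the page); replace
    # with the real ones before using the output in an rc script.
    for cmd in static_arp_commands({"sun1": "8:0:20:aa:bb:01",
                                    "sun2": "8:0:20:aa:bb:02"}):
        print(cmd)
```

On the sample the only flagged MAC is 00:90:27:9d:91:fb, claimed by sun1, sun2, sun3.somecorp.com, 1.2.3.129 and 1.2.3.130, which is exactly the picture in the question; ntbox and the published sun4 entry are left alone. Running it periodically against `arp -a` on the DMZ hosts is a cheap check that the PIX change stuck, and the same logic catches an ARP-spoofing host on the segment.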