Loop Back and ARP Request

[netwalker1]

My PIX outside IP is : 172.16.16.1
and when I did a sniffer on the Segment 172.16.16.0
I found 2 strange packets :
1- Loop Back from my PIX interface to itself !
2- ARP Request Broadcast packet from the PIX Inetrface asking what is the Device of twhich hold the IP : 172.16.16.1 ?!

What is this mean ?


Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

All hosts when they become active, send an arp to see if anyone has their IP address. The PIX arping itself once in a while isn't something to worry about.

Also... Do you have a failover box?

 

[netwalker1]

Yes I have a Failover PIX ,
and the ARP messages sent every 2 seconds !!!

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

Yep... That's the keepalives to make sure it's up... However, it shouldn't be arping every 2 seconds.

 

[netwalker1]

So , Can you help me discovering why ? and how can I stop this ?!
Also ,, What is the loopback packets ?!

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

The loopback packets is the PIX trying to connect to itself to see if it's up. It will do this on every interface. However, the arp broadcasts should not be happening every two seconds. Are you sure the PIX is arping itself every two seconds?

 

[netwalker1]

Yes , it's arping itself , and it arping alos the Natted IPs , I mean there is some static NAt from inside to outside in my PIX , for some servers , they all having an ARP Packets and a loop back !

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

What does your arp timeout say in your configuration?

 

[netwalker1]

14400

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

What does "failover poll" say?

 

[netwalker1]

failover poll 3

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

Ok... so every 3 seconds your PIX is going to try to contact it's standby PIX.

 

[netwalker1]

Hmm ,,
what about the arp request for the Natted IPs ..
I have a Web Server inside my network and it's natted to the outside interface by a real IP ..
when I sniff outside , I can find a ARP Request from the PIX real IP , asking about the Web Server Real IP !?



Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

Is it repeatedly arping the webserver's real IP address? Or is it once every 14400 seconds?

 

[netwalker1]

repeatedly arping the webserver's real IP address

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

Is it getting the same response every time?

 

[netwalker1]

yes

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

What version are your PIX's running?

Make sure they are on the same version OS, and hopefully something relatively new like 6.2.x or newer.

 

[netwalker1]

My PIX Version is 6.3(1)

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!

 

[baddos]

Try upgrading both of your pix boxes to 6.3(3). 6.3(1) is a pretty big change in the PIX OS, so there might be a bug in there that is affecting you. 6.3(3) is the latest version of that build.

You also might want to try out 6.2(2). That's a pretty stable build.