Ethereal-users: [Ethereal-users] Win2k Machine ARPs Twice

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Mark Holloway" <mholloway@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 7 Jul 2003 23:10:57 -0700
Hi everyone.  It's been a while since I've posted any type of strange and mysterious behavior, but here is one for all of you to help me figure out, if possible.
 
I have a PIX firewall with LAN, DMZ, and INTERNET interfaces assigned.  It's a very straightforward implementation and in the DMZ, which is 172.16.11.0/24, there is a Windows 2000 machine that ARPs twice.  The problem is the first ARP is heard by the server that's supposed to respond, and the second ARP, which is milliseconds later, is picked up by the PIX firewall and it also responds back to the machine that sent the ARP request.  The machine that initiated the ARP then enters the MAC address of the PIX FIREWALL into its ARP cache ( c:\arp.exe -a ) and associates it with the server.  It goes something like this:
 
 
172.16.11.57 - SEND DATA TO 172.16.11.100
 
172.16.11.100 - BROADCASTS AN ARP - who is 172.16.11.57?
 
172.16.11.57 - REPLIES TO ARP WITH APPROPRIATE MAC ADDRESS
172.16.11.11 - THIS IS THE PIX FIREWALL; REPLIES TO SAME ARP WITH ITS OWN MAC ADDRESS 
 
SERVER 172.16.11.100 enters the PIX's MAC into its ARP cache.  I do an arp -a and it literally shows the PIX MAC for the 172.16.11.57 server and the same ARP entry for 172.16.11.11, which the PIX is truly the default gateway for every machine on the 172.16.11.0/24 network. 
 
What's confusing is why the 172.16.11.100 machine is sending two ARPs.  Another thing is why the PIX is picking up the ARP request?  Is it because the 172.16.11.100 server thinks no host is responding so it forwards to the PIX, then the PIX immediately responds back?  But why would 172.16.11.100 enter the PIX's MAC into its ARP cache and associate 172.16.11.57 with it unless the PIX is falsely telling him that?  Or else the two ARP requests are being responded to so closely, the server 172.16.11.100 gets confused? 
 
I appreciate any responses. I am at a loss. 
 
Regards,
Mark
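
Added example, not part of the original post: a small check that can be run over ARP frames from a capture to confirm the symptom described above, namely two different MAC addresses answering for the same IP. The MAC addresses and the sample frames are constructed placeholders; only the IP addresses come from the post.

```python
import struct
from collections import defaultdict

def build_arp(op, sha, spa, tha, tpa):
    """Build a raw Ethernet+ARP frame (used only to construct the sample input)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    dst = b"\xff" * 6 if op == 1 else mac(tha)   # requests are broadcast
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return dst + mac(sha) + b"\x08\x06" + hdr + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, frame[22:28].hex(":"), dotted(frame[28:32]), dotted(frame[38:42])

def conflicting_replies(frames):
    """Map IP -> sorted MACs that sent ARP replies for it, keeping only IPs with >1 MAC."""
    claims = defaultdict(set)
    for f in frames:
        parsed = parse_arp(f)
        if parsed and parsed[0] == 2:            # opcode 2 = ARP reply
            claims[parsed[2]].add(parsed[1])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed sample mirroring the sequence in the post (placeholder MACs).
HOST100, HOST57, PIX = "02:00:00:00:01:00", "02:00:00:00:00:57", "02:00:00:00:00:11"
ZERO = "00:00:00:00:00:00"
SAMPLE = [
    build_arp(1, HOST100, "172.16.11.100", ZERO, "172.16.11.57"),     # first request
    build_arp(2, HOST57, "172.16.11.57", HOST100, "172.16.11.100"),   # real server replies
    build_arp(1, HOST100, "172.16.11.100", ZERO, "172.16.11.57"),     # second request
    build_arp(2, PIX, "172.16.11.57", HOST100, "172.16.11.100"),      # firewall MAC answers too
    build_arp(2, PIX, "172.16.11.11", HOST100, "172.16.11.100"),      # firewall's own IP: no conflict
]

if __name__ == "__main__":
    for ip, macs in conflicting_replies(SAMPLE).items():
        print(f"{ip} answered by multiple MACs: {', '.join(macs)}")
```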