Ethereal-users: RE: [Ethereal-users] Win2k Machine ARPs Twice

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (Sydney)" <martin.visser@xxxxxx>
Date: Tue, 8 Jul 2003 16:49:13 +1000
Mark,

From your post you say the W2K machine 172.16.11.100 ARPs twice.
However, from your time-line description you only mention one ARP
request broadcast from 172.16.11.100. The latter is more likely.

The fact that *both* the server and the PIX respond to the (same, I
think?) ARP request is indicating that you have proxy ARP configured on
the PIX. It also means that for some reason, due to the PIX
configuration, the PIX thinks that your ARP broadcast comes from a
subnet different to the one that 172.16.11.57 lives on. This is probably
because you have a different subnet mask configured on the PIX from
172.16.11.100. That is, is it possible that the PIX has, say, a /26 mask
for the DMZ?

The fact is that the PIX should only respond to an ARP request because
it believes it has a more direct path to the destination host than the
source.

To clarify things a bit more you may need to post an Ethereal packet
capture (or a "sanitized" PIX config, removing your passwords and public
IP addresses).

Martin Visser, CISSP
Network and Security Consultant 
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 
Phone: +61-2-9022-1670    Mobile: +61-411-254-513
Fax: +61-2-9022-1800     E-mail: martin.visserAThp.com
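To make the subnet-mask hypothesis above concrete, here is a small added model (not code from the thread, Ethereal, or the PIX) that applies the addresses in the thread to different mask lengths. It assumes, as Martin's reasoning does, that a proxy-ARP firewall answers a request whenever the sender and the target fall into different subnets under the firewall's own mask; real PIX behaviour is richer than this, so treat it as an illustration of the mismatch, not as a description of the product.

```python
import ipaddress

# Addresses taken from the thread: DMZ 172.16.11.0/24, PIX at .11,
# the host that sends the ARP request at .100, the target server at .57.
REQUESTER_IP = "172.16.11.100"
TARGET_IP = "172.16.11.57"


def subnet_of(ip: str, prefix_len: int) -> ipaddress.IPv4Network:
    """Network an address falls into under a given mask length."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def same_subnet(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """True when both addresses share a network under this mask."""
    return subnet_of(ip_a, prefix_len) == subnet_of(ip_b, prefix_len)


def host_arps_directly(host_prefix_len: int, sender_ip: str, target_ip: str) -> bool:
    """A host ARPs for the target itself only if it believes the target is local."""
    return same_subnet(sender_ip, target_ip, host_prefix_len)


def proxy_arp_would_reply(firewall_prefix_len: int, sender_ip: str, target_ip: str) -> bool:
    """Simplified model (an assumption, not PIX source behaviour): a proxy-ARP
    firewall answers a request when, under its own mask, sender and target sit
    in different subnets, i.e. it believes it must route between them."""
    return not same_subnet(sender_ip, target_ip, firewall_prefix_len)


def explain(host_prefix_len: int, firewall_prefix_len: int) -> dict:
    """Summarise both views of the same ARP request for one mask combination."""
    return {
        "host_prefix": host_prefix_len,
        "firewall_prefix": firewall_prefix_len,
        "host_sends_arp": host_arps_directly(host_prefix_len, REQUESTER_IP, TARGET_IP),
        "sender_subnet_seen_by_firewall": str(subnet_of(REQUESTER_IP, firewall_prefix_len)),
        "target_subnet_seen_by_firewall": str(subnet_of(TARGET_IP, firewall_prefix_len)),
        "duplicate_reply_expected": proxy_arp_would_reply(
            firewall_prefix_len, REQUESTER_IP, TARGET_IP
        ),
    }


if __name__ == "__main__":
    # The host is /24 as stated in the thread; try a few firewall masks.
    for fw_prefix in (24, 25, 26):
        print(explain(24, fw_prefix))
```

With a /24 or /25 on the firewall, .57 and .100 share a network and only the server should answer; at /26 the firewall places .100 in 172.16.11.64/26 and .57 in 172.16.11.0/26, which is exactly the condition under which a second, proxy reply appears.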



-----Original Message-----
From: Mark Holloway [mailto:mholloway@xxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, 8 July 2003 4:11 PM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Win2k Machine ARPs Twice


Hi everyone.  It's been a while since I've posted any type of strange
and mysterious behavior, but here is one for all of you to help me
figure out, if possible.
 
I have a PIX firewall with LAN, DMZ, and INTERNET interfaces assigned.
It's a very straightforward implementation and in the DMZ, which is
172.16.11.0/24, there is a Windows 2000 machine that ARPs twice.  The
problem is the first ARP is heard by the server that's supposed to
respond, and the second ARP which is milliseconds later, is picked up by
the PIX firewall and it also responds back to the machine who sent the
ARP request.  The machine that initiated the ARP then enters the MAC
address of the PIX FIREWALL into its ARP cache ( c:\arp.exe -a ) and
associates it with the server.  It goes something like this:
 
 
172.16.11.57 - SEND DATA TO 172.16.11.100
 
172.16.11.100 - BROADCASTS AN ARP - who is 172.16.11.57?
 
172.16.11.57 - REPLIES TO ARP WITH APPROPRIATE MAC ADDRESS

172.16.11.11 - THIS IS THE PIX FIREWALL; REPLIES TO SAME ARP WITH ITS OWN MAC ADDRESS

 
SERVER 172.16.11.100 enters the PIX's MAC into its ARP cache.  I do an
arp -a and it literally shows the PIX MAC for the 172.16.11.57 server
and the same ARP entry for 172.16.11.11, the PIX, which is truly the
default gateway for every machine on the 172.16.11.0/24 network. 
 
What's confusing is why the 172.16.11.100 machine is sending two ARPs.
Another thing is why the PIX is picking up the ARP request?  Is it
because the 172.16.11.100 server thinks no host is responding so it
forwards to the PIX, then the PIX immediately responds back?  But why
would 172.16.11.100 enter the PIX's MAC into its ARP cache and
associate 172.16.11.57 with it unless the PIX is falsely telling him
that?  Or else the two ARP requests are being responded to so closely,
the server 172.16.11.100 gets confused? 
 
I appreciate any responses. I am at a loss. 
 
Regards,
Mark
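The symptom Mark describes, two different MACs answering for the same IP within milliseconds, is something a capture can be checked for mechanically. The following is an added example, not code from the thread or from Ethereal: it runs a duplicate-reply check over a constructed list of ARP replies shaped like Mark's time-line (the MAC addresses and timestamps are made up), and also shows which MAC the requester's cache ends up holding under the simplifying assumption that the most recent reply overwrites the entry.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as it would appear in a capture."""
    ts_ms: float      # capture timestamp in milliseconds (constructed)
    sender_ip: str    # "I am <sender_ip> ..."
    sender_mac: str   # "... at <sender_mac>"
    target_ip: str    # the host that asked
    target_mac: str


# Constructed sample modelled on the thread: the real server at .57 answers
# first, the PIX answers the same request a few ms later with its own MAC,
# and later answers normally for its own address .11. MACs are made up.
SERVER_MAC = "00:11:22:33:44:57"
PIX_MAC = "00:aa:bb:cc:dd:11"
REQUESTER_MAC = "00:11:22:33:44:64"
SAMPLE = [
    ArpReply(0.0, "172.16.11.57", SERVER_MAC, "172.16.11.100", REQUESTER_MAC),
    ArpReply(3.0, "172.16.11.57", PIX_MAC, "172.16.11.100", REQUESTER_MAC),
    ArpReply(50.0, "172.16.11.11", PIX_MAC, "172.16.11.100", REQUESTER_MAC),
]


def conflicting_replies(replies, window_ms: float = 1000.0) -> dict:
    """IPs for which two different MACs replied within window_ms of each other,
    mapped to the set of MACs involved. A single IP answered by two MACs this
    close together is the proxy-ARP (or spoofing) signature worth alerting on."""
    by_ip = defaultdict(list)
    for r in replies:
        by_ip[r.sender_ip].append((r.ts_ms, r.sender_mac))
    conflicts = {}
    for ip, entries in by_ip.items():
        entries.sort()
        macs = set()
        for i, (ts_i, mac_i) in enumerate(entries):
            for ts_j, mac_j in entries[i + 1:]:
                if ts_j - ts_i > window_ms:
                    break
                if mac_i != mac_j:
                    macs.update((mac_i, mac_j))
        if macs:
            conflicts[ip] = frozenset(macs)
    return conflicts


def resulting_cache(replies) -> dict:
    """Assumed requester behaviour: the latest reply for an IP wins the cache
    entry. This reproduces 'arp -a' showing the PIX MAC for the server."""
    cache = {}
    for r in sorted(replies, key=lambda r: r.ts_ms):
        cache[r.sender_ip] = r.sender_mac
    return cache


def ips_per_mac(replies) -> dict:
    """Which IPs each MAC has claimed. A gateway answering for several IPs is
    the expected footprint of proxy ARP and helps identify the second replier."""
    claims = defaultdict(set)
    for r in replies:
        claims[r.sender_mac].add(r.sender_ip)
    return dict(claims)


if __name__ == "__main__":
    for ip, macs in conflicting_replies(SAMPLE).items():
        print(f"{ip} answered by {len(macs)} MACs: {sorted(macs)}")
    print("cache after replies:", resulting_cache(SAMPLE))
    print("IPs claimed per MAC:", ips_per_mac(SAMPLE))
```

On the constructed sample the check flags 172.16.11.57 as answered by both the server MAC and the PIX MAC, the cache ends up holding the PIX MAC for .57 (matching what Mark saw in arp -a), and the PIX MAC is the one claiming two addresses, which points at the proxy-ARP source rather than the Windows host.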