Harv Guest
Posted: Tue Apr 25, 2006 7:25 am    Post subject: one-way ARP between cisco and Watchguard
I have a 4503 with an ethernet trunk to a cluster of Dell switches, with an
access port to a Watchguard firewall in "drop-in" (bridged) mode:

    C4503===Dell5324===Dell5234--x--Watchguard--server

    ==  802.1q trunk
    --  untagged
The 4503 has an "interface Vlan" for Layer-3 access to the Watchguard's
Vlan. The Watchguard is not learning the MAC address of the Cisco, but
the Cisco is learning the MAC of the Watchguard.
I placed a sniffer where the "x" is above, and saw the Watchguard
ARPing for the Cisco every 60 seconds, and saw the Cisco's replies.
But the ARP table on the Watchguard showed the Cisco's address as MAC
00-00-00-00-00-00, which I assume means "incomplete". I also saw pings
(unicast) from the Cisco MAC to the Watchguard MAC, but no replies from
the Watchguard (of course... no ARP entries = no replies).
If the Watchguard is replaced with another device (e.g. laptop), then
there are no problems. I've tried converting the Watchguard to routed
mode, but the problem persists.
I'm installing three Watchguards to this Cisco router/switch, and all
three exhibited this. One of them (in routed mode) started behaving
finally after I pulled everything apart and put it back together.
Harv
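The situation in the post is one where the sniffer sees a request and a reply, yet the requester never installs the entry. The script below is an added example (not from the poster and not Watchguard or Cisco code) of how to audit such a capture automatically: it decodes Ethernet/ARP frames, pairs each request with the replies for the IP it asked about, and flags the properties a receiving host checks before accepting a reply (the frame's destination MAC, the ARP target MAC, agreement between the ARP sender MAC and the Ethernet source, and whether a reply came back 802.1Q-tagged when the request was untagged). The MACs, addresses and the sample capture are constructed placeholders; `build_arp_frame` exists only to fabricate those samples. It does not assert which of these was Harv's fault, it simply reports every mismatch a real capture contains.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Wire-format constants (Ethernet II, IEEE 802.1Q, RFC 826 ARP over Ethernet/IPv4).
ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    vlan: Optional[int]  # 802.1Q VLAN id, or None when the frame is untagged
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet frame (optionally 802.1Q tagged) carrying IPv4 ARP.
    Returns None for anything that is not a well-formed IPv4-over-Ethernet ARP."""
    if len(frame) < 14:
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_P_ARP or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[off + 8:off + 28]
    return ArpFrame(_mac(eth_dst), _mac(eth_src), vlan, op,
                    _mac(body[0:6]), _ip(body[6:10]), _mac(body[10:16]), _ip(body[16:20]))


def build_arp_frame(eth_dst: str, eth_src: str, opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str, vlan: Optional[int] = None) -> bytes:
    """Encode an ARP frame; used here only to construct the sample capture below."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    hdr = mac(eth_dst) + mac(eth_src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    hdr += struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return hdr + arp


def audit_arp_exchange(frames: List[bytes]) -> Dict[str, List[str]]:
    """For every ARP request in the capture, report why the requester would or would
    not accept the replies seen for it. Keys are '<requester ip> -> <target ip>'."""
    parsed = [p for p in (parse_arp_frame(f) for f in frames) if p is not None]
    requests = [p for p in parsed if p.opcode == ARP_REQUEST]
    replies = [p for p in parsed if p.opcode == ARP_REPLY]
    report: Dict[str, List[str]] = {}
    for req in requests:
        key = f"{req.sender_ip} -> {req.target_ip}"
        findings: List[str] = []
        matching = [r for r in replies
                    if r.sender_ip == req.target_ip and r.target_ip == req.sender_ip]
        if not matching:
            findings.append("no reply seen for this request")
        for rep in matching:
            if rep.eth_dst not in (req.sender_mac, BROADCAST):
                findings.append(f"reply addressed to {rep.eth_dst}, not to requester {req.sender_mac}")
            if rep.target_mac != req.sender_mac:
                findings.append(f"reply target MAC {rep.target_mac} != requester MAC {req.sender_mac}")
            if rep.sender_mac != rep.eth_src:
                findings.append(f"reply sender MAC {rep.sender_mac} != Ethernet source {rep.eth_src}")
            if rep.vlan is not None and req.vlan is None:
                findings.append(f"reply carries 802.1Q tag (VLAN {rep.vlan}) but request was untagged")
        report[key] = findings or ["ok"]
    return report


# Constructed sample capture (placeholder MACs and RFC 1918 addresses, not the poster's):
# 10.0.0.2 (firewall) asks for 10.0.0.1 (router SVI) untagged and the reply comes back tagged;
# 10.0.0.3 (laptop) asks for 10.0.0.1 and gets a clean, untagged reply.
FW_MAC, RTR_MAC, LAPTOP_MAC = "02:00:00:00:00:02", "02:00:00:00:00:01", "02:00:00:00:00:03"
SAMPLE_CAPTURE = [
    build_arp_frame(BROADCAST, FW_MAC, ARP_REQUEST, FW_MAC, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp_frame(FW_MAC, RTR_MAC, ARP_REPLY, RTR_MAC, "10.0.0.1", FW_MAC, "10.0.0.2", vlan=10),
    build_arp_frame(BROADCAST, LAPTOP_MAC, ARP_REQUEST, LAPTOP_MAC, "10.0.0.3", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp_frame(LAPTOP_MAC, RTR_MAC, ARP_REPLY, RTR_MAC, "10.0.0.1", LAPTOP_MAC, "10.0.0.3"),
]

if __name__ == "__main__":
    for exchange, findings in audit_arp_exchange(SAMPLE_CAPTURE).items():
        print(exchange, "=>", "; ".join(findings))
```

To run it against a real capture, replace `SAMPLE_CAPTURE` with the raw frames read from a pcap (for example via `dpkt` or `scapy`'s `rdpcap`, each converted to `bytes`); a capture taken at the "x" in the post's diagram, on the untagged side, is the right vantage point, since a frame that looks fine on the trunk can still be one the access-port host never sees.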