ARP (incomplete) system log "Received conflicting ARP on interface ethernet1/1 indicating duplicate IP"

Created On 06/21/22 09:16 AM - Last Modified 05/09/23 08:16 AM


Symptom


  • A source NAT rule was created with a translated source address that is a subnet overlapping the egress/destination interface.
For example:
The firewall interface is ethernet1/1. Its IP is 10.129.72.126/24

[Screenshot: ethernet1_1.PNG]
  • There is an S-NAT rule that translates the source to the 10.0.0.0/8 subnet, which overlaps the IP subnet on eth1/1.
[Screenshot: Incorrect NAT.PNG]
  • Pinging the next hop 10.129.72.130, we see 100% packet loss.
admin@Lab70-126-PA-5280> ping source 10.129.72.126 host 10.129.72.130
PING 10.129.72.130 (10.129.72.130) from 10.129.72.126 : 56(84) bytes of data.
^C
--- 10.129.72.130 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
  • Running the command show arp all, we see the ARP entry is incomplete.
admin@Lab70-126-PA-5280> show arp all

maximum of entries supported :      128000
default timeout:                    1800 seconds
total ARP entries in table :        1
total ARP entries shown :           1
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/1       10.129.72.130   (incomplete)      ethernet1/1         i      1
  • The system log shows:
2022/06/21 01:24:10 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:24:00 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:50 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:25 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:15 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
  • The pan_packet_diag log with feature flow arp shows that another host is using the IP address that the firewall is using in the NAT rule.
In response, the firewall sends a gratuitous ARP broadcast announcing that 10.129.72.130 is at the firewall's MAC.
Received ARP packet from port ethernet1/1
Packet decoded dump:
L2:     00:50:56:9b:ab:6d->94:56:41:37:d4:40, type 0x0806
ARP:    hardware type 0x0001
        protocol type 0x0800
        hardware size 6
        protocol size 4
        opcode REPLY
        sender mac address 00:50:56:9b:ab:6d
        sender ip address 10.129.72.130
        target mac address 94:56:41:37:d4:40
        target ip address 10.129.72.126
ARP packet sent from translated IP 10.129.72.130 in NAT rule index 0 in vsys 1
MAC not of own box00:50:56:9b:ab:6d
Received conflicting ARP on interface ethernet1/1,indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
Broadcast ARP announcement packet on interface 64
Packet decoded dump:
L2:     94:56:41:37:d4:40->ff:ff:ff:ff:ff:ff, type 0x0806
ARP:    hardware type 0x0001
        protocol type 0x0800
        hardware size 6
        protocol size 4
        opcode REPLY
        sender mac address 94:56:41:37:d4:40
        sender ip address 10.129.72.130
        target mac address 94:56:41:37:d4:40
        target ip address 10.129.72.130

 


Environment


  • Palo Alto Networks firewall configured with a source NAT rule whose translated source address overlaps the egress/destination interface subnet.


Cause


  • This happens because the firewall performs proxy ARP for the translated source subnet, so it responds to any ARP request for an IP in that subnet, including the next hop's address.


Resolution


  • Fix the S-NAT rule so that it translates to the correct IP and subnet, one that does not overlap the egress interface's connected subnet.
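The following is an added example, not code from this article or from Palo Alto Networks, that ties the symptom to the cause: it parses system log lines of the "Received conflicting ARP" form shown above and checks a set of source NAT rules for translated pools that overlap the egress interface's connected subnet, which is the condition that triggers proxy ARP for neighbour addresses. The interface table, the NAT rule list and its field names, and the second "good" rule are constructed assumptions for illustration; only the log line format, the interface address and the 10.0.0.0/8 pool come from the article.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two conflicting-ARP lines in the article's system log
# format plus one unrelated line, so the parser has something to skip.
SYSTEM_LOG = """\
2022/06/21 01:24:10 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:24:00 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:50 info     general        general 0  Unrelated message that must be ignored
"""

CONFLICT_RE = re.compile(
    r"Received conflicting ARP on interface (?P<iface>\S+) indicating duplicate IP "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+), sender mac (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_conflicts(log_text):
    """Count conflicting-ARP events keyed by (interface, duplicate IP, sender MAC)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONFLICT_RE.search(line)
        if m:
            counts[(m["iface"], m["ip"], m["mac"].lower())] += 1
    return dict(counts)


# Hypothetical inventory (assumption): interface -> configured address/prefix.
INTERFACES = {"ethernet1/1": "10.129.72.126/24"}

# Hypothetical NAT rule list (assumption): the first rule mirrors the article's
# misconfiguration, the second uses a pool that does not touch the interface subnet.
NAT_RULES = [
    {"name": "bad-snat", "egress_interface": "ethernet1/1", "translated_pool": "10.0.0.0/8"},
    {"name": "good-snat", "egress_interface": "ethernet1/1", "translated_pool": "198.51.100.0/24"},
]


def overlapping_rules(rules, interfaces):
    """Return (rule, interface, pool, interface subnet) for every rule whose
    translated pool overlaps the connected subnet of its egress interface.
    Because the firewall proxy-ARPs for the whole pool, such a rule makes it
    answer ARP for its neighbours' addresses, including the next hop."""
    findings = []
    for rule in rules:
        pool = ipaddress.ip_network(rule["translated_pool"], strict=False)
        iface_net = ipaddress.ip_interface(interfaces[rule["egress_interface"]]).network
        if pool.overlaps(iface_net):
            findings.append((rule["name"], rule["egress_interface"], str(pool), str(iface_net)))
    return findings


def explain_conflicts(log_text, rules, interfaces):
    """For each conflicting-ARP IP in the log, list the NAT rules on that
    interface whose translated pool contains the address."""
    report = []
    for (iface, ip, mac), n in parse_conflicts(log_text).items():
        addr = ipaddress.ip_address(ip)
        culprits = [
            r["name"] for r in rules
            if r["egress_interface"] == iface
            and addr in ipaddress.ip_network(r["translated_pool"], strict=False)
        ]
        report.append({"interface": iface, "ip": ip, "sender_mac": mac,
                       "events": n, "nat_rules": culprits})
    return report


if __name__ == "__main__":
    for f in overlapping_rules(NAT_RULES, INTERFACES):
        print("overlap: rule %s on %s translates to %s, interface subnet %s" % f)
    for entry in explain_conflicts(SYSTEM_LOG, NAT_RULES, INTERFACES):
        print(entry)
```

Running the script on the constructed input reports only the bad-snat rule as overlapping and attributes the five-per-minute conflict messages for 10.129.72.130 to that rule; a pool taken from address space that is routed to the firewall but not connected on the egress interface produces no finding.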


Additional Information


  • More information on proxy ARP: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools


Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Cq7dCAC&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail