This weekend I was testing a new data link connection from a service provider, and I went through some address resolution problems.
I tested reachability to hosts at the far end using a laptop on my side with some network parameters provided by the ISP.
Then, when I configured it on an available NIC on my UTM, the same hosts were not reachable. After confirming my routing configuration was set up correctly, I started sniffing with tcpdump and found out that my Linux UTM's ARP requests (arp who-has) for the first hop at the other side were not getting an answer. So an <incomplete> entry for its IP address was created in my UTM's ARP table.
As a temporary workaround I added a permanent entry to my UTM's ARP table through arp -a.
I did find out that the host not answering my ARP requests is a Cisco router (Cisco 7600 router, IOS 12.2, according to nmap's OS detection feature).
What can be the root cause of this problem?
- Some sort of ACL configuration in the router's ARP? (My laptop did get the ARP resolution)
- Some arp_filter not allowing it to reply to addresses from other subnets / NAT required?
- A temporary entry for my laptop in the router's ARP table and spoofing protection activated when I configured the same address on my UTM?
- A malformed ARP request? (I am not having this issue with my other data links on the same UTM)
- A "not-understandable" ARP answer sent to my UTM?
- Any other?
The netmask for the data link is /30, so there are only two hosts able to reply to the ARP request (my UTM and the router).
UPDATE:
Reply from my ISP:
We do have security policies applied, but at MAC address level: for the case of the access port (Gi7/3) we have a maximum of 10 MAC addresses allowed to send traffic on that port, and the log has registered 4 entries to this date, thus ensuring that the security action (Restrict) has not yet been activated.
I did upgrade my UTM's hardware in order to get more NICs available. This upgrade involved a MAC address change for the NIC receiving the data link, but the behavior was the same: without a static ARP entry, I am not able to send packets to the Cisco router.