 | ||
 NAT + Proxy ARP problem | ||
| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
|
| |||||||
 |
| | LinkBack | Thread Tools | Display Modes |
 2005-11-30 | |||
| |||
 NAT + Proxy ARP problem I'm having a 'problem' with my FW1 NG R55 running in a Solaris 8. We have a class C network which we use about 15 IPs to do Hide NAT. They are working fine, but the fact that they use only 1 physical interface (1 MAC address) for several IPs address is causing several messages (about 100 per sec) in my syslog like this one: ip: [ID 388441 kern.warning] WARNING: IP: Proxy ARP problem? Hardware address '<My MAC Address>' thinks it is <One of my NATed IPs> This messages, even being just warnings, are consuming my hardware (I/O, disk, processor, etc). This is a CheckPoint message ou a Solaris message? In the first case, is there any way that I can disable this? I've already tried to run "fw ctl debug -m fw - warning" and nothing happened. Thanks  |
| 2005-11-30 | |||
| |||
| Re: NAT + Proxy ARP problem It shouldn't be using proxy arp unless you are doing static nat. Make sure that you don't have any proxy arps hard coded on the firewall. You can also try disabling the Auto Arp feature in Check Point. I have seen some weird things happen with this enabled. You can find it in Global Properties > NAT > Third checkbox from top. Uncheck that and push policy and see if you still see the same problem. |
| 2005-11-30 | |||
| |||
| Re: NAT + Proxy ARP problem Lackie, when you say "proxy arps hard coded", you mean in a file, loaded at boot time? In this case, the answer is no!!! About disabling the "Automatic ARP configuration"; doing this will not mess with our Static NATs?? Yes, we have both Hide and Static NATs running in this box. Thanks again. |
| 2005-11-30 | |||
| |||
| Re: NAT + Proxy ARP problem I have seen some weird things happen when using the automatic arp in CheckPoint. Alot of the time it will work without a problem but then the odd time (without any cause) it will stop working or fail in some sort. At that point I tell anyone to have the Operating System do the proxy arps (Usually Nokia IPSO in my cases) and remove the automatic arp in Check Point. As you do have static nats then removing the automatic arp without having proxy arps in place will break the static nats that you have. |
| 2005-12-01 | |||
| |||
| Re: NAT + Proxy ARP problem I have a counter example. The problem was reproduced on SecurePlatform NG AI R55 and NGx R60. The Linux Proxy arp feature seems to be broken in recent kernels and didn't work either on my linux workstation with kernel 2.6.13. ( OS proxy arp worked fine on NG FP3) In order to have proxy arp working, I had to use the Checkpoint one. Do you guys have a working configuration with proxy arp under SecurePlatform? |
|
| Thread Tools | |
| Display Modes | |
| |
Linear Mode
