OT: PIX answering ARP for other IPs on segment

From: Phil Virnoche (p.virnoche@verizon.net)
Date: Thu May 15 2003 - 09:04:52 GMT-3


(An "ATTA-BOY" award to anyone who can solve this one!!!)
 
Good morning all-
 
I have a real head scratcher that I can't find anything documented on.
Here is my setup:
 
INTERNET --------- Border Router (10.10.10.1) ---------- Switch --------------- (10.10.10.2) Pair of PIX 520's in failover (6.2.2 OS)
 
Off of the switch I have an Aventail VPN server with an IP of 10.10.10.5, and the default gateway set to 10.10.10.1.
 
Now here is the problem: I could not establish a session with the
Aventail from the outside, so I set up a SPAN port on the switch and
sniffed the INGRESS port from the Border Router. I saw the traffic
coming in. Next I sniffed the EGRESS port from the switch to the
Aventail and saw traffic coming in, AND the Aventail answering!!! But
where in the "H" "E" double toothpicks was it going???? After a few
choice swear words and another hour of troubleshooting, I discovered that
the ARP cache on the Aventail had an entry pointing 10.10.10.1 to
the MAC of the PIX!!!!! I immediately cleared the ARP caches on the PIX,
the Router and the Aventail, then initiated a continuous ping from the Aventail
to 10.10.10.1. Voilà, I could now establish my VPN connection!
As long as I leave the continuous PING running on the Aventail,
everything works, but if I don't, the ARP cache times out and the PIX
once again answers the ARP for 10.10.10.1.
 
Has anyone ever experienced this ODD behavior before? How did you fix it?
ANY info would be greatly appreciated!!
 
Regards-
Phil
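The symptom above (a gateway IP resolving to the firewall's MAC in a host's ARP cache) is easy to miss by eye but simple to check for in a capture. The following is an added example, not code from the original post: it parses tcpdump-style ARP reply lines, flags any IP answered by a MAC other than the one expected (or by more than one MAC), and reports which other IPs that MAC also answers for. The capture lines and all MAC addresses are constructed sample values.

```python
# Added example: detect a gateway IP being answered by an unexpected MAC
# (e.g. a firewall doing proxy ARP) in captured ARP replies.
# All addresses and MACs below are constructed, not taken from the post.
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines; 10.10.10.1 is answered twice,
# the second time by the MAC that also owns 10.10.10.2 (the "PIX" here).
SAMPLE_CAPTURE = """\
10:01:02.100 ARP, Reply 10.10.10.1 is-at 00:11:22:aa:bb:01, length 28
10:01:02.150 ARP, Reply 10.10.10.1 is-at 00:50:54:ff:ee:02, length 28
10:01:05.300 ARP, Reply 10.10.10.5 is-at 00:0c:29:12:34:56, length 28
10:01:09.010 ARP, Reply 10.10.10.2 is-at 00:50:54:ff:ee:02, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)

def parse_arp_replies(text):
    """Return a list of (ip, mac) pairs from tcpdump-style ARP reply lines."""
    pairs = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def find_arp_conflicts(pairs, expected=None):
    """Report IPs answered by an unexpected MAC.

    expected: {ip: mac} for hosts whose MAC is known (e.g. the border router).
    Returns {ip: {unexpected_mac: [other IPs that MAC also answers for]}}.
    An IP with no expected entry is flagged only if several MACs claim it.
    """
    expected = {ip: mac.lower() for ip, mac in (expected or {}).items()}
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for ip, mac in pairs:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    findings = {}
    for ip, macs in ip_to_macs.items():
        if ip in expected:
            bad = macs - {expected[ip]}
        else:
            bad = macs if len(macs) > 1 else set()
        if bad:
            findings[ip] = {m: sorted(mac_to_ips[m] - {ip}) for m in sorted(bad)}
    return findings

if __name__ == "__main__":
    # Constructed: the border router is expected to own 10.10.10.1.
    replies = parse_arp_replies(SAMPLE_CAPTURE)
    print(find_arp_conflicts(replies, {"10.10.10.1": "00:11:22:aa:bb:01"}))
```

Running it on a real capture (`tcpdump -n arp` on the SPAN port) with the router's real MAC in `expected` shows immediately whether another device is answering for the gateway, and which IPs that device legitimately owns.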



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:43 GMT-3