DNS has nothing to do with this issue. This is strictly IP:

Current Issue:

[internal] --> [firewall] --> [PUBLIC] --> [router]
                                 |
                                [F5]

Troubleshooting:

Router
1. ping F5 from router on same subnet = good
2. verify arp entry on router for F5 = good

Firewall
1. ping F5 from firewall on same subnet = bad, no reply (ICMP is not being blocked)
2. look for arp entry on firewall for F5 = bad, no dynamic arp entries for F5. We can see other arp entries on the firewall.

NOTE -
There seems to be an ARPing issue between the F5 and the NOKIA IP 440. Since the Cisco router tested successfully, it appears the firewall may not be obtaining an ARP entry from the F5. All of these devices are sharing the same subnet, hence "local traffic". Therefore, there is no need to route in this situation because all devices are on the same subnet.

Workaround -
Add a host route on the firewall for a specific server on the same subnet and send traffic to the router. Because the router has an arp entry and knows how to reach that device, connectivity is successful. However, there is no need for static routes to make this connection work.

Question -
Why is the firewall not getting an ARP entry for the F5 on the same subnet?
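The troubleshooting notes above reduce to one forwarding decision on the firewall: for an on-link target the firewall must ARP for the target itself, while a host route pointing at the router makes it ARP for the router instead, which is why the workaround "works" without fixing anything. The following Python model of that decision is an added example, not part of the thread. The /26 and the .129 HSRP gateway come from the thread; the firewall's own .130 address, the .140 neighbour, the interface name and all MAC addresses are assumed, and the ARP table is constructed rather than captured from the IP440.

```python
import ipaddress
import re

# Constructed `arp -an`-style table for the firewall's public interface.
# Not output from the poster's IP440: addresses follow the thread
# (.129 = HSRP gateway, .161 = one of the servers behind the F5), the
# .140 host and every MAC are made up. The .161 entry is unresolved,
# matching what the troubleshooting notes report.
SAMPLE_ARP = """\
? (64.253.194.129) at 00:00:0c:07:ac:01 [ether] on eth1
? (64.253.194.140) at 00:d0:b7:aa:bb:cc [ether] on eth1
? (64.253.194.161) at <incomplete> on eth1
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>\S+)")

def parse_arp(text):
    """Return {ip: mac}; an <incomplete> entry maps to None."""
    table = {}
    for m in ARP_LINE.finditer(text):
        mac = m.group("mac")
        table[m.group("ip")] = None if mac.startswith("<") else mac
    return table

def next_hop(target, iface_cidr, routes):
    """Longest-prefix match over the connected network plus `routes`
    ({prefix: gateway}); a default route is expected to be present.
    Returns the address the firewall must ARP for: the target itself
    when it is on-link, otherwise the gateway of the matching route."""
    tgt = ipaddress.ip_address(target)
    table = {ipaddress.ip_interface(iface_cidr).network: None}
    table.update({ipaddress.ip_network(p): gw for p, gw in routes.items()})
    best = max((n for n in table if tgt in n), key=lambda n: n.prefixlen)
    return target if table[best] is None else table[best]

def diagnose(target, iface_cidr, routes, arp_text):
    """Say whether a ping from the firewall to `target` can leave the
    interface, and which ARP entry it depends on."""
    hop = next_hop(target, iface_cidr, routes)
    if parse_arp(arp_text).get(hop) is None:
        return "arp-failed-for-" + hop
    return "ok-direct" if hop == target else "ok-via-" + hop

if __name__ == "__main__":
    fw, gw = "64.253.194.130/26", "64.253.194.129"  # firewall address assumed
    routes = {"0.0.0.0/0": gw}
    print(diagnose("64.253.194.161", fw, routes, SAMPLE_ARP))
    routes["64.253.194.161/32"] = gw  # the poster's host-route workaround
    print(diagnose("64.253.194.161", fw, routes, SAMPLE_ARP))
```

The first call reports the ARP failure for the server itself; the second succeeds only because the /32 route redirects the lookup to the router's (resolved) entry, so the router, not the firewall, ends up ARPing for the F5.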
-----Original Message-----
From: Kant Narcisse
Sent: Friday, August 09, 2002 9:36 AM
To: Manny Jimenez
Subject: FW: [FW-1] Lost routes on my IP440
-----Original Message-----
From: Bill [mailto:[email protected]]
Sent: Thursday, August 08, 2002 8:26 PM
To: [email protected]
Subject: Re: [FW-1] Lost routes on my IP440
what you are saying does not make too much sense to me. you indicate that adding static host addresses (TO WHAT?!?) allowed your ping to work. that sounds like a name resolution problem and not a routing issue. i would check your dns systems and determine if they have been modified or something happened whereby they lost the settings for these hosts.

as far as routing issues....i see your network like this. you have an internal network which directly or indirectly connects to the firewall. the firewall has an interface with an ip address on the 64.253.194.128/26 network (or something like that). your servers are on that segment and you have 2 cisco routers which are your next hop to the internet. if this is the case, the nokia box can not lose the route to the network unless the interface goes down -- in which case you could not get to the internet. in any case, the default route would not matter in that case.

hope this helps
bill
----- Original Message -----
To: [email protected]
Sent: Thursday, August 08, 2002 9:58 AM
Subject: Re: [FW-1] Lost routes on my IP440
No I didn't block icmp. I believe I am having a problem between F5 and IP440. Possibly a dynamic ARP issue. The F5 is on the local public network of my external interface of my Firewalls.

If you can shed some light that would be greatly appreciated.
-----Original Message-----
From: Stephen Raymond [mailto:[email protected]]
Sent: Wednesday, August 07, 2002 6:54 PM
To: [email protected]
Subject: Re: [FW-1] Lost routes on my IP440
Could you browse to them? Maybe you elected to block icmp from those servers?
----- Original Message -----
To: [email protected]
Sent: Wednesday, August 07, 2002 10:06 AM
Subject: [FW-1] Lost routes on my IP440
My Firewall default gateway to the Internet is my HSRP IP address (64.253.194.129). I have 6 web servers outside the firewall that have public IP's from that same segment. From my internal network we were always able to ping the following IP's: 64.253.194.160, 161, 162, 163, 164, 165. From the outside our customers can hit these IP addresses but now from our internal network we cannot ping the public IP's. I had to add static host addresses to allow our folks internally to ping those IP's. I didn't have to do that in the past. It is as if I lost my routes on the firewall. Please advise because I have always been able to ping from both external & internal. The firewall's default gateway is allowing our internal folks to the Internet so why can't it ping the 6 IP's now? Has anyone seen this before?