-----BEGIN PGP SIGNED MESSAGE-----

A Cisco router will accept new ARP info before the old info ages out. The
issue that started this thread was the Resonate load balancing/failover
software; part of its functionality allows one machine to take over IP
addresses from another. This works with Sun, Linux, BSD*, AIX, HP, ..
machines and Cisco, 3com, ... routers but not with the PIX.

In this case reducing the ARP timeout is not nearly as good a solution,
because with gratuitous ARP, failover can happen in 5 seconds or less of a
machine going down; if you set the ARP timeout to such a low value you
will have far too many ARP broadcasts on your network.

David Lang

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
- -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

On Wed, 20 Jan 1999, Schaar, Norbert wrote:

> Date: Wed, 20 Jan 1999 16:14:28 +0100
> From: "Schaar, Norbert" <[EMAIL PROTECTED]>
> To: 'David Lang' <[EMAIL PROTECTED]>,
     "Schaar, Norbert" <[EMAIL PROTECTED]>
> Cc: rich <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Resonate and Pix
> 
> That's right, PIX ignores new MAC addresses until the entry in its ARP table
> ages out. From the point when the entry is gone, PIX will accept new ARP
> broadcast announcements and advertisements and update its table. So it's
> very important to reduce the value of the PIX arp timeout or manually delete
> the table through "clear arp".
> 
> By the way, any networking device has such a feature; for example a SUN
> SPARC's timeout is by default 300 seconds. So it always takes some minutes
> before your changed card or (in high availability) your new machine is able
> to send and receive packets.
> Possibly PIX is more stringent in ignoring some stuff on the wire, because
> of its nature as a firewall. But you can see the same behavior on any Cisco
> router and SUN Sparc server.
> 
> Anyhow, try it out with PIX and you will see it works.
> 
> Kind regards
> 
> Norbert Schaar
> Firewall Team - Network Security Services
> Dresdner Global IT Services - DreGIS
> Dresdner Bank AG
> 
> -----Original Message-----
> From: David Lang [mailto:[EMAIL PROTECTED]]
> Sent: Mittwoch, 20. Januar 1999 15:59
> To: Schaar, Norbert
> Cc: rich; [EMAIL PROTECTED]
> Subject: RE: Resonate and Pix
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> I may be wrong about this, but the way I understand it there is supposed
> to be the capability for a system to announce its IP address without
> waiting for a box to send an ARP request. The term I was told is a
> gratuitous ARP broadcast. Basically it boils down to the TCP/IP stack
> listening for all ARP broadcasts and updating its ARP table whenever it
> hears one. This mostly comes into play if you change a card in a machine
> or implement some sort of High-Availability failover. In these cases the
> MAC address changes for a given IP address. The machine broadcasts the
> new ARP info, but some machines (including, as I understand it, the PIX)
> ignore this.
> 
> David Lang
> 
> "If users are made to understand that the system administrator's job is to
> make computers run, and not to make them happy, they can, in fact, be made
> happy most of the time. If users are allowed to believe that the system
> administrator's job is to make them happy, they can, in fact, never be made
> happy." 
> - -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)
> 
> On Wed, 20 Jan 1999, Schaar, Norbert wrote:
> 
> > Date: Wed, 20 Jan 1999 09:39:49 +0100
> > From: "Schaar, Norbert" <[EMAIL PROTECTED]>
> > To: 'David Lang' <[EMAIL PROTECTED]>, rich <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Resonate and Pix
> > 
> > David,
> > 
> > there's an ARP config statement for PIX which defaults to:
> > 
> > arp timeout 14400
> > 
> > It means 14400 seconds or 4 hours. Fortunately, you can change the
> > timeout to a lower value, for example
> > 
> > arp timeout 300
> > 
> > to force PIX to forget MAC entries after 5 minutes.
> > 
> > What key TCP/IP function doesn't the PIX implement? If you use this box as
> > it is designed for, you shouldn't have any problems except for the
> > complexity of configuration of large rulebases and the lack of management
> > features.
> > 
> > Kind regards
> >  
> > Norbert Schaar
> > Firewall Team - Network Security Services
> > Dresdner Global IT Services - DreGIS
> > Dresdner Bank AG
> > 
> > -----Original Message-----
> > From: David Lang [mailto:[EMAIL PROTECTED]]
> > Sent: Dienstag, 19. Januar 1999 20:40
> > To: rich
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Resonate and Pix
> > 
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > 
> > I was just speaking with Resonate last Friday as they were going over my
> > network looking for problems. They were pleased to find that the PIX I
> > have was not going to be in front of the boxes using Central Dispatch.
> > According to them the PIX does not implement some key TCP/IP functions
> > needed to make things work. Apparently the Cisco LocalDirector used to
> > have the same problem until some large Cisco customer complained enough. I
> > believe it has to do with the PIX not accepting gratuitous ARP packets (I
> > know I have had problems with the PIX and its  s l o w  ARP refresh when I
> > have changed NICs in machines).
> > 
> > David Lang
> > 
> > "If users are made to understand that the system administrator's job is to
> > make computers run, and not to make them happy, they can, in fact, be made
> > happy most of the time. If users are allowed to believe that the system
> > administrator's job is to make them happy, they can, in fact, never be made
> > happy." 
> > - -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)
> > 
> > On Tue, 19 Jan 1999, rich wrote:
> > 
> > > Date: Tue, 19 Jan 1999 12:16:21 -0500
> > > From: rich <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: Resonate and Pix
> > > 
> > > Just curious if anyone has worked with or found workarounds for the
> > > problems encountered with Resonate software BEHIND a pix firewall.
> > > 
> > > thanks,
> > > r
> > > 
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > > 
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP for Personal Privacy 5.0
> > Charset: noconv
> > 
> > iQEVAwUBNqTfiz7msCGEppcbAQEMUwgAmALwMxwv15gA8tXJlvVSHNuyns1KwJLp
> > 30YLrZ4GaJG1BvmtKB5yZ7fm4/K5d6f/932ZTEscQoYJukVWV9fF88eLW0khaoU6
> > 3Mf/gBwqbwuzQLpeI81kukmgeZH/KA5yEzwGpKZbePSpKeC9GuUlPI/H6NR+uxHf
> > 8eBAl68oNYtGOrx0YqtxKYH9K3nuo3j+gYVX04jvZzGsvu92ciW3qGXN9tJtg+0M
> > X628vbZ6m5XS1Pps1d0bkxOaCxuoStNTv1sC0Be/4qdIDtQnHb6TPgE5linX7km7
> > QEJL6OyqqnFW5OQkXlYD0qie8kcISHjV6HDGhjexovEKBsqbFkhpLQ==
> > =KL99
> > -----END PGP SIGNATURE-----
> > 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.0
> Charset: noconv
> 
> iQEVAwUBNqXvQz7msCGEppcbAQHE4wf/Y6oKLIF5ZGcIAYSH+sqAvhp9eM0ZhJnA
> yiCk+wsu3UrKZVbAHHDUtRC2s3gcPMrA4Jn3IXzveAxRxm8h1XDNAp3NVAILapIP
> Cw66vsjVxWvT1OIf0mAd2L7TVa7wwcnsvOXH5P2QufWMhowdzWH4mx3NDPBnvmdw
> k3J6Ks7Lk9CjHZ7LAHfxIBffpYmBe0uV9R/orYdrakwungc8G0u+tLUqQrS16Ov6
> IzAP6EZZL2imlfMbLiUXKjPJ0FDEsXGxCfQlXWPFZYxkM0Eo0TgJiFOPFMZFvWf7
> 6Kc7yynRCkd5hxAwP7T6YsTxHwYoaE5J94ydd6m2kjEgnzRvLvtYAA==
> =TWg+
> -----END PGP SIGNATURE-----
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNqYoGT7msCGEppcbAQGIuwgArmwHOR3fXDZxGmUHgcVQ9cxYlXbgUEFW
kjoOerFzqlwGrII7umXEjGIVmUv6C2sVDgAopH3AuQYvJ6KtNCLjiImIA/EeYo9T
TMn/h+BMc8Qkew8SouLM5XeLvy2ZRG6Dhy06RKCiMDkhzZqFs4blwQb6t5UrCRvq
cX2PnPSxdxO5wqBM8ETavFjmQgHmaDJ2eAGUaKAMko328rn9xblBQicN1AgUb1gp
rlXkAdw+8eY6+ndTr6B13MVfgOPEiH+6J1JxuRFRSfcGKD/lTX5Vs1WseMQIDX9t
z7UYsN9VMhzDf3/0xfbrFWUxDnMcoqAg2EV0DpGTr4XFn2qnXQMFGQ==
=NyaK
-----END PGP SIGNATURE-----

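The thread turns on two things: what a gratuitous ARP frame actually looks like on the wire, and how the receiver's ARP cache policy decides whether the standby's announcement takes effect at once (the Cisco router behaviour David describes) or only after the old entry ages out (the PIX behaviour Norbert describes, with its default "arp timeout 14400"). The following is an added worked example, not code from the thread or from Resonate or Cisco. It builds and parses raw gratuitous ARP frames with struct, then simulates both cache policies against a constructed failover scenario; the IPs, MACs, the 100-second takeover time and the polling loop are assumptions made for the simulation.

```python
"""Gratuitous ARP frames and two ARP-cache learning policies.

Added example; addresses, MACs and timings below are constructed.
  update_on_any_arp=True  : a live entry is overwritten as soon as a
                            gratuitous ARP for that IP is seen (router behaviour)
  update_on_any_arp=False : an unsolicited ARP is ignored while the old entry
                            is still live; the new MAC is used only after the
                            entry ages out (PIX behaviour from the thread)
"""
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = b"\xff" * 6
ZERO_MAC = "00:00:00:00:00:00"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + RFC 826 ARP body (42 bytes), broadcast destination."""
    eth = struct.pack("!6s6sH", BROADCAST, _mac(sender_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4, op,  # hw=Ethernet, proto=IPv4, hlen=6, plen=4
        _mac(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        _mac(target_mac), ipaddress.IPv4Address(target_ip).packed,
    )
    return eth + arp


def gratuitous_arp(mac, ip, op=ARP_REQUEST):
    """'ip is at mac' announcement: sender IP == target IP.

    As a request the target MAC is all zeros; as a reply it repeats the
    sender's own MAC. Failover software uses either form.
    """
    return build_arp(op, mac, ip, ZERO_MAC if op == ARP_REQUEST else mac, ip)


def parse_arp(frame):
    """Decode an ARP frame; returns None for short frames or other EtherTypes."""
    if len(frame) < 42:
        return None
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    return {
        "op": op,
        "sender_mac": _mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": _mac_str(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
        "gratuitous": spa == tpa,
    }


class ArpCache:
    """ARP cache with a fixed entry lifetime (seconds) and a learning policy."""

    def __init__(self, timeout, update_on_any_arp):
        self.timeout = timeout
        self.update_on_any_arp = update_on_any_arp
        self.table = {}  # ip -> (mac, learned_at)

    def lookup(self, ip, now):
        entry = self.table.get(ip)
        if entry is None or now - entry[1] >= self.timeout:
            return None  # unknown or aged out: a real stack would send a request
        return entry[0]

    def observe(self, frame, now):
        """Feed a frame seen on the wire; returns True if the table changed."""
        pkt = parse_arp(frame)
        if pkt is None:
            return False
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if self.lookup(ip, now) is None or self.update_on_any_arp:
            self.table[ip] = (mac, now)
            return True
        return False  # live entry kept, announcement ignored


def failover_delay(timeout, update_on_any_arp, takeover_at=100):
    """Seconds from the standby's gratuitous ARP until the cache uses its MAC.

    Constructed scenario: primary (..:01) learned at t=0; standby (..:02)
    takes over the VIP at t=takeover_at and announces it. Polls once per
    second; on a cache miss the standby answers the resulting ARP request.
    """
    vip, gw = "192.0.2.10", "192.0.2.1"
    cache = ArpCache(timeout, update_on_any_arp)
    cache.observe(build_arp(ARP_REPLY, "02:00:00:00:00:01", vip,
                            "02:00:00:00:00:99", gw), now=0)
    cache.observe(gratuitous_arp("02:00:00:00:00:02", vip), now=takeover_at)
    for t in range(takeover_at, takeover_at + timeout + 2):
        if cache.lookup(vip, t) is None:
            cache.observe(build_arp(ARP_REPLY, "02:00:00:00:00:02", vip,
                                    "02:00:00:00:00:99", gw), now=t)
        if cache.lookup(vip, t) == "02:00:00:00:00:02":
            return t - takeover_at
    return None


if __name__ == "__main__":
    print("router, any timeout  :", failover_delay(14400, True), "s")
    print("PIX, arp timeout 14400:", failover_delay(14400, False), "s")
    print("PIX, arp timeout 300  :", failover_delay(300, False), "s")
```

The simulation reproduces the trade-off in the thread: with the router policy the takeover is effective immediately, while with the PIX policy the delay is whatever is left of the old entry's lifetime, so lowering "arp timeout" shortens the outage only at the cost of more ARP traffic, and "clear arp" at failover time is the other way out. The same update-on-any-ARP policy that gives instant failover is also exactly what makes ARP spoofing on a shared segment trivial, which is consistent with Norbert's remark that a firewall is more stringent about what it accepts from the wire.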