ARP "issue" when using more than one subnet

I have detected the following behaviour on the cable. I guess it is a bug, but I would appreciate your comments about it.

It happens both with v2.0 and v2.1.

Two subnets are used: 192.168.4.0 and 192.168.5.0.

Subnet 1 is config'd as: WLAN3, Port 5 (only), 192.168.4.1/24 and NO dhcp.

Subnet 2 is config'd as: WLAN4, Port 6 (only), 192.168.5.1/24 and NO dhcp.

A Win XP (or 2K, or Linux, it does not matter) PC is configured to have 2 IP addresses on the same NIC, on the same two WS2k subnets, i.e., 192.168.4.100/24 and 192.168.5.100/24. Our customer has a Linux Firewall and wants to run this configuration.

Both Ports and the PC are connected to a switch (no VLANs).

When pinging both 192.168.4.1 and 192.168.5.1 from the PC, sometimes both respond, sometimes one stops, sometimes both do stop.

I noticed this on the PC:


C:>arp -a

Interface: 192.168.4.100 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.4.1           00-a0-f8-5e-c7-47     dynamic
  192.168.5.1           00-a0-f8-5e-c7-47     dynamic

Both IPs have the same MAC!

When working, I see this instead:


C:>arp -a

Interface: 192.168.4.100 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.4.1           00-a0-f8-5e-c7-46     dynamic
  192.168.5.1           00-a0-f8-5e-c7-47     dynamic

Each IP has its right MAC.

Then I took a trace (please find attached), and I found that ARP requests from the PC may be answered by the other Port!

If the right one happens to reply, it works. If the wrong one does, it does not work.

By the way, if one of the cables is unplugged, and we ping its Port, the wrong port replies.

I guess that it makes sense that if many ports are set to the same subnet, any of them may reply to ARP requests. But if Ports are set to different subnets that should not happen.

That's why I think it is a bug.

What do you think about it?
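As an added check that is not part of the original post: the symptom above is visible in the host's ARP table, so a small parser can flag it. The script below reads the Windows `arp -a` and Linux `arp -n` listing formats quoted in this thread (the sample tables are constructed from those listings) and reports any MAC that answers for addresses in more than one /24, which is exactly the "same MAC for both gateways" state described above.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: the Windows 'arp -a' listing from the post above (failing state).
WINDOWS_ARP = """\
Interface: 192.168.4.100 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.4.1           00-a0-f8-5e-c7-47     dynamic
  192.168.5.1           00-a0-f8-5e-c7-47     dynamic
"""

# Constructed sample in the Linux 'arp -n' format shown later in the thread (healthy state).
LINUX_ARP = """\
192.168.130.1           ether   00:A0:F8:5E:C7:47   C                     eth1
192.168.129.1           ether   00:A0:F8:5E:C7:45   C                     eth1
"""

# One ARP entry: IPv4 address, optional Linux "ether" hardware-type column, then the MAC.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(?:ether\s+)?"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)


def parse_arp(text):
    """Return {ip: mac} from Windows 'arp -a' or Linux 'arp -n' output.

    Header lines ("Interface: ...", column titles) do not match and are skipped.
    MACs are normalised to lower-case, colon-separated form so both OSes compare equal.
    """
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def shared_mac_across_subnets(table, prefix=24):
    """Return {mac: [ips]} for every MAC that answers for IPs in more than one /prefix.

    A router with one interface per subnet should show a distinct MAC per gateway IP;
    one MAC covering several subnets means a single interface is answering ARP for all.
    """
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    suspicious = {}
    for mac, ips in by_mac.items():
        nets = {ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
        if len(nets) > 1:
            suspicious[mac] = sorted(ips, key=ip_address)
    return suspicious
```

Feed it the live output of `arp -a` (Windows) or `arp -n` (Linux) and an empty result means every gateway address is backed by its own MAC.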

David Parades
I have this issue too.


Juan-Antonio Ma...
More tests have shown that it does not work with RF devices either.

Anyway, I have been told it is a known old issue.

I will tell the customer to do it somehow else, with the WAN interface.



Afshin Mansoorieh
I set up a ws2000 (2.1) to simulate your configuration. It seems to be working OK for me, unless I've missed something. The attached document shows a ping session to the .5 IP address and the GUI on the .4 address.
I've also included pictures of the subnets, route table and the IP addresses on my laptop.
In my arp table I have two distinct MAC addresses for the Switch's two IP addresses.

afshin,


Juan-Antonio Ma...
Thanks a lot!

Did you ping both 192.168.4.1 and 192.168.5.1 at the same time from the PC?

For a certain while (more than one minute)?

The only difference I can see is that you did not assign any WLAN to both subnets as I did. Just physical ports, P5 and P6.

Also, did you test v2.1 ...or v2.1.1 ?



Afshin Mansoorieh
I added a wireless LAN to each subnet and ran the ping for about 5 minutes, no problem.
My switch has 2.1...35R on it.

I think the main clue is the fact that you are seeing the same MAC address for both IP addresses.
That suggests that one interface of the ws2000 is acting as the default gateway for the PC and is routing the ICMP packets.

I would make sure that the PC has NO default gateway set on it and that there are no static routes on the ws2000.

afshin,


Sriram Venkiteswaran
This was a known issue with V2.0 and V2.1. We confirmed it here.

This has been fixed and will be available in 2.1.1 version.

Rgds,
- Sriram


Juan-Antonio Ma...
So, my next question, as you would have expected, is: when will 2.1.1 be available?

Actually, I need it too for a customer with Cisco switches.

Thanks!



Subramani Jagadeesan
Hi Jam,

The tentative time frame of the 2.1.1 maintenance release is 3rd week of June 2006 (this month).

Regards,

Subbu



Anonymous (not verified)
I have opened case # 1214269 but it was closed. Explanation is "the issue is by design". So I've opened GRIP# 4153.

I can ping the interface of each subnet from the other subnet. Also, with a terminal connected to the WLAN in subnet 2, I was able to telnet to the interface of subnet 1, even with all traffic closed between subnets in the firewall.

Of course customer sees it as a major security issue. Up to now telnet can be avoided but not the pings.

Can we explain it to the customer as a feature required for administration of the WS from both subnets? I'm using v2.1.1.0009.

Regards,



Anil Bhaskarwar
Hi:

We tested this issue and were not able to reproduce it in 2.1.1 9R, nor in 2.2 21R.

Yes; from another subnet (say Subnet 2) we will continue (for administrative purposes) to allow packets to reach only the interface of the other subnet (say Subnet 1), and not any client of the other subnet (Subnet 2 in this example), when the firewall is blocking packets between Subnet 2 and Subnet 1.

See Priyanka’s comment who had tested this, below.


Anil B

Manager-ESS (WID)

From: Sogani, Priyanka
Sent: Monday, September 04, 2006 12:49 PM
To: Bhaskarwar, Anil
Subject: RE: SEVT-WID: ARP "issue" when using more than one subnet - New Post Notification


Hello Anil


The following are the updates for the ARP issue testing:

a) The arp issue in which we get same MAC address for two different subnet interfaces is not reproducible in 2.2-21R and 2.1.1-9R.

b) And the issue that a subnet client can ping to another subnet interface even when firewall has blocked all packets between the two subnets is reproducible in 2.1.1-09R and 2.2-21R. (I doubt whether it’s an issue as this is required for WS2k administration.)



Juan-Antonio Ma...
Before 2.1.1 was released, I "convinced" my customer to use the WAN interface to manage the rest of the LANs/WLANs from a single IP point.
Everything has been fine so far, until they had the need to initiate traffic from WAN to LAN. This is always blocked by the firewall, regardless of the rules set. One can initiate LAN->WAN, but not WAN->LAN. This is normal, given the design of the ws2k.
So, we went back to this first configuration that did not work on 2.0, but was fixed on 2.1.1. We installed 2.1.1.0-009R.

It still does not work.

So I reproduced this at the office:
On one side, a Linux box with two IP addresses, 192.168.129.2 and 192.168.130.2 on a single ethernet card. This NIC is connected to a port on a Cisco 2950 switch.
On the other side, I set two LANs on the ws2k, LAN1 has 192.168.129.1 and LAN2 has 192.168.130.1. Port5 is assigned to LAN1 and port6 is to LAN2.
I connect both port5 and port6 to the same Cisco 2950 switch.
So, this switch has 3 cables connected to, one from the linux box, and two from the ws2k.
I ping LAN1 (192.168.129.1) from Linux, and sometimes it does not respond. I also ping LAN2 (192.168.130.1) from Linux, and sometimes it does not respond either. Anyway, it usually starts fine, but after a minute or so it stops and then restarts, and so on. Tests must therefore take at least a couple of minutes.
If one of the pings works, the other fails, systematically.

But MAC issue is solved now!

192.168.130.1           ether   00:A0:F8:5E:C7:47   C                     eth1
192.168.129.1           ether   00:A0:F8:5E:C7:45   C                     eth1

It still fails, but not for the former reason. This is another reason.
Of course, if I unplug one of the cables, the other starts working fine!
The firewall is enabled, yet I do not think this has anything to do with it.
Any idea?
Can somebody reproduce this and test for a while?

Fyi, as per a previous suggestion, I have disabled all of the manual routes and the WAN interface too:

admin(network.router)>show routes
-------------------------------------------------------------------------------
index  destination      netmask          gateway          interface   metric
-------------------------------------------------------------------------------
1      192.168.130.0    255.255.255.0    0.0.0.0          subnet4     0
2      192.168.129.0    255.255.255.0    0.0.0.0          subnet2     0

admin(network.router)>list
-------------------------------------------------------------------------------
index  destination      netmask          gateway          interface   metric
-------------------------------------------------------------------------------



Juan-Antonio Ma...
I installed v 2.2...21R and now communication is fine!
I can ping from the Linux box simultaneously to both LAN1 and LAN2 addresses without any problem.

...but another problem has arisen!

LAN1 is a DHCP server to provide addresses to RF devices connected to WLAN1. Its IP is 192.168.11.1 and the pool ranges from 192.168.11.100 to 192.168.11.150.
WAN is connected to a network where there is another DHCP server (NOT the linux box), on 192.168.30.0 LAN. (WAN is 192.168.30.53 actually).
Both LAN1 and WAN are connected to a switch which connects to the linux box.

So LAN1 and WAN share the same BC domain, yet they are on different IP subnets.

First, a device attached to WLAN1 gets an IP address from the server which is on the WAN side (i.e., 192.168.30.203). No matter if the server uses UNICASTs to offer and to respond to client DHCP requests. Strange... but I can live with this.

Second, and strangest, one can ping the unit from the Linux box (Linux has 192.168.30.2 IP address). WAN is unplugged. Only LAN1 is connected. So, on LAN1 port, ws2000 should ignore all traffic not belonging to 192.168.11.0, should it not? Especially ARPs with wrong IP addresses.

Besides, the Firewall is enabled, and all of the cross traffic is disabled.

Yet, if I ping WAN IP (192.168.30.53) it does not respond (remember, it is not connected).

Any idea?



Subramani Jagadeesan
Hi JAM,


Please open an SPR for this issue. We will target the fix into next maintenance release. The schedule for the maintenance release is not yet known at this point.

Please send all your queries on this issue directly to me at subramani.jagadeesan@symbol.com


Regards,

Subbu
