
ARP responses for non-existing hosts


Hi,

Wondering if anyone would have an explanation for what we are seeing in the network scan results. We recently replaced our aging firewall with a Cisco FirePower. Older firewall didn't exhibit this behavior.

So here is what's happening.

If we run a network scan (using Advanced Port Scanner tool) WHILE connected to the network via VPN we are seeing 256 live hosts, while there is only a handful of live hosts. Wireshark capture on the VPN interface reveals that the network scan tool is sending out ARP broadcasts and getting ARP responses for every single IP of the subnet being scanned.

What's interesting is that all ARP responses come from the 00:11:22:33:44:55 MAC address assigned to the VPN interface of the FirePower.

Running the same scan from any of the systems on the 192.168.50.0 network LOCALLY shows live hosts only. Also, if we run a scan across VLANs (FirePower is the default gateway) we get responses ONLY from live hosts. It seems that the only way to reproduce this behavior, where we see responses from DEAD hosts, is to scan across the VPN tunnel.

VPN Pool: 10.1.20.0/24
VPN Gateway: 10.1.20.1
Subnet Being Scanned: 192.168.50.0/24

Would greatly appreciate it if someone could comment on this behavior.


net_tech
asked 2020-03-03 15:54:07 +0000, updated 2020-03-03 16:13:15 +0000

Comments

What do the interface list and route table show on the VPN client when the VPN is active?

Chuckc (2020-03-04 06:29:38 +0000)

Interface List

 22...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
  8...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN50
 10...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN8
 17...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN6
 21...60 57 18 c0 97 d0 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 12...62 57 18 c0 97 cf ......Microsoft Wi-Fi Direct Virtual Adapter #3
  6...00 ff 3c fc 7d a7 ......TAP-Windows Adapter V9
 14...60 57 18 c0 97 cf ......Intel(R) Dual Band Wireless-AC 7265
  1...........................Software Loopback Interface 1

net_tech (2020-03-04 12:05:59 +0000)

IPv4 Route Table

Active Routes:

Network Destination Netmask             Gateway         Interface       Metric
0.0.0.0             0.0.0.0             192.168.20.254  192.168.20.122  50
10.1.1.0            255.255.255.0       10.1.20.1       10.1.20.11      2
10.1.1.50           255.255.255.255     10.1.20.1       10.1.20.11      2
10.1.20.0           255.255.255.0       On-link         10.1.20.11      257
10.1.20.11          255.255.255.255     On-link         10.1.20.11      257
10.1.20.255         255.255.255.255     On-link         10.1.20.11      257
10.1.31.0           255.255.255.0       10.1.20.1       10.1.20.11      2
76.185.167.85       255.255.255.255     192.168.20.254  192.168.20.122  51
127.0.0.0           255.0.0.0           On-link         127.0.0 ...

net_tech (2020-03-04 12:08:51 +0000)

Was the capture done external to the VPN client?
Based on the route entry 192.168.50.0 255.255.255.0 10.1.20.1 10.1.20.11 2, I would have expected the ARP to be for 10.1.20.1, not the 192.168.50.50 in the pcap.

Since the ARP is coming from the Cisco AnyConnect interface (00 05 9a 3c 7a 00) and the response is from the VPN interface (00:11:22:33:44:55), maybe it's a question for https://community.cisco.com/

Chuckc (2020-03-04 14:58:58 +0000)

The capture was done on the VPN client.

I only included 2 packets in the attached capture, but the full capture has ARPs from all 192.168.50.0/24 IPs.

There shouldn't have been an ARP from 192.168.50.50, as there is no host at that IP.

net_tech (2020-03-04 16:09:26 +0000)

2 Answers


Are you sure that the ARP responses really came in through the VPN tunnel? In other words: is it possible that a VPN driver injected the ARP packets?

I would expect that the VPN software would use at least a 30-bit netmask, maybe longer. Also, I hope that your VPN does not try to emulate a broadcast network over the link.

Eddi
answered 2020-03-06 20:03:20 +0000
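One way to test Eddi's hypothesis against a capture is to look at who answers the ARP requests: a single MAC replying for an entire /24, as the question reports for 00:11:22:33:44:55, is the signature of a proxy-ARP style responder or of replies generated locally by the adapter, and it never happens for a normal host. The check below is an added example, not code from this thread, from Cisco or from the Advanced Port Scanner tool; the frames are constructed inline from the thread's addresses, and the second "real host" MAC (aa:bb:cc:dd:ee:ff) is an assumption.

```python
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806  # EtherType for ARP
ARP_OP_REPLY = 2       # ARP opcode "is-at"

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build one raw Ethernet + ARP reply frame (only used to construct sample input)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp_replies(frames):
    """Return [(sender_mac, sender_ip), ...] for every well-formed ARP reply in raw frames."""
    replies = []
    for f in frames:
        if len(f) < 42 or struct.unpack("!H", f[12:14])[0] != ETH_TYPE_ARP:
            continue
        _, _, hlen, plen, op = struct.unpack("!HHBBH", f[14:22])
        if op != ARP_OP_REPLY or hlen != 6 or plen != 4:
            continue
        mac = ":".join(f"{b:02x}" for b in f[22:28])
        ip = ".".join(str(b) for b in f[28:32])
        replies.append((mac, ip))
    return replies

def suspicious_responders(replies, threshold=8):
    """Map each MAC that answered ARP for more than `threshold` distinct IPs to that count.
    One MAC claiming a whole subnet means the replies are not coming from individual
    hosts: a proxy-ARP responder or, as in this thread, the VPN adapter answering itself."""
    claimed = defaultdict(set)
    for mac, ip in replies:
        claimed[mac].add(ip)
    return {mac: len(ips) for mac, ips in claimed.items() if len(ips) > threshold}

# Constructed sample: the client (AnyConnect MAC and 10.1.20.11 from the thread) gets a
# reply for every address in 192.168.50.0/24 from the firewall's VPN-interface MAC, plus
# one reply from a made-up real host's own MAC (an assumption, not from the capture).
CLIENT_MAC, CLIENT_IP = bytes.fromhex("00059a3c7a00"), bytes([10, 1, 20, 11])
FW_VPN_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [build_arp_reply(FW_VPN_MAC, bytes([192, 168, 50, h]), CLIENT_MAC, CLIENT_IP)
                 for h in range(1, 255)]
SAMPLE_FRAMES.append(build_arp_reply(bytes.fromhex("aabbccddeeff"), bytes([192, 168, 50, 10]),
                                     CLIENT_MAC, CLIENT_IP))

def analyse_sample():
    """Responders in the sample that answer for (nearly) the whole subnet."""
    return suspicious_responders(parse_arp_replies(SAMPLE_FRAMES))
```

Running the same function over frames captured on the firewall side, as net_tech did, and finding no such responder there confirms the replies are generated on the client and never cross the tunnel.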

Comments

Eddi,

I think you are on to something. Based on your comment I started captures on the Firewall itself and VPN client while running another port scan. ARPs don't seem to be going over the tunnel. The ARP responses I am seeing on the client side may indeed be injected or generated by the AnyConnect VPN adapter itself.

Thanks

net_tech (2020-03-06 23:04:48 +0000)

Maybe Proxy ARP is on?

Packet_vlad
answered 2020-03-03 16:14:53 +0000

Comments

No, I have no-proxy-arp at the end of the NAT statement:

nat (any,outside) source static internal_subnets internal_subnets destination static vpn_pool vpn_pool no-proxy-arp

net_tech (2020-03-04 01:27:06 +0000)
