Random IPsec/Arp issue?

Solved
anonadmin
Conversationalist

Random IPsec/Arp issue?

Communication from (192.168.100.253) fails to device (192.168.20.99) over IPSec tunnel.

 

Other devices (192.168.20.10) respond no problem.

 

Cisco ISR4331 to MX67

 

Packet capture shows the ICMP request makes it to 192.168.20.99

 

Device 192.168.20.99, sends out ARP broadcast for 192.168.100.253

 

MX gateway does not respond back with ARP reply, as it does not seem to have 192.168.100.253 in it's ARP table.

 

Thus no ICMP reply is generated from device 192.168.20.99.

 

What on earth is going on here? Why is this an issue for this device, but not other devices on the same subnet?

 

Thanks!

 

1 Accepted Solution
Bruce
Kind of a big deal

Assuming these are all /24 subnets the the 192.168.20.99 device shouldn’t be ARPing for 192.168.100.253, it should be ARPing for the gateway address. I’d get the subnet mask and default gateway configuration on 192.168.20.99 checked.

View solution in original post

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal

Does 192.168.20.99 have Windows Firewall enabled?  If so, try disabling it temporarily.

anonadmin
Conversationalist

Hey Phil , thanks for the response. This device is an NVR, so it's possible there is some kinda ACL turned on. Unfortunately, i have no access to the device and am working with counter parts in India who do, but they are all asleep at the moment.

 

I did have that thought but the ARP request threw me off. I suppose even if there was some kinda ACL blocking communication on the device it would still attempt to perform an ARP look up after it received an ICMP request ?

Bruce
Kind of a big deal

Assuming these are all /24 subnets the the 192.168.20.99 device shouldn’t be ARPing for 192.168.100.253, it should be ARPing for the gateway address. I’d get the subnet mask and default gateway configuration on 192.168.20.99 checked.

anonadmin
Conversationalist

Yes i believe you are correct. The fact that it's arp'ing for the destination IP of the actual device which is on a different network would seem to indicate that it believes it's self to be on the same network. Will have them check their SM and GW, thanks!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels