Bad ARP from dual-NIC Linux

J. Westfall jimbo1@u.washington.edu
Sat Dec 4 05:46:47 1999


I think I can verify this somewhat.  We have a Linux (2.2.11) box at my
house that has one eepro100 NIC and one 3Com NIC set up to do IP masq.  On
my FreeBSD box I get notices about the static IP on the Linux box changing
MAC addresses.  

arp: <ip> moved from 00:a0:c9:49:8a:2c to 00:60:97:df:b7:c7 on fxp0
arp: <ip> moved from 00:a0:c9:49:8a:2c to 00:60:97:df:b7:c7 on fxp0
arp: <ip> moved from 00:60:97:df:b7:c7 to 00:a0:c9:49:8a:2c on fxp0
arp: <ip> moved from 00:a0:c9:49:8a:2c to 00:60:97:df:b7:c7 on fxp0
arp: <ip> moved from 00:a0:c9:49:8a:2c to 00:60:97:df:b7:c7 on fxp0
arp: <ip> moved from 00:a0:c9:49:8a:2c to 00:60:97:df:b7:c7 on fxp0

00:60:97:DF:B7:C7 is the correct MAC for the IP.  I usually get about 15
of these messages a day.  

Jim Westfall

On Fri, 3 Dec 1999, Jim Irving wrote:

> I'm hoping someone can help with a nagging problem that may have
> something to do with my eepro100 cards and drivers. I have a Dell
> PowerEdge 4300 running RedHat Linux 6.0 (2.2 kernel?) with two
> single-port eepro100 NICs. One connects to the Internet side of our
> firewall and one is on our LAN. A gateway/firewall router with two
> Ethernet ports is similarly connected. Our internal IP addresses are
> isolated from the Internet by the router, which performs NAT (net
> address translation) on outgoing requests.
> 
> The problem: Entries appear in the router's ARP table that associate the
> MAC address of the Linux server's LAN-side NIC with the server's
> Internet-side IP address. These entries indicate that it is accessible
> through the router's Internet-side Ethernet interface. This happens for
> both of two IP addresses that the server's Internet-side NIC is set to
> respond to.
> 
> This prevents us from accessing the Linux server's public interface from
> inside our LAN. I can delete the offending ARP entries on the router and
> fix it temporarily, but the bad entries always reappear, typically after
> twenty minutes (the expire time for the router's ARP entries) or so.
> 
> Based on what I know about ARP (not much), the router knows by the
> destination IP address that the ARP request should be issued on its
> Internet-side interface. The request is handled by the Linux server's
> eepro100 driver software, not by Linux in some higher level software. It
> seems that the faulty information might originate either in the router's
> request or in the Linux NIC's response.
> 
> A router tech told me (predictably?) that the problem is on the Linux
> side. I guess I need to do some packet analysis, but I don't have much
> experience or tools for this. Does anyone out there run a similar
> dual-port Linux configuration? Any info about where or how to look for
> the cause would be much appreciated.
> 
> --
> Jim Irving, Manager of Information Technology
> Hornblower Yachts, Inc., San Francisco CA
> jirving@hornblower.com
> 
> 
>
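
As an added example (not part of the original thread), a small Python script that parses the FreeBSD `arp: ... moved from ... to ...` messages quoted in the reply above and flags any IP that flaps back and forth between MAC addresses, which separates this dual-NIC behaviour from a one-time NIC replacement. The syslog prefix, the 192.0.2.x addresses and the second, non-flapping entry are constructed; the MAC addresses and `fxp0` in the first entry are the ones from the post.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# FreeBSD kernel message format as quoted in the post:
#   arp: <ip> moved from <old-mac> to <new-mac> on <interface>
MOVED = re.compile(
    rf"arp: (?P<ip>\S+) moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<ifc>\S+)",
    re.IGNORECASE,
)

# Constructed sample input: timestamps, hostnames and IPs are made up.
SAMPLE = """\
Dec  3 09:12:01 bsd /kernel: arp: 192.0.2.10 moved from 00:a0:c9:49:8a:2c to 00:60:97:df:b7:c7 on fxp0
Dec  3 11:40:17 bsd /kernel: arp: 192.0.2.10 moved from 00:a0:c9:49:8a:2c to 00:60:97:df:b7:c7 on fxp0
Dec  3 13:05:44 bsd /kernel: arp: 192.0.2.10 moved from 00:60:97:df:b7:c7 to 00:a0:c9:49:8a:2c on fxp0
Dec  3 13:06:02 bsd /kernel: arp: 192.0.2.10 moved from 00:a0:c9:49:8a:2c to 00:60:97:df:b7:c7 on fxp0
Dec  3 14:00:00 bsd sshd[211]: unrelated line that must be ignored
Dec  3 15:30:09 bsd /kernel: arp: 192.0.2.20 moved from 00:10:5a:00:00:01 to 00:10:5a:00:00:02 on fxp0
""".splitlines()

def summarize_moves(lines):
    """Group 'moved' events per (ip, interface) and flag flapping entries."""
    events = defaultdict(list)
    for line in lines:
        m = MOVED.search(line)
        if m:
            events[(m["ip"], m["ifc"])].append((m["old"].lower(), m["new"].lower()))
    report = {}
    for key, moves in events.items():
        report[key] = {
            "moves": len(moves),
            "macs": sorted({mac for pair in moves for mac in pair}),
            # Flapping: the IP moved A->B and also B->A, so both MACs keep
            # answering for it (two NICs of one host, or a second claimant).
            "flapping": any((new, old) in moves for old, new in moves),
            "current": moves[-1][1],  # MAC the cache held after the last move
        }
    return report

if __name__ == "__main__":
    for (ip, ifc), info in summarize_moves(SAMPLE).items():
        state = "FLAPPING" if info["flapping"] else "changed once"
        print(f"{ip} on {ifc}: {state}, {info['moves']} moves, MACs {info['macs']}")
```

The pattern accepts any non-whitespace token in the address position, so it also matches the redacted `<ip>` lines exactly as they appear in the post.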