Ask Your Question
0

ARP responses for non existing hosts

asked 2020-03-03 15:54:07 +0000

net_tech gravatar image

updated 2020-03-03 16:13:15 +0000

Hi,

Wondering if anyone would have an explanation for what we are seeing in the network scan results. We recently replaced our aging firewall with a Cisco FirePower. Older firewall didn't exhibit this behavior.

So here is what's happening.

If we run a network scan (using Advanced Port Scanner tool) WHILE connected to the network via VPN we are seeing 256 live hosts, while there is only a handful of live hosts. Wireshark capture on the VPN interface reveals that the network scan tool is sending out ARP broadcasts and getting ARP responses for every single IP of the subnet being scanned.

What's interesting is that all ARP responses come from the 00:11:22:33:44:55 MAC address assigned to the VPN interface of the FirePower.

Running the same scan from any of the systems on 192.168.50.0 network LOCALLY shows live hosts only. Also If we run a scan across VLAN (FirePower is a default gateway) we get responses ONLY from live hosts. It seems that the only way to reproduce this behavior where we see responses from DEAD hosts is to scan across the VPN tunnel.

VPN Pool 10.1.20.0/24 VPN Gateway 10.1.20.1 Subnet Being Scanned: 192.168.50.0/24

Would greatly appreciate if someone could comment on this behavior

pcapng_file

edit retag flag offensive close merge delete

Comments

What do the interface list and route table show on the VPN client when the VPN is active?

Chuckc gravatar imageChuckc ( 2020-03-04 06:29:38 +0000 )edit

Interface List

 22...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
  8...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN50

 10...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN8

 17...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN6

 21...60 57 18 c0 97 d0 ......Microsoft Wi-Fi Direct Virtual Adapter #2

 12...62 57 18 c0 97 cf ......Microsoft Wi-Fi Direct Virtual Adapter #3

  6...00 ff 3c fc 7d a7 ......TAP-Windows Adapter V9

 14...60 57 18 c0 97 cf ......Intel(R) Dual Band Wireless-AC 7265

  1...........................Software Loopback Interface 1
net_tech gravatar imagenet_tech ( 2020-03-04 12:05:59 +0000 )edit

IPv4 Route Table

Active Routes:

Network Destination Netmask             Gateway         Interface       Metric

0.0.0.0             0.0.0.0             192.168.20.254  192.168.20.122  50
10.1.1.0            255.255.255.0       10.1.20.1       10.1.20.11      2
10.1.1.50           255.255.255.255     10.1.20.1       10.1.20.11      2
10.1.20.0           255.255.255.0       On-link         10.1.20.11      257
10.1.20.11          255.255.255.255     On-link         10.1.20.11      257
10.1.20.255         255.255.255.255     On-link         10.1.20.11      257
10.1.31.0           255.255.255.0       10.1.20.1       10.1.20.11      2
76.185.167.85       255.255.255.255     192.168.20.254  192.168.20.122  51
127.0.0.0           255.0.0.0           On-link         127.0.0 ...
(more)
net_tech gravatar imagenet_tech ( 2020-03-04 12:08:51 +0000 )edit

Was the capture done external to the VPN client?
Based on the route entry 192.168.50.0 255.255.255.0 10.1.20.1 10.1.20.11 2 I would have expected the ARP to be for 10.1.20.1 not the 192.168.50.50 in the pcap.

Since the ARP is coming from the Cisco AnyConnect interface (00 05 9a 3c 7a 00) and the response is from the VPN interface (00:11:22:33:44:55) maybe its a question for https://community.cisco.com/

Chuckc gravatar imageChuckc ( 2020-03-04 14:58:58 +0000 )edit

The capture was done on the VPN client.

I only included 2 packets in the attached capture, but the full capture has ARPs from all 192.168.50.0/24 IPs

There shouldn't have been an ARP from 192.168.50.50 as there is no host at that IP

net_tech gravatar imagenet_tech ( 2020-03-04 16:09:26 +0000 )edit
see more comments

2 Answers

Sort by ยป oldest newest most voted
2

answered 2020-03-06 20:03:20 +0000

Eddi gravatar image

Are you sure that the ARP responses really came in through the VPN tunnel? In other words: Is it possible, that a VPN driver injected the ARP packets?

I would expect, that the VPN software would use at least a 30 bit netmask, maybe longer. Also I hope, that your VPN does not try to emulate a broadcast-network over the link.

edit flag offensive delete link more

Comments

Eddi,

I think you are on to something. Based on your comment I started captures on the Firewall itself and VPN client while running another port scan. ARPs don't seem to be going over the tunnel. The ARP responses I am seeing on the client side may indeed be injected or generated by the AnyConnect VPN adapter itself.

Thanks

net_tech gravatar imagenet_tech ( 2020-03-06 23:04:48 +0000 )edit
add a comment
1

answered 2020-03-03 16:14:53 +0000

Packet_vlad gravatar image

Maybe Proxy ARP is on?

edit flag offensive delete link more

Comments

no, I have no-proxy-arp at the end of the NAT statement

nat (any,outside) source static internal_subnets internal_subnets destination static vpn_pool vpn_pool no-proxy-arp

net_tech gravatar imagenet_tech ( 2020-03-04 01:27:06 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-03-03 15:54:07 +0000

Seen: 1,566 times

Last updated: Mar 06 '20

Related questions

Monitoring UDP data on wireshark shows ARP packet

Gateway keeps flooding the network with arp requests

display ARP and ICMP only

Is this source malicious?

Target Machine keeps losing connectivity when running a arpspoof/ettercat against it

tshark packet data not displaying

Protocol Hierarchy to analyze

ARP protocol in Handover

ARP Delay when pinging a local machine

graph for arps per second