
ARP responses for non-existing hosts

asked 2020-03-03 15:54:07 +0000 by net_tech

updated 2020-03-03 16:13:15 +0000


Wondering if anyone would have an explanation for what we are seeing in the network scan results. We recently replaced our aging firewall with a Cisco FirePower. The older firewall didn't exhibit this behavior.

So here is what's happening.

If we run a network scan (using the Advanced Port Scanner tool) WHILE connected to the network via VPN, we see 256 live hosts, while there are only a handful of live hosts. A Wireshark capture on the VPN interface reveals that the network scan tool is sending out ARP broadcasts and getting ARP responses for every single IP of the subnet being scanned.

What's interesting is that all ARP responses come from the 00:11:22:33:44:55 MAC address assigned to the VPN interface of the FirePower.

Running the same scan from any of the systems on the network LOCALLY shows live hosts only. Also, if we run a scan across VLANs (the FirePower is the default gateway), we get responses ONLY from live hosts. It seems that the only way to reproduce this behavior, where we see responses from DEAD hosts, is to scan across the VPN tunnel.

VPN Pool VPN Gateway Subnet Being Scanned:

Would greatly appreciate it if someone could comment on this behavior.


What do the interface list and route table show on the VPN client when the VPN is active?

Chuckc (2020-03-04 06:29:38 +0000)

Interface List

 22...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
  8...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN50
 10...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN8
 17...54 ee 75 48 16 71 ......Intel(R) Ethernet Connection (3) I218-V - VLAN : VLAN6
 21...60 57 18 c0 97 d0 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 12...62 57 18 c0 97 cf ......Microsoft Wi-Fi Direct Virtual Adapter #3
  6...00 ff 3c fc 7d a7 ......TAP-Windows Adapter V9
 14...60 57 18 c0 97 cf ......Intel(R) Dual Band Wireless-AC 7265
  1...........................Software Loopback Interface 1

net_tech (2020-03-04 12:05:59 +0000)

IPv4 Route Table

Active Routes:

Network Destination Netmask             Gateway         Interface       Metric        50        2       2        On-link      257     On-link      257     On-link      257       2  51            On-link         127.0.0 ...
net_tech (2020-03-04 12:08:51 +0000)

Was the capture done external to the VPN client?
Based on the route entry 2 I would have expected the ARP to be for not the in the pcap.

Since the ARP is coming from the Cisco AnyConnect interface (00 05 9a 3c 7a 00) and the response is from the VPN interface (00:11:22:33:44:55), maybe it's a question for

Chuckc (2020-03-04 14:58:58 +0000)

The capture was done on the VPN client.

I only included 2 packets in the attached capture, but the full capture has ARPs from all IPs.

There shouldn't have been an ARP from as there is no host at that IP.

net_tech (2020-03-04 16:09:26 +0000)

2 Answers

answered 2020-03-06 20:03:20 +0000 by Eddi

Are you sure that the ARP responses really came in through the VPN tunnel? In other words: is it possible that a VPN driver injected the ARP packets?

I would expect that the VPN software would use at least a 30-bit netmask, maybe longer. Also, I hope that your VPN does not try to emulate a broadcast network over the link.



I think you are on to something. Based on your comment I started captures on the Firewall itself and VPN client while running another port scan. ARPs don't seem to be going over the tunnel. The ARP responses I am seeing on the client side may indeed be injected or generated by the AnyConnect VPN adapter itself.


net_tech (2020-03-06 23:04:48 +0000)

answered 2020-03-03 16:14:53 +0000

Maybe Proxy ARP is on?

No, I have no-proxy-arp at the end of the NAT statement:

nat (any,outside) source static internal_subnets internal_subnets destination static vpn_pool vpn_pool no-proxy-arp

net_tech (2020-03-04 01:27:06 +0000)
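The symptom described in the question (one hardware address, the FirePower VPN interface's 00:11:22:33:44:55, answering ARP for every address in the scanned subnet) and the two explanations offered in the answers (proxy ARP on the gateway, or replies synthesised locally by the AnyConnect adapter) look identical in a single client-side capture: one MAC claiming many IPs. The following Python script is an added example, not code from this thread, from Wireshark or from Cisco. It parses ARP replies out of raw Ethernet frames (or out of a classic libpcap file via `iter_pcap_frames`) and reports every MAC that answers for more than one IP. The sample frames are constructed here: they reuse the two MACs from the thread and use the documentation range 192.0.2.0/24 as a stand-in for the scanned subnet, which the page does not give.

```python
"""Report MAC addresses that answer ARP for many IP addresses.

Added example: parses ARP replies out of Ethernet frames and groups the
claimed sender IPs by sender MAC, so that a gateway doing proxy ARP or a
VPN adapter generating replies locally stands out as one MAC "owning"
dozens of addresses. Standard library only.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet II frame carrying an ARP reply (used only to construct sample input)."""
    eth_header = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), lengths 6 and 4, opcode 2 (reply)
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth_header + arp_header + arp_body


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP reply, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP packet
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if oper != ARP_REPLY or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return mac_str(frame[22:28]), ip_str(frame[28:32])


def arp_claims(frames):
    """Map each replying MAC to the set of IP addresses it claimed to own."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is not None:
            sender_mac, sender_ip = parsed
            claims[sender_mac].add(sender_ip)
    return dict(claims)


def suspicious_responders(frames, max_ips: int = 1):
    """Return {mac: sorted IPs} for every MAC that answered for more than max_ips addresses."""
    return {mac: sorted(ips) for mac, ips in arp_claims(frames).items() if len(ips) > max_ips}


def iter_pcap_frames(path: str):
    """Yield link-layer frames from a classic libpcap file (not pcapng), Ethernet link type only."""
    with open(path, "rb") as fh:
        header = fh.read(24)
        if len(header) < 24:
            raise ValueError("truncated pcap header")
        magic = header[:4]
        if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
            endian = "<"
        elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng is not handled here)")
        if struct.unpack(endian + "I", header[20:24])[0] != 1:
            raise ValueError("expected Ethernet (DLT 1) link type")
        while True:
            record = fh.read(16)
            if len(record) < 16:
                return
            _, _, captured_len, _ = struct.unpack(endian + "IIII", record)
            yield fh.read(captured_len)


# Constructed sample: the FirePower VPN interface MAC from the thread answers for ten
# addresses of a stand-in subnet (192.0.2.0/24); one ordinary host answers for its own IP.
# The scanning client's MAC (the AnyConnect adapter from the thread) is the ARP target.
CLIENT_MAC = "00:05:9a:3c:7a:00"
VPN_GATEWAY_MAC = "00:11:22:33:44:55"
REAL_HOST_MAC = "02:00:00:00:00:01"  # constructed, locally administered address

SAMPLE_FRAMES = [
    build_arp_reply(VPN_GATEWAY_MAC, f"192.0.2.{n}", CLIENT_MAC, "192.0.2.200")
    for n in range(10, 20)
] + [build_arp_reply(REAL_HOST_MAC, "192.0.2.50", CLIENT_MAC, "192.0.2.200")]


if __name__ == "__main__":
    import sys
    frames = list(iter_pcap_frames(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for mac, ips in suspicious_responders(frames).items():
        print(f"{mac} answered ARP for {len(ips)} addresses: {ips[0]} .. {ips[-1]}")
```

Run it against the client-side capture and against a capture taken on the firewall side of the tunnel, as the asker eventually did: if the bulk claims appear only in the client-side file, the replies never crossed the tunnel and were produced by the local adapter, whereas a gateway doing proxy ARP would show the same MAC answering for many addresses on both sides.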


Asked: 2020-03-03 15:54:07 +0000

Seen: 144 times

Last updated: Mar 06