Revision history

Revision 1 (initial version)

ARP responses for non existing hosts

Hi,

Wondering if anyone would have an explanation for what we are seeing in the network scan results. We recently replaced our aging firewall with a Cisco FirePower. Older firewall didn't exhibit this behavior.

So here is what's happening.

If we run a network scan (using Advanced Port Scanner tool) WHILE connected to the network via VPN we are seeing 256 live hosts, while there is only a handful of live hosts. Wireshark capture on the VPN interface reveals that the tool is sending out ARP broadcasts and getting ARP responses for every single IP of the subnet being scanned.

What's interesting is that all ARP responses come from the 00:11:22:33:44:55 MAC address assigned to the VPN interface of the FirePower.

VPN Pool: 10.1.20.0/24
VPN Gateway: 10.1.20.1
Subnet Being Scanned: 192.168.50.0/24

Would greatly appreciate if someone could comment on this behavior

Attachment: arp.pcapng

Latest revision

ARP responses for non existing hosts

Hi,

Wondering if anyone would have an explanation for what we are seeing in the network scan results. We recently replaced our aging firewall with a Cisco FirePower. Older firewall didn't exhibit this behavior.

So here is what's happening.

If we run a network scan (using Advanced Port Scanner tool) WHILE connected to the network via VPN we are seeing 256 live hosts, while there is only a handful of live hosts. Wireshark capture on the VPN interface reveals that the network scan tool is sending out ARP broadcasts and getting ARP responses for every single IP of the subnet being scanned.

Running the same scan from any of the systems on the 192.168.50.0 network LOCALLY shows live hosts only. Also, if we run a scan across VLANs (FirePower is the default gateway) we get responses ONLY from live hosts. It seems that the only way to reproduce this behavior where we see responses from DEAD hosts is to scan across the VPN tunnel.

What's interesting is that all ARP responses come from the 00:11:22:33:44:55 MAC address assigned to the VPN interface of the FirePower.

VPN Pool: 10.1.20.0/24
VPN Gateway: 10.1.20.1
Subnet Being Scanned: 192.168.50.0/24

Would greatly appreciate if someone could comment on this behavior

Attachment: arp.pcapng
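A diagnostic check for the symptom described in the question, added here as an example and not part of the original post or of any Cisco tooling: it parses raw Ethernet/ARP reply frames and reports any MAC that answers for more than a handful of addresses inside the scanned subnet, which is what a capture looks like when one device (here the firewall's VPN interface) answers ARP on behalf of every host. The sample frames are constructed; the scanner's VPN address and MAC, the genuine host's MAC and the threshold are assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_reply(sha, spa, tha, tpa):
    """Build a raw Ethernet/ARP reply frame; used here only to construct sample input."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sha), ip_address(spa).packed,
                       mac_bytes(tha), ip_address(tpa).packed)
    return ETH_HDR.pack(mac_bytes(tha), mac_bytes(sha), ETHERTYPE_ARP) + arp

def parse_arp_replies(frames):
    """Yield (sender MAC, sender IP) for each valid Ethernet/IPv4 ARP reply in `frames`."""
    for frame in frames:
        if len(frame) < ETH_HDR.size + ARP_PKT.size:
            continue                      # runt frame, cannot hold an ARP packet
        _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype != ETHERTYPE_ARP:
            continue
        htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
            continue                      # not an Ethernet/IPv4 ARP reply
        yield mac_str(sha), str(ip_address(spa))

def find_mass_responders(frames, subnet, threshold=8):
    """Map each MAC that answered ARP for more than `threshold` distinct addresses in `subnet`
    to the sorted addresses it claimed; one MAC covering the whole subnet is the symptom."""
    net = ip_network(subnet)
    claimed = defaultdict(set)
    for mac, ip in parse_arp_replies(frames):
        if ip_address(ip) in net:
            claimed[mac].add(ip)
    return {m: sorted(ips, key=ip_address) for m, ips in claimed.items() if len(ips) > threshold}

# Constructed sample capture: the scanner (assumed VPN client 10.1.20.50 with an assumed MAC)
# gets a reply for every host address in 192.168.50.0/24 from the firewall MAC named in the
# question, plus one genuine reply from a real host (assumed MAC) to show the normal case.
SCANNER_MAC, SCANNER_IP = "aa:bb:cc:dd:ee:01", "10.1.20.50"
FIREWALL_MAC = "00:11:22:33:44:55"
SAMPLE_FRAMES = [build_arp_reply(FIREWALL_MAC, str(h), SCANNER_MAC, SCANNER_IP)
                 for h in ip_network("192.168.50.0/24").hosts()]
SAMPLE_FRAMES.append(build_arp_reply("aa:bb:cc:dd:ee:02", "192.168.50.10", SCANNER_MAC, SCANNER_IP))
```

Run `find_mass_responders(SAMPLE_FRAMES, "192.168.50.0/24")` to get the offending MAC with the 254 addresses it claimed; the genuine host, which answered for a single address, is not reported.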