The ARP Spoofing Determination Mechanism Causes Automatic Firewall Network Disconnections

Publication Date: 2012-07-16
Issue Description
The firewall is deployed at the public network egress and works normally for the most part. However, it automatically loses connectivity every 10 minutes: the next-hop public address cannot be pinged from the firewall. Each disconnection lasts about 6 minutes, after which the network connection resumes. This phenomenon repeats at irregular intervals.
Alarm Information
None.
Handling Process
You can resolve this problem by using either of the following methods:
1. Disable the ARP spoofing defense function on the USG5300.
2. Upgrade the USG5300 to V100R002C01SPC007 or later.
Root Cause

1. The 100 Mbit/s O/E converter is of poor quality. A 100 Mbit/s O/E converter connected to a GE interface can cause the symptom described above. In this case, however, the symptom persists after a switch is deployed between the converter and the firewall. Moreover, during a firewall network disconnection the next-hop public IP address can still be pinged from the public IP address of the switch. Therefore, the symptom is not caused by a poor-quality 100 Mbit/s O/E converter.

2. According to the onsite check, the network connection resumes immediately after the ARP entries are cleared, so the symptom is related to ARP. Analysis of captured packets shows that the first ARP request packets sent by the public network gateway are addressed to the correct broadcast address, and the USG5300 responds to these packets. The gateway then sends unicast ARP request packets, to which the USG5300 does not respond.

The USG5300 does not respond to the unicast ARP packets because it treats them as attack packets. Ten minutes later, the network connection breaks because the USG5300 ARP entries have aged. When the gateway sends broadcast ARP packets, the network connection resumes again.
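The capture analysis described above can be reproduced offline with a short script. The following is an added example, not code from the original case or from the vendor: it parses raw Ethernet/ARP frames, classifies each request as broadcast or unicast, and lists the requests that never received a reply. The MAC addresses, the IP addresses (documentation range 203.0.113.0/24) and the sample frames are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

BROADCAST = b"\xff" * 6

def build_arp(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (used only to construct sample data)."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed

def parse_arp(frame):
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None otherwise."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None  # too short or not EtherType ARP
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return {"dst": frame[0:6], "op": struct.unpack("!H", frame[20:22])[0],
            "spa": str(IPv4Address(frame[28:32])),
            "tpa": str(IPv4Address(frame[38:42]))}

def unanswered_requests(frames):
    """List (kind, requester_ip, target_ip) for ARP requests with no later reply."""
    pending = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None:
            continue
        if pkt["op"] == 1:  # request: classify by Ethernet destination
            kind = "broadcast" if pkt["dst"] == BROADCAST else "unicast"
            pending.append((kind, pkt["spa"], pkt["tpa"]))
        elif pkt["op"] == 2:  # reply: clears the oldest matching request
            for i, (_, req_ip, tgt_ip) in enumerate(pending):
                if req_ip == pkt["tpa"] and tgt_ip == pkt["spa"]:
                    del pending[i]
                    break
    return pending

# Constructed sample: the gateway's broadcast request is answered by the
# firewall, the two unicast requests that follow are not.
GW_MAC, FW_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
GW_IP, FW_IP, ZERO = "203.0.113.1", "203.0.113.2", b"\x00" * 6
SAMPLE = [
    build_arp(BROADCAST, GW_MAC, 1, GW_MAC, GW_IP, ZERO, FW_IP),
    build_arp(GW_MAC, FW_MAC, 2, FW_MAC, FW_IP, GW_MAC, GW_IP),
    build_arp(FW_MAC, GW_MAC, 1, GW_MAC, GW_IP, FW_MAC, FW_IP),
    build_arp(FW_MAC, GW_MAC, 1, GW_MAC, GW_IP, FW_MAC, FW_IP),
    b"\x00" * 20,  # truncated frame, ignored by the parser
]

if __name__ == "__main__":
    for kind, src, dst in unanswered_requests(SAMPLE):
        print(f"unanswered {kind} ARP request: {src} asks for {dst}")
```

A result consisting only of unicast requests, as with this sample, matches the pattern found in this case.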
Suggestions
When you encounter an uncommon problem, pay attention to the lower-layer protocol status, for example, physical layer status and link-layer protocols.
