Intranet server unreachable because of an ARP conflict

Published: 2014-11-10    Views: 738    Downloads: 0
Problem description

The topology is as shown in the figure above (the figure is not reproduced here). The server's IP address is 10.6.0.2; the interface it connects to is a Layer 2 port in VLAN 100, and Vlanif100 has the IP address 10.6.0.1. The server is mapped to the external network so that it can be reached from outside, and intranet users also need to reach it, but neither internal nor external users can access the server.
Alarm information
The firewall log contains a large number of ARP conflict alarms, as follows:
%2014-11-10 10:45:38 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:33 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:28 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:22 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:17 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:12 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:07 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:02 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:44:57 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:44:52 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!

However, the ARP table for Vlanif100 contains no entry for 10.6.0.2:

<USG2100>display arp interface Vlanif 100
11:20:17  2014/11/10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  
                                          VLAN/PVC                       
------------------------------------------------------------------------------
10.6.0.1        04f9-389b-566c            I           Vlanif100
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0    Interface:1  
Handling process
        The log shows the device receiving a large number of ARP conflict alarms for 10.6.0.2 from MAC address d4ae-52d3-8062. Inspecting the network, VLAN 100 contains only one interface, with a single server attached to it, and d4ae-52d3-8062 is that server's own MAC address. Since only one host is announcing the address, the "duplicate" cannot be a second host on the VLAN.
        We therefore suspected that the firewall itself had configuration that conflicted with 10.6.0.2. Checking the USG2100 configuration revealed the following:

        nat address-group 20 10.6.0.2 10.6.0.10

        nat-policy interzone trust dmz outbound
         policy 0
         action source-nat
         address-group 20

When intranet users access the server, their source address is translated to an address from pool 20, whose first address is 10.6.0.2, the server's own address. Because the firewall owns the addresses in a NAT address pool, the server's ARP packets for 10.6.0.2 are reported as duplicates and no ARP entry for the server is learned on Vlanif100, so traffic to the server has nowhere to go. The fix is to move the NAT address-group to a range that contains no existing host, as follows:

        nat address-group 20 10.6.0.200 10.6.0.210

        nat-policy interzone trust dmz outbound
         policy 0
         action source-nat
         address-group 20

After the change the ARP conflict alarms disappeared and service returned to normal.
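The root cause above is a NAT address pool that overlaps an address already in use on the same VLAN. The following script is an added example, not part of the original article or of the USG product, that automates the two checks done by hand in the handling process: it parses the `nat address-group` lines out of a configuration fragment, parses the `DUP_IPADDR` alarms out of the log, and reports every pool whose range contains an alarmed address or a known interface address. It also counts alarms per (IP, MAC) pair, since one MAC repeating (as in this case) points to a pool/host overlap, while two different MACs for one IP would point to a second host or ARP spoofing. The configuration fragments and the first two log lines are taken from the article; the third log line (10.6.0.77) is constructed so that the correlation is not trivially "everything matches".

```python
import ipaddress
import re
from collections import Counter

# Configuration fragments from the article: the pool that overlapped the
# server, and the corrected pool.
BAD_CONFIG = """\
nat address-group 20 10.6.0.2 10.6.0.10
nat-policy interzone trust dmz outbound
 policy 0
 action source-nat
 address-group 20
"""

FIXED_CONFIG = """\
nat address-group 20 10.6.0.200 10.6.0.210
nat-policy interzone trust dmz outbound
 policy 0
 action source-nat
 address-group 20
"""

# Two alarm lines from the article plus one constructed line for a different
# address (10.6.0.77 / 0011-2233-4455) that should not match any pool.
SAMPLE_LOG = """\
%2014-11-10 10:45:38 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:33 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.2 from Vlanif100, source MAC is d4ae-52d3-8062!
%2014-11-10 10:45:28 USG2100 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 10.6.0.77 from Vlanif100, source MAC is 0011-2233-4455!
"""

# Matches "nat address-group <id> <first-ip> <last-ip>" lines.
POOL_RE = re.compile(r"^\s*nat address-group (\d+) (\S+) (\S+)\s*$", re.MULTILINE)
# Matches the DUP_IPADDR alarm text and pulls out IP, interface and MAC.
DUP_RE = re.compile(
    r"DUP_IPADDR\(l\): Receive an ARP packet with duplicate ip address "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) from (?P<iface>\S+), source MAC is (?P<mac>[0-9a-f-]+)!"
)


def parse_nat_pools(config_text):
    """Return {group_id: (first_ip, last_ip)} for every nat address-group line."""
    pools = {}
    for group, first, last in POOL_RE.findall(config_text):
        pools[group] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return pools


def parse_dup_alarms(log_text):
    """Return a list of (ip, interface, mac) tuples, one per DUP_IPADDR alarm."""
    return [(m.group("ip"), m.group("iface"), m.group("mac"))
            for m in DUP_RE.finditer(log_text)]


def pool_contains(pool, ip):
    first, last = pool
    return first <= ipaddress.IPv4Address(ip) <= last


def find_pool_conflicts(config_text, known_hosts):
    """Return sorted (group_id, ip) pairs for every known host address that
    falls inside a NAT address pool. known_hosts is an iterable of IP strings:
    interface addresses, static servers, or addresses taken from alarms."""
    pools = parse_nat_pools(config_text)
    hits = set()
    for group, pool in pools.items():
        for ip in known_hosts:
            if pool_contains(pool, ip):
                hits.add((group, ip))
    return sorted(hits)


def alarm_sources(log_text):
    """Count alarms per (ip, mac). A single MAC repeating for one IP means the
    firewall is the other claimant; several MACs for one IP means another host."""
    return Counter((ip, mac) for ip, _iface, mac in parse_dup_alarms(log_text))


def audit(config_text, log_text, interface_ips):
    """Correlate alarmed addresses and interface addresses with the NAT pools."""
    alarm_ips = {ip for ip, _iface, _mac in parse_dup_alarms(log_text)}
    return find_pool_conflicts(config_text, alarm_ips | set(interface_ips))


if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg, SAMPLE_LOG, ["10.6.0.1"]))
    print(alarm_sources(SAMPLE_LOG))
```

Running the script reports `[('20', '10.6.0.2')]` for the original configuration and an empty list for the corrected one; the same `find_pool_conflicts` check can be run against the full set of static server and interface addresses on the subnet before a new pool is committed, which is how this class of overlap is caught before it reaches production.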

END