Ping and ARP problem

Clouseau

Hello,

I have some kind of routing problem here. I try to ping device 10.0.0.20 from network 10.0.1.0/24, but I get no pacets back.
Tunnel is working fine and all traffic is enabled thou tunnel and static routings are defined in both ends. netstat show that routing information is correct and available.

Do I have some kind of policy routing problem or what? I just can't figure this out. This issue occurs only with one device witch has ip&gw settings done correctly.

IPSEC
(ipsec tunnel  10.0.0.0/24 === 10.0.1.0/24 )

PING from 10.0.1.11 to 10.0.0.20

–------------------------------------------------------------------------------------
Pinging 10.0.0.11 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.0.20:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pacet capture taken from remote 10.0.0.1 LAN GW interface:
14:57:28.319446 IP 10.0.1.11 > 10.0.0.20: ICMP echo request, id 1, seq 133, length 40
14:57:28.869456 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:29.869130 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:30.868659 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:31.878148 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:32.877579 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:33.877126 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:41.319446 IP 10.0.1.111 > 10.0.0.20: ICMP echo request, id 1, seq 134, length 40
14:57:41.323759 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:42.323278 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:43.323053 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:46.036351 IP 10.0.1.111 > 10.0.0.20: ICMP echo request, id 1, seq 135, length 40
14:57:46.041591 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:47.041339 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46
14:57:48.040705 ARP, Request who-has 10.0.1.11 tell 10.0.0.20, length 46

$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            123.123.123.123    UGS        0 96721269    re0
10.0.0.0/24        link#3            U          0 193351451    re2
10.0.0.1          link#3            UHS        0        0    lo0
10.0.1.0/24        10.0.0.1          US          0 21121630    re2
10.0.1.1          10.0.0.1          UHS        0 10383014    re2

phil.davis

There is a bit of weird stuff there with 10.0.1.11 vs 10.0.1.111 - don't know what is going on with that.

14:57:46.036351 IP 10.0.1.111 > 10.0.0.20: ICMP echo request, id 1, seq 135, length 40
14:57:46.041591 ARP, Request who-has 10.0.1.111 tell 10.0.0.20, length 46
14:57:47.041339 ARP, Request who-has 10.0.1.111 tell 10.0.0.20, length 46
14:57:48.040705 ARP, Request who-has 10.0.1.111 tell 10.0.0.20, length 46

Why is 10.0.0.20 trying to ARP to find 10.0.1.111 - they are supposed to be in separate subnets and so 10.0.0.20 should be sending the echo reply straight back to its default gateway/router.
Check the netmask/CIDR on 10.0.0.20 - maybe it has /16 or something odd.

Clouseau

Sorry about wrong IP 10.0.1.111, it is 10.0.1.11 (bad copy paste/edit) :o

They are in separate subnets and nesmask/CIDR has been triblechecked that both has 24 bit mask. I'm asking this because I have this sympthom in two different sites with similar configuration - two sites connected with ipsec-vpn. All "other" devices (windows PC, printers, laptops, FreeNAS etc..) has no problems with ping and other network functions but this one specific device does this.

I can't figure out  why 10.0.0.20 does not send the echo reply straight back to its default gateway! This is so weird

Device IP settings:
      *** Using DHCP ***
    IP Address: 10.0.0.20
      Gateway: 10.0.0.1
      Netmask: 255.255.255.0
    HW Address: 00:11:CE:4C:69:8B

@phil.davis:

There is a bit of weird stuff there with 10.0.1.11 vs 10.0.1.111 - don't know what is going on with that.

Why is 10.0.0.20 trying to ARP to find 10.0.1.11 - they are supposed to be in separate subnets and so 10.0.0.20 should be sending the echo reply straight back to its default gateway/router.
Check the netmask/CIDR on 10.0.0.20 - maybe it has /16 or something odd.

phil.davis

It really does look like 10.0.0.20 thinks that 10.0.1.11 is in the same subnet - those ARP requests are issued every second trying to find the MAC address of 10.0.1.11
Usually this sort of thing is a wrong netmask on the client or a firewall on the client that accepts ping on the local subnet but does not accept ping from outside the subnet (Windows will do that without being asked).
Turn off any firewall on 10.0.0.20
Stare really hard at ipconfig/all (Windows) or ifconfig (*nix) and see what odd network setting it has got from somewhere.