4 Replies Latest reply on Sep 27, 2011 3:21 PM by hernan.fernandez

    VPN / ARP problem

      Hi there:



      I have a problem with the VPN configuration in my enterprise firewall 8.0.1.



      I have configured the VPN concentrator and vpn client (Shrew soft) following this instructions. https://kc.mcafee.com/corporate/index?page=content&id=KB67215&pmv=print. The VPN client connect successfully, the user and password are validated fine, also the remote certificate password, and I get an ip address and dns sucessfully also.



      The landing burb for vpn users is the internal zone, but after establish the vpn session, I'm just able to ping the internal interface of the firewall, I cannot ping another computers inside of the internal burb (in the same internal zone).



      I have discovered that a ping made from my vpn client computer arrive to the others hosts in the internal burb, but their don't know how get back.



      The problem is solved when I set with arp the HW address of the internal interface of the firewall with the IP of my vpn client, in the computer inside of the internal zone.



      arp -s vpn_client_ip_address  firewall_internal_int_mac_address 





      Any ideas? how can solve the problem without this manual setting?







      El mensaje fue editado por: hernan.fernandez on 27/09/11 9:32:17 CDT
        • 1. Re: VPN / ARP problem



          It seems like you are running into a routing problem. I am making an assumption that the devices behind the firewall do not have their default gateway set to the firewall? If they did, then you would probably not have this problem.


          Without chaning routing on the clients behind the firewall, I dont know how you are going to get around this problem.


          Hope this helps,



          • 2. Re: VPN / ARP problem

            Hi Mtuma, thanks for the anwser, I think the same, but I cannot find the exact problem. Here is more information about the configuration that I have




            interface 1-0 external / 29

            interface 1-1 Internal / 24


            VPN network

   / 29



            computer connected to 1-0 

            IP (this is the vpn client)




            the default route is ( internet router), If I set the computer connected to 1-0 with the GW still not working.



            computer connected to 1-1




            this computer cannot see my vpn client once is connected. and I have to set here an arp. by example

            arp -s MAC_ADDR_OF_INTERFACE 1-1




            thanks a lot for your help

            • 3. Re: VPN / ARP problem

              You have to add the ARP entry because the VPN network ( is in the same network as your PC (  Your PC cannot ARP for these addresses because they are not 'really' there on the network (they're on the other side of the VPN and ARPs are not propogated over a VPN).


              There is nothing you can do on the firewall to 'fix' this the way it is setup right now.  You must add ARP entries to point back to the firewall.


              If you were to make the VPN network (which is outside the network of your PC), your PC would send this traffic back to its default route (the firewall) with no ARP entries.  Or, if you made the mask on your PC smaller so that this current VPN network is no longer in the network of your PC, your PC would send this traffic back to its default route, the firewall.

              • 4. Re: VPN / ARP problem

                It's working.... thanks a lot  :-)

                local and virtual subnets where changed to and