Sophos Firewall – Resolving ARP problem after firewall migration
When changing a firewall configuration, it can happen in rare cases that some alias IP addresses no longer respond to ICMP requests (ping), while other alias addresses remain pingable. This phenomenon occurs particularly frequently if the MAC address of the firewall changes as a result of the migration.
A typical configuration in modern networks includes multiple alias IP addresses on a single WAN interface. These alias addresses are often used to provide different services from a single physical interface. When changing firewalls, e.g. from another manufacturer to a Sophos Firewall or even when changing a hardware model within the Sophos ecosystem, the MAC address of the external interface often changes. This change can lead to problems in the ARP (Address Resolution Protocol) table of neighboring routers or switches, which still map the alias IP addresses to the old MAC address and do not update these entries automatically.
The technology behind the problem
The ARP protocol is responsible for resolving IP addresses into MAC addresses. When a host wants to contact an IP address in the network, it sends an ARP request to determine the associated MAC address. The ARP cache stores these assignments temporarily to reduce the network load and speed up the resolution. However, if the MAC address of a firewall changes while the IP address remains the same, conflicts may arise as neighboring devices may still try to associate the IP addresses with the old MAC address.
In such a situation, it is possible that some IP addresses are still pingable while others do not respond. This is because the ARP table on the neighboring devices has correctly updated the mapping for certain IP addresses, while it still contains outdated information for other IP addresses.
ARP ping to update the ARP table
To resolve this issue, you can run a specific command on the Sophos Firewall via SSH that allows you to perform a manual ARP ping for each alias IP address. This command will force the firewall to initiate an ARP request from the affected alias IP address, which will update the ARP table on the neighboring devices.
system diagnostics utilities arp ping source <Alias-IP-address> interface <Interface-Name> <Destination-IP-address>
Assume that one of the non-pingable alias IP addresses is 212.60.60.124 and it is configured on the interface Port7.27.
The command to update the ARP table for this address is:
system diagnostics utilities arp ping source 212.60.60.120 interface Port7.27 212.60.60.124
This command sends an ARP request from the alias IP address 212.60.60.124 to itself via the interface Port7.27. This forces all neighboring devices to update their ARP tables with the correct MAC address for this IP.
Step-by-step troubleshooting guide:
- Connect to the Sophos Firewall via SSH:
First, an SSH connection to the firewall is established. You can use a tool such as PuTTY or the integrated SSH console to do this.
- Identify non-pingable alias IP addresses:
The next step is to check which alias IP addresses on the WAN interface are not pingable.
- Execute ARP ping command:
The ARP ping command mentioned above is executed for each non-pingable alias IP address. Care must be taken to use the specific alias IP address and the associated interface correctly.
- Check results:
After the command has been executed, it is checked whether the previously non-pingable alias IP addresses now respond to ping requests.
- Restart network devices (if necessary):
In some cases, it may be helpful to restart adjacent network devices such as routers or switches to ensure that the ARP tables are fully updated.
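As an added example (not part of the Sophos article), the following Python script covers the "identify" and "execute" steps above: it parses a neighbor router's ARP table, flags every alias address whose cached entry does not match the firewall's new interface MAC, and emits the arp ping command from the article for each one, using the alias address as both source and destination as the article describes. The ARP table text (Linux `ip neigh` format), the interface name Port7.27, the alias addresses and both MAC addresses are constructed sample values.

```python
"""Find alias IPs whose neighbor ARP entry is still stale after a firewall MAC change."""
import ipaddress
import re

# Constructed sample: ARP table of an upstream router after the migration.
# Two aliases already learned the new MAC (aa:bb:cc); others still hold the old one
# (11:22:33) or have no resolved entry at all.
NEIGHBOR_ARP_TABLE = """\
212.60.60.120 dev eth0 lladdr 00:1a:8c:11:22:33 REACHABLE
212.60.60.121 dev eth0 lladdr 00:1a:8c:11:22:33 STALE
212.60.60.122 dev eth0 lladdr 00:1a:8c:aa:bb:cc REACHABLE
212.60.60.124 dev eth0 lladdr 00:1a:8c:aa:bb:cc STALE
212.60.60.125 dev eth0 FAILED
"""
NEW_FIREWALL_MAC = "00:1A:8C:AA:BB:CC"      # constructed: MAC of the new WAN interface
ALIAS_IPS = ["212.60.60.120", "212.60.60.121", "212.60.60.122",
             "212.60.60.124", "212.60.60.125"]  # constructed alias set on Port7.27

# "<ip> dev <iface> [lladdr <mac>] <state>"; the lladdr part is absent for FAILED entries
ENTRY_RE = re.compile(r"^(\S+)\s+dev\s+\S+(?:\s+lladdr\s+([0-9a-f:]{17}))?", re.I)


def parse_arp_table(text):
    """Return {ip: mac-or-None} from `ip neigh` style output (MACs normalised to lower case)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            mac = m.group(2)
            entries[m.group(1)] = mac.lower() if mac else None
    return entries


def stale_aliases(arp_entries, alias_ips, new_mac):
    """Alias IPs whose neighbor entry is missing or still points at a different MAC."""
    new_mac = new_mac.lower()
    stale = [ip for ip in alias_ips if arp_entries.get(ip) != new_mac]
    return sorted(stale, key=ipaddress.ip_address)


def arp_ping_commands(stale_ips, interface):
    """Sophos console command from the article, sent from each stale alias to itself."""
    return [f"system diagnostics utilities arp ping source {ip} interface {interface} {ip}"
            for ip in stale_ips]


if __name__ == "__main__":
    table = parse_arp_table(NEIGHBOR_ARP_TABLE)
    for cmd in arp_ping_commands(stale_aliases(table, ALIAS_IPS, NEW_FIREWALL_MAC), "Port7.27"):
        print(cmd)
```

Run it once against a fresh copy of the neighbor's ARP table after the commands have been issued; an empty result means every alias now maps to the new MAC.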