ARP attack from inactive interface with diff IP
Many USG Flex 50W 5.35/36 connected via L2 VPN via VTI interface vpn_l2
On the devices, there are many messages about an ARP attack from 1 device.
Possible ARP spoofing attack on IP 172.21.164.100. Current hardware address is bc:99:11:a7:7e:cf. But…
Interfaces on problem Flex:
vpn_l3
active: no
intra-link active: no
physical port: P2
description:
type: external
IP type: static
IP address: 192.168.64.100
netmask: 255.255.255.0
gateway: 192.168.64.99
current MAC address: BC:99:11:A7:7E:CF
use custom MAC address: no
custom MAC address: 00:00:00:00:00:00
default MAC address: BC:99:11:A7:7E:CF
virtual MAC address: 00:00:00:00:00:00
metric: 0
unicast: off
igmp active: yes
igmp direction: upstream
igmp version: IGMPv2
upstream: 102400
downstream: 102400
mtu: 1500
mss: 0
dhcp option 60:
tcp-ack traffic prioritize:
active : yes
bandwidth : 1048576
priority : 1
maximize-bandwidth-usage : yes
vpn_l2
active: yes
intra-link active: no
physical port: P3
description:
type: internal
IP type: static
IP address: 172.21.164.100
netmask: 255.255.0.0
gateway:
current MAC address: BC:99:11:A7:7E:D0
use custom MAC address: no
custom MAC address: 00:00:00:00:00:00
default MAC address: BC:99:11:A7:7E:D0
virtual MAC address: 00:00:00:00:00:00
metric: 0
unicast: off
igmp active: no
igmp direction: downstream
igmp version: IGMPv2
upstream: 102400
downstream: 102400
mtu: 1500
mss: 0
dhcp option 60:
tcp-ack traffic prioritize:
active : yes
bandwidth : 1048576
priority : 1
maximize-bandwidth-usage : yes
Why do the devices get messages about ARP from an interface with a MAC that is disabled and not visible to them?
All Replies
-
Hi @alexey
Thanks for your inquiry.
Could you share the screenshots of the ARP attack Monitor Log message with us?
Are vpn_l2 and vpn_l3 all Zyxel firewall devices?
Do you configure the connectivity check on this VPN tunnel on both sites?
Thanks.
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community
0 -
Hi.
1. I can't share a screenshot; I can share messages about the ARP attack from the central syslog server.
2. All are Zyxel firewall devices. The vpn_l3 & vpn_l2 interfaces are on the problem ZW device. All devices are connected via the vpn_l2 interface; it's an ISP L2 VPN. In the logs, ARP comes from the vpn_l3 MAC, which is disabled & doesn't connect to other ZW.
3. Yes, the VTI interface has CC configured. Each VTI has its own /30 subnet.
0 -
Hi @alexey
Many thanks for your update and share. Could you provide a remote Web-GUI link to us for further checking? We will send a private message to you later, please check your private message inbox, thanks.
0 -
The problem is on the same device and a different interface.
Message from syslog server:
src="0.0.0.0:0" dst="0.0.0.0:0" msg="An ip address conflict is detected. bc:99:11:a7:7e:d3 and bc:99:11:a7:7e:d0 share the same IP address 10.0.1.64" note="" user="unknown" devID="d8ece5c45727" cat="System"
show interface all
1 ge1 Inactive 0.0.0.0 0.0.0.0 DHCP client
2 sfp Inactive 0.0.0.0 0.0.0.0 DHCP client
3 ge2 1000M/Full 10.0.1.64 255.255.255.0 Static
4 local 1000M/Full 172.20.64.1 255.255.255.0 Static
5 dmz Inactive 0.0.0.0 0.0.0.0 Static
6 ge3 100M/Full 10.0.0.64 255.255.255.0 Static
7 cellular1 Connected 192.168.8.100 255.255.255.255 Dynamic
8 vti1 Up 10.1.2.46 255.255.255.252 Static
9 vti3 Up 10.2.2.46 255.255.255.252 Static
10 vti4 Up 10.3.2.46 255.255.255.252 Static
11 vti0 Up 10.1.1.46 255.255.255.252 Static
12 vti2 Up 10.2.1.46 255.255.255.252 Static
13 vti5 Up 10.3.1.46 255.255.255.252 Static
show interface ge2
active: yes
intra-link active: no
interface name: ge2
physical port: P3
description:
type: internal
IP type: static
IP address: 10.0.1.64
netmask: 255.255.255.0
gateway:
current MAC address: BC:99:11:A7:7E:D0
use custom MAC address: no
custom MAC address: 00:00:00:00:00:00
default MAC address: BC:99:11:A7:7E:D0
virtual MAC address: 00:00:00:00:00:00
metric: 0
unicast: off
igmp active: no
igmp direction: downstream
igmp version: IGMPv2
upstream: 102400
downstream: 102400
mtu: 1500
mss: 0
dhcp option 60:
tcp-ack traffic prioritize:
active : yes
bandwidth : 1048576
priority : 1
maximize-bandwidth-usage : yes
show interface ge3
active: yes
intra-link active: no
interface name: ge3
physical port: P6
description:
type: internal
IP type: static
IP address: 10.0.0.64
netmask: 255.255.255.0
gateway:
current MAC address: BC:99:11:A7:7E:D3
use custom MAC address: no
custom MAC address: 00:00:00:00:00:00
default MAC address: BC:99:11:A7:7E:D3
virtual MAC address: 00:00:00:00:00:00
metric: 0
unicast: off
igmp active: no
igmp direction: downstream
igmp version: IGMPv2
upstream: 1048576
downstream: 1048576
mtu: 1500
mss: 0
dhcp option 60:
tcp-ack traffic prioritize:
active : yes
bandwidth : 1048576
priority : 1
maximize-bandwidth-usage : yes
@Zyxel_Jeff both interfaces are internal. CC can't be configured.
0 -
Hi @alexey
Could you enable Nebula Zyxel support for us and tell us your org and site name by private message? Thanks.
0 -
We don't use Nebula features.
0 -
Dear @alexey
Apologies for my misunderstanding; the CC that you mentioned means connectivity check, not Nebula Controller Center. The ARP attack could be caused by a connectivity check because of the remote peer VPN site's connectivity check packets, and those packets were detected by the USG Flex 50W. Could you disable connectivity check features on USG50W and the peer site device to see whether ARP attack messages would be shown? If the symptom still occurs, please share your device's Web-GUI link with us for further checking. Thanks.
0 -
My bad. I forgot that CC can be enabled on internal interfaces, and its status is not displayed via the show interface command. I disabled CC on the interfaces and am still waiting for new error messages.
1 -
Hi @alexey
OK, got it. Thanks for your update.
0 -
It did not help. I disabled CC on the ge2 & 3 interfaces.
show connectivity-check status
Interface Status Fail Count
cellular1 Ok 0
vti1 Ok 0
vti3 Failed 2
vti4 Ok 0
vti0 Ok 0
vti2 Ok 0
vti5 Ok 0
The VTI interface that is built via this interface ge2 is in failed status.
Also, the error message changed:
Possible ARP spoofing attack on IP 10.0.1.64.
0
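A triage helper for the two alert wordings quoted in this thread, as an added example (not from the thread or from Zyxel): it checks whether the MAC named in an alert belongs to one of the firewall's own interfaces or to an unknown host. The function names and verdict labels are assumptions; the inventories are transcribed from the `show interface` output posted above.

```python
import re

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONFLICT = re.compile(MAC + " and " + MAC + " share the same IP address " + IP, re.I)
SPOOF = re.compile("Possible ARP spoofing attack on IP " + IP +
                   r"\. Current hardware address is " + MAC, re.I)


def parse_alert(msg):
    """Return (ip, [macs]) from either alert wording, or None if neither matches."""
    m = CONFLICT.search(msg)
    if m:
        return m.group(3), [m.group(1).lower(), m.group(2).lower()]
    m = SPOOF.search(msg)
    if m:
        return m.group(1), [m.group(2).lower()]
    return None


def triage(msg, inventory):
    """inventory maps lower-case MAC -> (interface name, configured IP)."""
    parsed = parse_alert(msg)
    if parsed is None:
        return None
    ip, macs = parsed
    # Interfaces of this device that are configured with the disputed IP.
    owners = [name for name, addr in inventory.values() if addr == ip]
    seen = {mac: inventory.get(mac, (None, None))[0] for mac in macs}
    foreign = [mac for mac, name in seen.items() if name is None]
    # Own interfaces named in the alert that are NOT configured with that IP.
    claimants = sorted(n for n in seen.values() if n and n not in owners)
    verdict = "foreign-mac" if foreign else ("own-interfaces" if claimants else "consistent")
    return {"ip": ip, "owners": owners, "claimants": claimants,
            "foreign": foreign, "verdict": verdict}


# Inventories transcribed from the "show interface" output quoted in the thread.
FIRST_POST = {"bc:99:11:a7:7e:cf": ("vpn_l3", "192.168.64.100"),
              "bc:99:11:a7:7e:d0": ("vpn_l2", "172.21.164.100")}
LATER_POST = {"bc:99:11:a7:7e:d0": ("ge2", "10.0.1.64"),
              "bc:99:11:a7:7e:d3": ("ge3", "10.0.0.64")}

if __name__ == "__main__":
    print(triage('msg="An ip address conflict is detected. bc:99:11:a7:7e:d3 and '
                 'bc:99:11:a7:7e:d0 share the same IP address 10.0.1.64"', LATER_POST))
    print(triage("Possible ARP spoofing attack on IP 172.21.164.100. "
                 "Current hardware address is bc:99:11:a7:7e:cf.", FIRST_POST))
```

An `own-interfaces` verdict means every MAC in the alert is one of the device's own ports, so the thing to check is which segment lets one port see ARP for another port's address; `foreign-mac` means a host outside the inventory is answering for the IP.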