Citrix Netscalers - PROXY ARP


I also posted this on the Cisco security forum and I didn't get any help. Hoping some of you guys might have come across this same issue with the Citrix Netscalers and a Cisco Firewall:


I'm having a problem with turning off Proxy ARP on the DMZ interface of my firewall. Right now I have 2 DMZs and I'm trying to turn Proxy ARP off on 1 of the interfaces. The reason I'm doing this is that we just recently upgraded our Citrix environment with 2 appliances called a Netscaler. They work together and need to communicate with each other so if one fails the other one takes over as the master.

The Netscalers are located in my DMZ and communicate with the outside world and the blade servers. Also located in the DMZ are a few other boxes, mainly my website server and email server. When I turn proxy ARP off, everything within the DMZ loses some sort of communication. I have Solarwinds and HPinsight monitoring both of those servers and they lose connection to those devices on the DMZ. They list both nodes as down. Also my website goes down and my emails don't function properly. I can send an email from the Inside world to the outside world (gmail+blackberry) but when I try to send them back it doesn't get delivered. It ends up getting queued until I turn proxy ARP back on and everything gets full connectivity. If I was to guess, it sounds like it's mainly the communication with the DMZ to the Inside network.

I'm trying to work with Cisco techs but they haven't been helpful thus far. I've been advised to put the Netscalers on a separate interface from everything else and turn proxy ARP off. 1 problem: I don't have any more interfaces on the PIX 515E. All are used up.

Has anybody run into anything like this before? I have a L3 switch on the inside network doing all of my routing. I also have a L2 switch in the DMZ where all of the devices are connected.

Thanks for your help