topic Re: Cisco ASA gratuitous ARP in Network Security

Cisco ASA gratuitous ARP

lucas_kaczmarski — Fri, 21 Feb 2020 16:05:27 GMT

Hello,

Does anyone know how to force Cisco ASA to send GARP for NATed IPs? I'm using proxy arp and the ARP entries on the upstream device do not refresh after I change failover MAC address. The only way to fix this is to clear ARP on the upstream device or wait till the timeout expires. I also tried failing over the ASAs, but that doesn't help either.

Is there a way to force ASA to send out GARPs at all for nated IPs?

On the upstream device e0:5f:b9:7c:7d:33 is the new MAC address of the ASAs outside (failover) interface and that updated immediately, but the ones for proxy-arp remain unchanged at e0:5f:b9:7c:7d:3c.

root> show arp
MAC Address Address Name Interface Flags
e0:5f:b9:7c:7d:3c 55.55.55.10 55.55.55.10 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.11 55.55.55.11 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.13 55.55.55.13 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.14 55.55.55.14 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.16 55.55.55.16 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.21 55.55.55.21 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.250 55.55.55.250 ge-0/0/0.0 none
e0:5f:b9:7c:7d:33 55.55.55.254 55.55.55.254 ge-0/0/0.0 none
Total entries: 8

root> ping 55.55.55.10
PING 55.55.55.10 (55.55.55.10): 56 data bytes
^C
--- 55.55.55.10 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Thanks,

Lucas

Re: Cisco ASA gratuitous ARP

Jerome BERTHIER — Fri, 10 Aug 2018 12:14:57 GMT

GARP is the default behavior with NAT :

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

Each interface is configured per default to post GARP (negation of noproxyarp).

You can verify with : sh run all | i proxyarp

Here an example :

vpn/pri/act# sh run all | i proxyarp
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
no sysopt noproxyarp management

Regards

Re: Cisco ASA gratuitous ARP

lucas_kaczmarski — Fri, 10 Aug 2018 12:33:22 GMT

The ASA responds to ARP for NATed IPs and that is correct and expected, but it seems that when I change the virtual MAC address of the ASA the GARP updates are not sent for NATed IPs.

It's not the intial ARP request that is the problem (that I can achieve by clearing ARP cache on the upstream device), but the GARP update for the existing ARP entry which is not sent it seems.

Is this expected behaviour? I pasted relevenat info in my original post.

Thanks

Re: Cisco ASA gratuitous ARP

Jerome BERTHIER — Fri, 10 Aug 2018 12:34:59 GMT

Sorry I misunderstood your request.

This is documented :

"If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow. The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not learn of the MAC address change for these addresses."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html#wp1079460%0A

You have to fix virtual mac adresses on failover node in order to keep only those of primary node :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html#wp1097271%0A

Regards

Jérôme

Re: Cisco ASA gratuitous ARP

lucas_kaczmarski — Fri, 10 Aug 2018 12:47:58 GMT

Nice one, thanks.

Re: Cisco ASA gratuitous ARP

cesarami — Tue, 25 Feb 2020 15:22:23 GMT

You could force a Gratuitous ARP in ASA with the following debug command:

debug menu ipaddrutl 6 <IP>

Example:

#debug menu ipaddrutl 6 1.1.1.1

Gratuitous ARP sent for 1.1.1.1

Re: Cisco ASA gratuitous ARP

markwaltersccie — Thu, 24 Jun 2021 16:14:11 GMT

Stellar answer! Worked for me on FTD code from CLI.