https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775190#M494436 <P>We have an ESX server will multiple virtual servers defined. I am trying to migrate the default gateway IP address (.1) from a 3900 router to an ASA firewall. When the default gateway is assigned to the 3900 there are no issues. Shortly after moving the default gateway to the ASA, the virtual server will report a duplicate IP address. The offending mac address is the interface of the ASA firewall. The network to be moved is a class C. There are only 4 hosts on the network. This leaves many other IP addresses to test with all of which have never been used. When the virtual server is configured for a new, never before used IP address, the server will report a duplicate IP address and the ASA mac address is listed for the duplicate mac. </P><P></P><P>I have moved other networks from the 3900 to ASA without issue. To the best of my knowledge the only difference is how the ESX server attaches the virtual server/IP address to a NIC. The ESX server has five network interfaces: 1 ilo, 2 management and 2 production. The IP addresses and networks associated with ilo and mgmt are working without trouble. The virtual servers using the production interfaces are having trouble when the default gateway is the ASA firewall.</P><P></P><P>The switch configuration for the ilo and management interface is defined as an access switchport. The production interfaces are each defined as a trunk and allows two networks on the trunk.</P><P></P><P>I can’t help but think the issue is with the relationship between the switch trunks and the ESX server. The trunk interfaces operate independently. The have not been teamed together (LACP). Do the 3900 router and ASA handle arp differently thus expose a problem that’s been there all along?</P><P></P><P>ASA Firewall</P><P>ASA Version 8.2(5)13</P><P>interface GigabitEthernet0/2</P><P> description 4948 g1/22</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/2.82</P><P> description esx production VM servers</P><P> shutdown</P><P> vlan 82</P><P> nameif esx_prod</P><P> security-level 70</P><P> ip address 192.168.82.1 255.255.255.0</P><P>!</P><P>access-list esx_prod_in extended permit ip any any</P><P>global (outside) 1 interface</P><P>nat (esx_prod) 1 192.168.82.0 255.255.255.0</P><P>static (inside,esx_prod) 192.168.0.0 192.168.0.0 netmask 255.255.0.0</P><P>static (inside,esx_prod) 172.16.0.0 172.16.0.0 netmask 255.240.0.0</P><P>access-group esx_prod_in in interface esx_prod</P><P></P><P>Switch</P><P>interface GigabitEthernet1/1</P><P> description ESX server production</P><P> switchport trunk encapsulation dot1q</P><P> switchport trunk allowed vlan 82,193</P><P> switchport mode trunk</P><P></P><P>Router</P><P>interface GigabitEthernet0/0.82</P><P> description esx production VM servers</P><P> encapsulation dot1Q 82</P><P> ip address 192.168.82.1 255.255.255.0</P><P> ip pim sparse-dense-mode</P><P> ip cgmp</P><P>end</P> Mon, 11 Mar 2019 21:44:40 GMT rmeans 2019-03-11T21:44:40Z https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775190#M494436 <P>We have an ESX server will multiple virtual servers defined. I am trying to migrate the default gateway IP address (.1) from a 3900 router to an ASA firewall. When the default gateway is assigned to the 3900 there are no issues. Shortly after moving the default gateway to the ASA, the virtual server will report a duplicate IP address. The offending mac address is the interface of the ASA firewall. The network to be moved is a class C. There are only 4 hosts on the network. This leaves many other IP addresses to test with all of which have never been used. When the virtual server is configured for a new, never before used IP address, the server will report a duplicate IP address and the ASA mac address is listed for the duplicate mac. </P><P></P><P>I have moved other networks from the 3900 to ASA without issue. To the best of my knowledge the only difference is how the ESX server attaches the virtual server/IP address to a NIC. The ESX server has five network interfaces: 1 ilo, 2 management and 2 production. The IP addresses and networks associated with ilo and mgmt are working without trouble. The virtual servers using the production interfaces are having trouble when the default gateway is the ASA firewall.</P><P></P><P>The switch configuration for the ilo and management interface is defined as an access switchport. The production interfaces are each defined as a trunk and allows two networks on the trunk.</P><P></P><P>I can’t help but think the issue is with the relationship between the switch trunks and the ESX server. The trunk interfaces operate independently. The have not been teamed together (LACP). Do the 3900 router and ASA handle arp differently thus expose a problem that’s been there all along?</P><P></P><P>ASA Firewall</P><P>ASA Version 8.2(5)13</P><P>interface GigabitEthernet0/2</P><P> description 4948 g1/22</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/2.82</P><P> description esx production VM servers</P><P> shutdown</P><P> vlan 82</P><P> nameif esx_prod</P><P> security-level 70</P><P> ip address 192.168.82.1 255.255.255.0</P><P>!</P><P>access-list esx_prod_in extended permit ip any any</P><P>global (outside) 1 interface</P><P>nat (esx_prod) 1 192.168.82.0 255.255.255.0</P><P>static (inside,esx_prod) 192.168.0.0 192.168.0.0 netmask 255.255.0.0</P><P>static (inside,esx_prod) 172.16.0.0 172.16.0.0 netmask 255.240.0.0</P><P>access-group esx_prod_in in interface esx_prod</P><P></P><P>Switch</P><P>interface GigabitEthernet1/1</P><P> description ESX server production</P><P> switchport trunk encapsulation dot1q</P><P> switchport trunk allowed vlan 82,193</P><P> switchport mode trunk</P><P></P><P>Router</P><P>interface GigabitEthernet0/0.82</P><P> description esx production VM servers</P><P> encapsulation dot1Q 82</P><P> ip address 192.168.82.1 255.255.255.0</P><P> ip pim sparse-dense-mode</P><P> ip cgmp</P><P>end</P> Mon, 11 Mar 2019 21:44:40 GMT https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775190#M494436 rmeans 2019-03-11T21:44:40Z https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775191#M494437 <HTML><HEAD></HEAD><BODY><P>I am continuing to research.&nbsp; I suspect proxy arp may be the issue.&nbsp; I plan to disable and test shortly.</P></BODY></HTML> Mon, 31 Oct 2011 19:47:55 GMT https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775191#M494437 rmeans 2011-10-31T19:47:55Z https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775192#M494440 <HTML><HEAD></HEAD><BODY><P>Hello, </P><P></P><P>Yup, you got it. The issue is proxy arp. The only way that the ASA is going to answer an ARP request is if there proxyarp feature is enable. </P><P></P><P>Now, it is enable by default, and what causes the ASA to answer the solicited ARP requests is NAT configuration. On which interface of the firewall is the Server located? What is the subnet that the ASA is responding to? </P><P></P><P>Mike </P></BODY></HTML> Mon, 31 Oct 2011 22:15:44 GMT https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775192#M494440 Maykol Rojas 2011-10-31T22:15:44Z https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775193#M494443 <HTML><HEAD></HEAD><BODY><P>Disabling proxy arp worked (sysopt noproxyarp <INTERFACE>).</INTERFACE></P></BODY></HTML> Tue, 01 Nov 2011 10:51:29 GMT https://community.cisco.com/t5/network-security/duplicate-ip-address-with-asa-interface-mac-address/m-p/1775193#M494443 rmeans 2011-11-01T10:51:29Z