topic ASA5510 - all inside IPs have same MAC address in Network Security

ASA5510 - all inside IPs have same MAC address

Phil Williamson — Mon, 11 Mar 2019 21:31:28 GMT

My customer has a 5510 with the inside interface connected to a routed port on a Cat3560G

When I look at the arp cache on the 5510 all inside IPs have the MAC of the 3560's routed port

Partial output:

asa# sho arp

inside 172.20.1.138 0024.1397.f8c1 1407

inside 172.20.1.104 0024.1397.f8c1 2983

inside 172.20.1.148 0024.1397.f8c1 2995

inside 172.20.1.20 0024.1397.f8c1 3057

inside 172.20.1.130 0024.1397.f8c1 3379

inside 172.20.1.102 0024.1397.f8c1 3592

inside 172.20.1.144 0024.1397.f8c1 3928

---

I cannot see why this is happening.

Suggestions??

Thx

Phil

ASA5510 - all inside IPs have same MAC address

cadet alain — Wed, 28 Sep 2011 15:05:45 GMT

Hi,

Surely the 3560G is doing proxy-arp.

Can you provide sh route from ASA.

Regards.

Alain.

ASA5510 - all inside IPs have same MAC address

Phil Williamson — Wed, 28 Sep 2011 15:20:02 GMT

Alain,

Thanks for your interest. It has me stumped too.

ASA show route with only inside interface routes:

C 1.1.1.0 255.255.255.240 is directly connected, inside

S 172.20.1.0 255.255.255.0 [1/0] via 1.1.1.1, inside

Also from ASA:
show run all | in arp

arp timeout 14400

no sysopt noproxyarp inside

no sysopt noproxyarp outside

no sysopt noproxyarp management

From 3560G:

Gateway of last resort is 1.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.1.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/28 is directly connected, GigabitEthernet0/1
L        1.1.1.14/32 is directly connected, GigabitEthernet0/1
      172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.20.1.0/24 is directly connected, Vlan1
L        172.20.1.30/32 is directly connected, Vlan1

C3560G24-1#sh ip int gi 0/1

GigabitEthernet0/1 is up, line protocol is up

Internet address is 1.1.1.14/28

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is enabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

ICMP unreachables are always sent

ICMP mask replies are never sent

IP fast switching is enabled

IP Flow switching is disabled

IP CEF switching is enabled

IP CEF switching turbo vector

IP Null turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast, CEF

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Probe proxy name replies are disabled

Policy routing is disabled

Network address translation is disabled

BGP Policy Mapping is disabled

Input features: MCI Check

Output features: Check hwidb

C3560G24-1#

ASA5510 - all inside IPs have same MAC address

cadet alain — Wed, 28 Sep 2011 17:50:29 GMT

Hi,

can you clear arp cache on ASA and ping one of those addresses again.

Regards.

Alain.

ASA5510 - all inside IPs have same MAC address

Phil Williamson — Wed, 28 Sep 2011 18:45:03 GMT

Alain,

I've done that many times and all IPs come back with same switchport MAC

If I connect to the switch and ping a non-existant IP I get the expected result:

C3560G24-1#sho arp | in 172.20.1.53

Internet 172.20.1.53 0 Incomplete ARPA

C3560G24-1#

If I clear the ASA's arp cache and ping that same IP I GET A PING REPLY which I infer is from the Cat3560 routed port doing the proxy-arp.

As I noted above proxy-arp is enabled on that switchport. I'll turn it off - will be after hours today - and see what happens. I don't like fooling with a live customer network during business hours.

ASA5510 - all inside IPs have same MAC address

cadet alain — Wed, 28 Sep 2011 19:52:38 GMT

Hi,

no need to turn off proxy-arp on the switch.

As you notice here:

ASA

C 1.1.1.0 255.255.255.240 is directly connected, inside

S 172.20.1.0 255.255.255.0 [1/0] via 1.1.1.1, inside

3560G:

Gateway of last resort is 1.1.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 1.1.1.1

You did a typo in your route config on the ASA, you put ip address of ASA as next-hop.

Change it to ip of switch and it will be ok.

Regards.

Alain.

ASA5510 - all inside IPs have same MAC address

Phil Williamson — Thu, 29 Sep 2011 02:38:04 GMT

Alain - Yes, I cannot see the forest for the trees. I've stared at this for a day and could not see the error.

route inside 172.20.1.0 255.255.255.0 1.1.1.14 (not 1.1.1.1) !!!

Now the arp cache looks like it should with currently only the 1.1.1.14 in the cache.

Thanks,

Phil