cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15228
Views
15
Helpful
6
Replies

Cisco ASA gratuitous ARP

Hello,

 

Does anyone know how to force Cisco ASA to send GARP for NATed IPs? I'm using proxy arp and the ARP entries on the upstream device do not refresh after I change failover MAC address. The only way to fix this is to clear ARP on the upstream device or wait till the timeout expires. I also tried failing over the ASAs, but that doesn't help either. 

 

Is there a way to force ASA to send out GARPs at all for nated IPs? 

 

On the upstream device e0:5f:b9:7c:7d:33 is the new MAC address of the ASAs outside (failover) interface and that updated immediately, but the ones for proxy-arp remain unchanged at e0:5f:b9:7c:7d:3c. 

 

root> show arp
MAC Address Address Name Interface Flags
e0:5f:b9:7c:7d:3c 55.55.55.10 55.55.55.10 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.11 55.55.55.11 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.13 55.55.55.13 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.14 55.55.55.14 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.16 55.55.55.16 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.21 55.55.55.21 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.250 55.55.55.250 ge-0/0/0.0 none
e0:5f:b9:7c:7d:33 55.55.55.254 55.55.55.254 ge-0/0/0.0 none
Total entries: 8

 

root> ping 55.55.55.10
PING 55.55.55.10 (55.55.55.10): 56 data bytes
^C
--- 55.55.55.10 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

 

 

Thanks,

Lucas

1 Accepted Solution

Accepted Solutions

Sorry I misunderstood your request.

 

This is documented :

"If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow. The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not learn of the MAC address change for these addresses."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html#wp1079460%0A

 

You have to fix virtual mac adresses on failover node in order to keep only those of primary node :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html#wp1097271%0A

 

Regards

 

Jérôme

View solution in original post

6 Replies 6

Jerome BERTHIER
Level 1
Level 1

Hi

 

GARP is the default behavior with NAT :

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

 

Each interface is configured per default to post GARP (negation of noproxyarp).

You can verify with : sh run all | i proxyarp

 

Here an example :

vpn/pri/act# sh run all | i proxyarp
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
no sysopt noproxyarp management

 

Regards

The ASA responds to ARP for NATed IPs and that is correct and expected, but it seems that when I change the virtual MAC address of the ASA the GARP updates are not sent for NATed IPs. 

 

It's not the intial ARP request that is the problem (that I can achieve by clearing ARP cache on the upstream device), but the GARP update for the existing ARP entry which is not sent it seems. 

 

Is this expected behaviour? I pasted relevenat info in my original post. 

 

Thanks

Sorry I misunderstood your request.

 

This is documented :

"If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow. The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not learn of the MAC address change for these addresses."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html#wp1079460%0A

 

You have to fix virtual mac adresses on failover node in order to keep only those of primary node :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html#wp1097271%0A

 

Regards

 

Jérôme

Nice one, thanks.

cesarami
Cisco Employee
Cisco Employee

You could force a Gratuitous ARP in ASA with the following debug command:

 

debug menu ipaddrutl 6 <IP>

 

Example:

 

#debug menu ipaddrutl 6 1.1.1.1

Gratuitous ARP sent for 1.1.1.1

 

 

Stellar answer!  Worked for me on FTD code from CLI.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: