Clear arp restores connection?

Joffroi85
Level 1

I have a simple network with an ASA5505 mainly used for AnyConnect, so there is little traffic. There is 1 laptop connected to the E0/1 of the ASA, and E0/0 is going to the internet port. I've noticed about every 15-20 minutes I lose all connection. The laptop can no longer browse the web and handsets can no longer VPN into the network. I've noticed that a few seconds after performing a clear arp, all the connections are restored. The laptop can browse the web and handsets can VPN in again. Any idea what could be causing this?

Thanks

11 Replies

varrao
Level 10

Hi Joffroi,

One very simple test to check:

when the issue occurs, take captures on ASA interface:

access-list cap permit icmp any any

capture capo access-list cap interface outside

capture capin access-list cap interface inside

Now do a ping to 4.2.2.2 from your laptop, and then check "show cap capin" & "show cap capo"; see if the request is going through the ASA or not and if you are getting any replies or not.

If no replies, then check the upstream device; that device might be losing the arp entries for the ASA and hence sending no replies. When you clear arp on the ASA, an arp request is sent again and it rebuilds the arp table. Check if there is any arp timeout.

Hope this helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Thanks for the reply Varun.

I waited until I lost connection and did what you suggested.

# show cap capin

6 packets captured

   1: 13:42:28.785695 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

   2: 13:42:29.786092 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

   3: 13:42:30.787282 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

   4: 13:42:31.788396 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

   5: 13:42:32.789494 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

   6: 13:42:33.790623 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

6 packets shown

# show cap capo

26 packets captured

   1: 13:41:07.228046 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

   2: 13:41:07.228335 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   3: 13:41:08.228931 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

   4: 13:41:08.228976 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   5: 13:41:09.229587 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

   6: 13:41:09.229632 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   7: 13:41:10.230700 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request

....

192.168.1.4 is the IP assigned to my laptop connected to E0/1

After I performed the clear arp, I got echo replies.

With that being said, are you suggesting I need to talk to my IT about what's behind the port for my internet? Maybe they are losing the arp entry for my ASA?

Thanks
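The captures above show the diagnostic pattern the thread relies on: echo requests leaving both interfaces (pre- and post-NAT copies on the outside) with no replies coming back. As an added example, not part of the original thread, here is a small parser for ASA "show cap" output that pairs requests with replies and reports one-way flows; the second sample capture is constructed to show what a healthy outside capture looks like.

```python
import re
from collections import defaultdict

# One line of ASA "show cap <name>" output, e.g.
#    2: 13:41:07.228335 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
CAP_LINE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)\s*$"
)

def summarize_icmp(capture_text):
    """Count echo requests and replies per (requester, target) pair.

    A reply to "a > b" arrives as "b > a", so replies are keyed back onto
    the pair that sent the request. Lines that are not ICMP echo are ignored."""
    counts = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in capture_text.splitlines():
        m = CAP_LINE.match(line)
        if not m:
            continue
        src, dst, kind = m.group("src", "dst", "kind")
        key = (src, dst) if kind == "request" else (dst, src)
        counts[key][kind] += 1
    return dict(counts)

def one_way_pairs(summary):
    """Pairs that sent requests but never saw a reply: the symptom in the thread."""
    return sorted(k for k, c in summary.items() if c["request"] and not c["reply"])

# Sample taken from the thread's "show cap capo" while the link was broken:
# each ping appears twice (pre-NAT 192.168.1.4 and post-NAT 99.66.167.69), no replies.
BROKEN_CAPO = """26 packets captured
   1: 13:41:07.228046 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
   2: 13:41:07.228335 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
   3: 13:41:08.228931 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
   4: 13:41:08.228976 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
"""

# Constructed sample of a healthy outside capture: every request gets a reply.
HEALTHY_CAPO = """4 packets captured
   1: 13:50:01.000000 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
   2: 13:50:01.020000 802.1Q vlan#2 P0 4.2.2.2 > 99.66.167.69: icmp: echo reply
   3: 13:50:02.000000 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
   4: 13:50:02.020000 802.1Q vlan#2 P0 4.2.2.2 > 99.66.167.69: icmp: echo reply
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CAPO), ("healthy", HEALTHY_CAPO)):
        print(name, one_way_pairs(summarize_icmp(text)))
```

An empty result for the outside capture while the inside capture still shows requests points at the ASA; one-way pairs on the outside point upstream, which is the conclusion the thread reaches.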

Absolutely, now you at least know which device stops responding, and my gut feeling is your ISP device is losing arps pretty frequently.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Thanks, I'll reach out to them. I do notice I occasionally get another entry in my arp table on the outside interface with an IP very similar to what I have assigned to me. I suspect that is probably what is causing my problem.

Hi Joffroi,

Sure I will wait for your update.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi

That sounds a lot like an arp poisoning attack.

When the Internet works, what is the mac address of your default gateway?

What is the mac address of the default gateway when it stops working?

If they are different, I would talk to the ISP and set the mac address entry manually until the issue is resolved.

Good luck

HTH

My mac address stays the same in both cases. Thanks for the suggestion though.

Hello Joffroi,

Are you one hundred percent sure you see the real mac address of your DG from the ASA perspective when the issue happens?

I mean, from the ASA perspective we can see it is sending the traffic out the right interface and doing the NAT properly, but it is not receiving any traffic coming back.

I would say call the ISP people and explain the behavior you are seeing; they will understand and help.

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'm still waiting on a response from my IT department. I have noticed that in my arp table I get an IP address that shows up and I'm not sure what it is. As I mentioned before, the network I'm working with is

LAPTOP <-----> ASA <-------> INTERNET PORT                That's it.

ASA5505# show arp

        inside 192.168.1.4 001f.f353.da5f 24                         <---- Laptop connected to E0/1

        outside XX.XX.167.66 3ce5.a614.e06b 1703               <---- Unknown device

        outside XX.XX.167.70 0024.c9cf.2c50 2946                <---- Default Gateway
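The "show arp" output above, and the earlier question about whether the gateway MAC changes when the link dies, suggest comparing a working and a failed ARP snapshot rather than eyeballing them. As an added example, not from the thread, the script below parses ASA "show arp" lines and reports a changed gateway MAC, entries new to the failed snapshot, and any MAC answering for more than one IP on an interface. The IP addresses are constructed (the thread masks its own); the MACs are the ones shown in the post.

```python
import re

# One line of ASA "show arp" output: <interface> <ip> <mac> <age>
ARP_LINE = re.compile(
    r"^\s*(?P<ifc>\S+)\s+(?P<ip>[\d.]+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<age>\d+)\s*$"
)

def parse_arp(text):
    """Return {(interface, ip): mac}; prompt lines and blanks are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[(m["ifc"], m["ip"])] = m["mac"]
    return table

def compare_arp(working, broken, gateway):
    """Compare a healthy snapshot with one taken while the link is down.

    gateway is the (interface, ip) of the default gateway. Returns:
      gateway_mac_changed - the gateway resolves to a different MAC when broken
      new_entries         - entries present only in the failed snapshot
      shared_macs         - one MAC answering for several IPs on one interface"""
    by_mac = {}
    for (ifc, ip), mac in broken.items():
        by_mac.setdefault((ifc, mac), []).append(ip)
    return {
        "gateway_mac_changed": working.get(gateway) != broken.get(gateway),
        "new_entries": sorted(set(broken) - set(working)),
        "shared_macs": sorted((k, sorted(v)) for k, v in by_mac.items() if len(v) > 1),
    }

# Constructed snapshots modelled on the thread: 203.0.113.x stands in for the
# masked XX.XX.167.x addresses; the .66 entry only appears when the link fails.
WORKING_ARP = """ASA5505# show arp
        inside 192.168.1.4 001f.f353.da5f 24
        outside 203.0.113.70 0024.c9cf.2c50 2946
"""
BROKEN_ARP = """ASA5505# show arp
        inside 192.168.1.4 001f.f353.da5f 24
        outside 203.0.113.66 3ce5.a614.e06b 1703
        outside 203.0.113.70 0024.c9cf.2c50 2946
"""
GATEWAY = ("outside", "203.0.113.70")

if __name__ == "__main__":
    print(compare_arp(parse_arp(WORKING_ARP), parse_arp(BROKEN_ARP), GATEWAY))
```

The report is the kind of evidence worth handing to the ISP: a stable gateway MAC with an extra neighbour appearing on the outside segment matches what the poster describes.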

Hello Joffroi,

Please keep us updated.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Was there ever a final resolution to this, and if so, what was it?

A client of mine has an identical problem. Their ISP is Verizon FIOS, who is notorious for their poor technical support in matters like this. If it turns out to be a downstream Verizon router, I may recommend the client change ISPs. Knowing Joffroi's outcome may influence what we do.
