Solved: Duplicate Arp Entry Issue

CSCO11520436 · ‎07-18-2012

Hi,

I am having peculiar issue in my setup. I recently replaced my ASA 5505 (8.2.1) with ASA 5510 (8.4.3). Everything works fine for a while suddenly I see some of the servers will not be reachable from the LAN all the servers gateway is my switch. If I check on my Dell switch the particular server's arp entry on the connected port is same as ASA physicall MAC. If im reverting to 5505 ASA everything goes smooth without any issue.

Please help me out...

Karthik S

Jouni Forss · ‎07-18-2012

Hi,

Well if the ASA has answered the ARP request it probably looks like that.

Are you saying btw that both Vlan 10 and Vlan 20 networks L3 point is on the switch BUT connection from Vlan 10 and Vlan 20 both uses a Vlan 20 access ports towards ASA to use the Internet?

If the situation is as I mentioned above, have you issued the command "sysopt noproxyarp " on the ASA? If you have, have you cleared the ARP on the L3 switch?

If you are not using the ASA to provide the routing between Vlans, wouldnt it be better to have a totally different Vlan and link network to provide the connectivity towards ASA?

- Jouni

View solution in original post

Jouni Forss · ‎07-18-2012

Hi,

Could you perhaps provide some simple picture of the network setup (old and new) and/or some configuration (minus sensitive information such as passwords)

Are you saying that you have a L3 Switch / Router in your setup or are you talking about a normal switch?

- Jouni

CSCO11520436 · ‎07-18-2012

Hi Jouni,

ASA<=========> Dell 7048 Stack<========>Servers & Users

Server vlan 20 --- 10.20.20.0/24

Users vlan 10 --- 10.20.10.0/24

Intervlan routing enabled on the Dell L3 switch. The port connecting from Dell switch to ASA is in Vlan 20.

Old and new setup are same only ASA chage.

Any thing more you required from myside? any suggestion?

Karthik S

Jouni Forss · ‎07-18-2012

Hi,

You could try the command "sysopt noproxyarp " command on the ASA

If you are indeed seeing the ASA interface MAC address on the ARP listing of the L3 Switch it should mean that ASA has answered some devices ARP request instead of the device itself answering the ARP request.

Or have I missed something

- Jouni

CSCO11520436 · ‎07-18-2012

Hi Jouni,

In the arp entry of the switch which is connected to the server showing the Physical MAC address of the ASA.

im getting like below

show arp

10.20.20.2 --- 5097.1234.1567 -- MAC address of my ASA Inside interface

10.20.20.102 --5097.1234.1567

10.20.20.120 --5097.1234.1567

Any idea?

Karthik S

Jouni Forss · ‎07-18-2012

Hi,

Well if the ASA has answered the ARP request it probably looks like that.

Are you saying btw that both Vlan 10 and Vlan 20 networks L3 point is on the switch BUT connection from Vlan 10 and Vlan 20 both uses a Vlan 20 access ports towards ASA to use the Internet?

If the situation is as I mentioned above, have you issued the command "sysopt noproxyarp " on the ASA? If you have, have you cleared the ARP on the L3 switch?

If you are not using the ASA to provide the routing between Vlans, wouldnt it be better to have a totally different Vlan and link network to provide the connectivity towards ASA?

- Jouni

CSCO11520436 · ‎07-18-2012

Hi Jouni,

Yes we use we use both vlan 10 & 20 to user vlan 20 access port to go to the internet.

so i will try to put sysopt no proxyarp on my inside interface and let u know.

Karthik S