11-15-2013 04:03 PM - edited 03-11-2019 08:05 PM
We have a 5/5 (Flexlink) connection from Sonic.net on an Adtran NetVsta 832 gateway.
We have recently upgraded the firewall on this connection from a PIX515E to an ASA 5505 (ASA 5505 Security Plus license).
I have had issues with ARP on this connection where, if I swapped the firewall, I had to call them to clear the ARP on the "ISP" side for the connection to work. That used to work with the PIX, but not with ASA firewalls.
The connection drops every 4 hours for a minute or so (when I had ASA Version 8.2(5) installed), which I suspect is when the ARP times out on the ISP side. I have tested the same configuration on a different WAN connection and it seems OK. So I have narrowed this issue down to an ISP ARP issue, and as always when I call... they tell me that the connection is fine on their end.
I have gone back to using the PIX for now.
My question is how do I make the ASA behave the same as the PIX when answering ARP requests. When I upgraded to ASA Version 9.1(3)2, I cannot even get a connection to the internet.
I have tried
no arp permit-nonconnected
arp permit-nonconnected
arp timeout 14400
arp timeout 800
no joy.
Any suggestions?
:
ASA Version 9.1(3)2
!
hostname XXXXXXXXXXXX
domain-name XXXXXXXXXXXX
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description VoIP-LAN
nameif inside
security-level 100
ip address 192.168.1.x 255.255.255.0
!
interface Vlan2
description WAN Connection
nameif outside
security-level 0
ip address XXXXXXXXXXXX 255.255.255.x
!
boot system disk0:/asa913-2-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name XXXXXXXXXXXX
object network inside1
subnet 192.168.1.0 255.255.255.0
object network VoIP-SRVR
host 192.168.1.x
object network VoIP-NOC
host 192.168.1.x
object network VoIP-TEST-SRVR
host 192.168.1.x
object network VoIP-WEB-SRVR
host 192.168.1.x
object-group network Bad-guys-blocked-ips
network-object 41.0.0.0 255.0.0.0
network-object 58.0.0.0 255.0.0.0
network-object 59.0.0.0 255.0.0.0
network-object 102.0.0.0 255.0.0.0
network-object 105.0.0.0 255.0.0.0
network-object 154.0.0.0 255.0.0.0
network-object 157.0.0.0 255.0.0.0
network-object 177.0.0.0 255.0.0.0
network-object 179.0.0.0 255.0.0.0
network-object 181.0.0.0 255.0.0.0
network-object 183.0.0.0 255.0.0.0
network-object 184.106.0.0 255.255.0.0
network-object 186.0.0.0 255.0.0.0
network-object 187.0.0.0 255.0.0.0
network-object 188.0.0.0 255.0.0.0
network-object 189.0.0.0 255.0.0.0
network-object 190.0.0.0 255.0.0.0
network-object 191.0.0.0 255.0.0.0
network-object 196.0.0.0 255.0.0.0
network-object 200.0.0.0 255.0.0.0
network-object 201.0.0.0 255.0.0.0
network-object 220.0.0.0 255.0.0.0
object-group service VOIP-SIP-PORTS
description VOIP SIP ports Cisco Phones
service-object udp destination range 50000 52000
service-object udp destination range sip 5061
object-group service VOIP-RTP-PORTS
description VoIP-RTP-Media-Start/Stop-Port-Range
service-object udp destination range 10000 20000
object-group service VoIP-Srvr-access-PORTS
description Access to VoIP server Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq tftp
service-object tcp destination eq 4445
service-object udp destination eq ntp
object-group service Web-Srvr-access-PORTS
description Access to Web server Services
service-object tcp destination eq 8081
service-object tcp destination eq www
object-group network HQ-Office
network-object XXXXXXXXXXXX 255.255.255.x
network-object XXXXXXXXXXXX 255.255.255.x
object-group network remote-offices
network-object XXXXXXXXXXXX 255.255.255.x
network-object host XXXXXXXXXXXX
network-object host XXXXXXXXXXXX
network-object XXXXXXXXXXXX 255.255.255.x
network-object XXXXXXXXXXXX 255.255.255.x
network-object XXXXXXXXXXXX 255.255.255.x
network-object XXXXXXXXXXXX 255.255.255.x
network-object XXXXXXXXXXXX 255.255.255.x
network-object host XXXXXXXXXXXX
network-object host XXXXXXXXXXXX
network-object host XXXXXXXXXXXX
object-group network VOIP-PROVIDERS
description VOIP-SERVICE-PROVIDERS Networks
network-object host XXXXXXXXXXXX
network-object host XXXXXXXXXXXX
network-object host XXXXXXXXXXXX
network-object XXXXXXXXXXXX 255.255.255.x
network-object XXXXXXXXXXXX 255.255.255.x
network-object XXXXXXXXXXXX 255.255.255.x
network-object XXXXXXXXXXXX 255.255.255.x
access-list world extended deny ip object-group Bad-guys-blocked-ips any
access-list world extended permit ip object-group HQ-Office any
access-list world extended permit tcp host XXXXXXXXXXXX host 192.168.1.X eq ssh
access-list world extended permit object-group VOIP-RTP-PORTS any host 192.168.1.x
access-list world extended permit object-group VOIP-SIP-PORTS object-group remote-offices host 192.168.1.x
access-list world extended permit object-group VOIP-SIP-PORTS object-group VOIP-PROVIDERS host 192.168.1.x
access-list world extended permit object-group VoIP-Srvr-access-PORTS object-group remote-offices host 192.168.1.x
access-list world extended permit object-group Web-Srvr-access-PORTS object-group remote-offices host 192.168.1.x
access-list world extended permit icmp object-group remote-offices host 192.168.1.x
access-list world extended permit icmp host XXXXXXXXXXXX host 192.168.1.x
access-list world extended permit icmp any any echo-reply
access-list world extended permit icmp any any source-quench
access-list world extended permit icmp any any unreachable
access-list world extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside 192.168.1.x format emblem
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit name OUTSIDE_INFO info action alarm
ip audit name INSIDE_ATTACK attack action alarm drop reset
ip audit name INSIDE_INFO info action alarm
ip audit interface inside INSIDE_INFO
ip audit interface inside INSIDE_ATTACK
ip audit interface outside OUTSIDE_INFO
ip audit interface outside OUTSIDE_ATTACK
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside1
nat (any,outside) dynamic interface
object network VoIP-SRVR
nat (inside,outside) static XXXXXXXXXXXX
object network VoIP-NOC
nat (inside,outside) static XXXXXXXXXXXX
object network VoIP-TEST-SRVR
nat (inside,outside) static XXXXXXXXXXXX
object network VoIP-WEB-SRVR
nat (inside,outside) static XXXXXXXXXXXX
access-group world in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXXXXXXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.255 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.x source inside
username XXXXXXXXXXXX password XXXXXXXXXXXX encrypted privilege 15
!
class-map Voice
match dscp ef
class-map inspection_tftp
match default-inspection-traffic
class-map class_sip_udp
match port udp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
policy-map Voicepolicy
class Voice
priority
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1eefa1df35e9273021ad5760e7e272b0
: end
11-17-2013 02:20 PM
First, that ASA 5505 uses switch ports, so you need to be careful as all interfaces have the same MAC address. Then, if the ARP table has no problems with the PIX 515, just copy the MAC addresses associated to the WAN and LAN side and virtualize them on to the 5505 with the "mac-address" command within each VLAN-defined interface.
Set up a syslog server internally so it can capture at debugging level to see what it reports.
11-18-2013 10:27 AM
enable
config t
logging on
logging trap 7
logging debug-trace
logging host inside
debug ARP
As you can see I put a debug ARP so that way with the logging debug-trace we can forward ARP debugs to the syslog server.
11-18-2013 09:53 AM
Good suggestion on a syslog server, I will set one up and set the logs to "debug level" to see what is going on. It is really hard sometimes to see the issue because it happens only for 1 min every 4 hours or so... so the log server will help.
11-18-2013 03:15 AM
Hi Stephen,
To investigate the root cause of the problem I would set up ARP captures and debugs at the time of the ARP timeout:
capture ARP ethernet-type arp interface outside
debug arp
When the ARP entry is about to expire in the ASA you should see an ARP request (WHO-HAS) sent from the ASA asking about the gateway.
However, if there is some problem in the gateway relearning the ASA's ARP entry after expiry, then it would be good to try reducing the ASA's timeout value to less than the router's (e.g. to 3 hours) so that the ASA's ARP request after 3 hours refreshes the router's ARP entry (the router should learn the IP-MAC mapping from the source addresses of the ARP request).
Hope this helps.
---
Mashal Shboul
11-18-2013 09:49 AM
Hello Mashal,
I will try your suggestion today. Thanks for the reply. I will let you know how it goes.
11-19-2013 12:03 PM
I am currently testing your first suggestion of assigning “virtual” MACs to the Vlan interfaces.
I did that last night and so far the connection has not timed out.
So far so good
Crossing my fingers !!!
I will test it for a while before I place the ASA in production on this connection.
You are very correct in saying that the ASA and PIX handle MAC addresses differently, which makes sense since the ASA uses essentially "a switch" with VLANs for the various interfaces, i.e. INSIDE, OUTSIDE and DMZ.
The problem was that the Sonic.net Flexlink Ethernet WAN is very picky about MAC addresses. I think the router on the other end (ISP side) was not getting a MAC address every time it queried our ASA firewall and was getting confused, and thus before the router "learned" the new MAC address, it would stop forwarding packets to us, causing the 1 min downtime every 4 hours (the ARP timeout time, arp timeout 14400). Strange... still a theory.
The ASA assigns MAC addresses sequentially, as shown below when you do a show interface command.
I have edited the output and altered some MAC address information, but you get the idea.
show interface
MAC address 6c4X.6aXX.cb94 port 0
MAC address 6c4X.6aXX.cb95 port 1
MAC address 6c4X.6aXX.cb96 port 2
MAC address 6c4X.6aXX.cb97 port 3
MAC address 6c4X.6aXX.cb98 port 4
MAC address 6c4X.6aXX.cb99 port 5
MAC address 6c4X.6aXX.cb9a port 6
MAC address 6c4X.6aXX.cb9b port 7
Interface Vlan1 "inside" MAC address 6c4X.6aXX.cb9c
Interface Vlan2 "outside" MAC address 6c4X.6aXX.cb9c
The strange part is that the ASA assigns the same MAC address to the "inside" and "outside" VLAN interfaces, see below.
What I have done is to assign the "outside" VLAN interface the next sequential MAC address,
i.e.
mac-address 6c4X.6aXX.cb9d
============================================================
From
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 6c4X.6aXX.cb9c, MTU 1500
IP address 192.168.1.X, subnet mask 255.255.255.0
Traffic Statistics for "inside":
11340 packets input, 658281 bytes
89801 packets output, 11522641 bytes
1852 packets dropped
1 minute input rate 0 pkts/sec, 4 bytes/sec
1 minute output rate 0 pkts/sec, 81 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 10 bytes/sec
5 minute output rate 1 pkts/sec, 169 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 6c4X.6aXX.cb9c, MTU 1500
IP address XXX.XXX.XXX.XXX, subnet mask 255.255.255.240
Traffic Statistics for "outside":
22933 packets input, 1441961 bytes
8495 packets output, 713252 bytes
10352 packets dropped
1 minute input rate 0 pkts/sec, 11 bytes/sec
1 minute output rate 0 pkts/sec, 1 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 24 bytes/sec
5 minute output rate 0 pkts/sec, 9 bytes/sec
5 minute drop rate, 0 pkts/sec
===========================================================
to
============================================================
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 6c4X.6aXX.cb9c, MTU 1500
IP address 192.168.1.X, subnet mask 255.255.255.0
Traffic Statistics for "inside":
11340 packets input, 658281 bytes
89801 packets output, 11522641 bytes
1852 packets dropped
1 minute input rate 0 pkts/sec, 4 bytes/sec
1 minute output rate 0 pkts/sec, 81 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 10 bytes/sec
5 minute output rate 1 pkts/sec, 169 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 6c4X.6aXX.cb9d, MTU 1500
IP address XXX.XXX.XXX.XXX, subnet mask 255.255.255.240
Traffic Statistics for "outside":
22933 packets input, 1441961 bytes
8495 packets output, 713252 bytes
10352 packets dropped
1 minute input rate 0 pkts/sec, 11 bytes/sec
1 minute output rate 0 pkts/sec, 1 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 24 bytes/sec
5 minute output rate 0 pkts/sec, 9 bytes/sec
5 minute drop rate, 0 pkts/sec
===========================================================
result
show run
~
interface Vlan2
mac-address 6c4X.6aXX.cb9d
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.XXX
~
I will keep you posted on how it goes
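A check for the shared-MAC condition described in this reply, added here as an example and not code from the thread or from Cisco: it parses `show interface` output in the format quoted above (with constructed MAC values) and proposes the next sequential address, which is the fix applied above to Vlan2.

```python
"""Added example (not from the thread): find ASA VLAN interfaces that share a MAC.
Parses `show interface` text in the format quoted above; MACs are constructed."""
import re
from collections import defaultdict

# Constructed sample of `show interface` output, trimmed to the relevant lines.
SAMPLE_SHOW_INTERFACE = """\
Interface Vlan1 "inside", is up, line protocol is up
    Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
    MAC address 0011.2233.cb9c, MTU 1500
    IP address 192.168.1.1, subnet mask 255.255.255.0
Interface Vlan2 "outside", is up, line protocol is up
    Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
    MAC address 0011.2233.cb9c, MTU 1500
    IP address 203.0.113.2, subnet mask 255.255.255.240
"""

INTERFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
MAC_RE = re.compile(r'^\s*MAC address ((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})')

def parse_interface_macs(text):
    """Return {interface_name: mac} for every interface block in the output."""
    macs, current = {}, None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)  # e.g. "Vlan2"
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            macs[current] = m.group(1).lower()
            current = None  # one MAC line per interface block
    return macs

def find_shared_macs(macs):
    """Return {mac: [interfaces]} for MACs bound to more than one interface."""
    by_mac = defaultdict(list)
    for name, mac in macs.items():
        by_mac[mac].append(name)
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}

def next_mac(mac):
    """Next sequential MAC, the thread's fix: give Vlan2 the address after Vlan1's."""
    value = (int(mac.replace(".", ""), 16) + 1) & 0xFFFFFFFFFFFF
    hexstr = f"{value:012x}"
    return ".".join(hexstr[i:i + 4] for i in range(0, 12, 4))

if __name__ == "__main__":
    for mac, names in find_shared_macs(parse_interface_macs(SAMPLE_SHOW_INTERFACE)).items():
        print(f"MAC {mac} shared by {', '.join(names)}; use e.g. mac-address {next_mac(mac)}")
```

Run it against the real `show interface` output saved to a file; any MAC listed under more than one nameif is a candidate for a static `mac-address` on the VLAN interface facing the picky gateway.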
11-20-2013 11:19 AM
Thanks guys, it looks like that was the solution as Jumora suggested.
~
interface Vlan2
mac-address 6c4X.6aXX.cb9d
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.XXX
~
The issue is with how the ASA handles MAC addresses as compared to a PIX. Some internet gateways/routers do not play nice with the ASA. The connection drops every 4 hours or so, as in my case, when ARP times out on the WAN side. The fix is to nail down a "static" MAC address on the virtual VLAN associated to the problematic port, in this case the WAN connection to the Sonic.net Flexlink Ethernet on an Adtran NetVsta 832 gateway.
For a week or so I got yelled at for "dropped calls"; glad this is resolved... lol... off to the next fire.
11-20-2013 11:35 AM
Thank you for letting us help, please rate all who assisted on the ticket!!!!!