ASA 5515 9.8(2) and windows 10 1709 ARP issue

fhgsit
Level 1

Hello,

I created a new network and have the ASA as the router for it, like always. However, Windows 10 clients within the network will not work, where Linux does:

I captured some traffic, and it boils down to:

Windows gets an IP from DHCP (Discover, Offer, Request, Ack), does some DNS queries and other stuff, and then it tries to ARP-resolve its own IP. Now the ASA answers: "my MAC has got that IP". Why, though?

Windows then says it's a duplicate and sends a DHCP Decline.

Any hints on how to change this behaviour? I don't understand why the ASA answers (with its own MAC) while the subnet is asked for the MAC of the client's IP.

 

Thanks

3 Replies

mikael.lahtela
Level 4
Hi,

I think you need to provide some sanitized running-config from your ASA to get an answer.

br, Micke

fhgsit
Level 1

Thanks mikael.lahtela for the reply.

Here is a config, plus another one from a network I created today.

The network from today (vlan 531) is behaving right, e.g. the ASA won't answer ARP.

Configs:

 

interface Port-channel1.530
 vlan 530
 nameif pub_c_129
 security-level 60
 ip address 129.216.216.1 255.255.255.0 standby 129.216.216.2
!
interface Port-channel1.531
 vlan 531
 nameif lab_oss_tss
 security-level 60
 ip address 10.148.167.1 255.255.255.0 standby 10.148.167.2

 

monitor-interface pub_c_129
monitor-interface lab_oss_tss

 

dhcprelay enable pub_c_129
dhcprelay enable lab_oss_tss
dhcprelay timeout 60

object network pub_c_129_network
 subnet 129.216.216.0 255.255.255.0
object network lab_oss_tss_network
 subnet 10.148.167.0 255.255.255.0

 

The differences:

pub_c has no route; it is using the default 0.0.0.0.

pub_c has NAT: original to original; the other network has some translation. But what should ARP care about that?

 

route outside 0.0.0.0 0.0.0.0 180.14.128.248 130
route outside 10.148.0.0 255.255.254.0 180.14.128.11 2

 

nat (pub_c_129,any) source static pub_c_129_network pub_c_129_network

 

Shall I "debug arp" to see something interesting? I would love to have someone interested, with more know-how, guiding me in this topic here. Maybe I can just debug it for the one VLAN?

 

Some capture from the ASA:

 109: 10:40:58.642514       802.1Q vlan#530 P1 arp who-has 129.216.216.1 tell 129.216.216.239
 110: 10:40:58.642636       802.1Q vlan#530 P1 arp reply 129.216.216.1 is-at f8:72:ea:a4:ae:e3
 111: 10:40:58.645199       802.1Q vlan#530 P1 arp who-has 129.216.216.1 tell 129.216.216.239
 112: 10:40:58.645306       802.1Q vlan#530 P1 arp reply 129.216.216.1 is-at f8:72:ea:a4:ae:e3
 113: 10:40:58.684260       802.1Q vlan#530 P0 arp who-has 129.216.216.239 tell 129.216.216.1
 114: 10:40:58.718133       802.1Q vlan#530 P0 arp reply 129.216.216.239 is-at 50:9a:4c:ca:5a:ec
 115: 10:40:59.015242       802.1Q vlan#530 P1 arp who-has 129.216.216.239 tell 0.0.0.0
 116: 10:40:59.015303       802.1Q vlan#530 P1 arp reply 129.216.216.239 is-at f8:72:ea:a4:ae:e3

 

I guess you can see the request from the client in (115), and the reply from the ASA in (116).

The client's reply to another request (which should be the only reply) is in (114).

 

Greetings

 

Sorry for the disturbance, I guess I found it.

I set "disable proxy arp on egress interface" on the NAT rule and it works now.

 

I wonder why some sanity check won't find that it is also the ingress interface and prevent something.
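The symptom in the capture above is a duplicate-address-detection probe (an ARP request with sender 0.0.0.0, as in frame 115) being answered with the firewall's interface MAC (frame 116). What follows is an added example written for this thread; it is not code from the original post or from Cisco. It parses ARP lines in the format of the ASA `show capture` output quoted above, learns the gateway MAC from the replies for the gateway address, and flags every reply that answers a host's own probe with that same MAC. The gateway IP is assumed to be supplied by the caller, and the embedded sample is constructed from the eight frames quoted in the post.

```python
"""Spot a firewall answering a host's own ARP probe with its interface MAC.

Added example for this thread, not code from the original post or from Cisco.
It parses ARP lines in the format of the ASA 'show capture' output and flags
an ARP probe (sender 0.0.0.0, RFC 5227 duplicate address detection) for a
non-gateway address that is answered with the gateway's own MAC, which is
what proxy ARP on an identity NAT rule produces on the real-side interface.
Assumption: the caller knows and passes in the gateway IP of the VLAN.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the frames quoted in the post, in ASA capture format.
SAMPLE_CAPTURE = """\
 109: 10:40:58.642514       802.1Q vlan#530 P1 arp who-has 129.216.216.1 tell 129.216.216.239
 110: 10:40:58.642636       802.1Q vlan#530 P1 arp reply 129.216.216.1 is-at f8:72:ea:a4:ae:e3
 111: 10:40:58.645199       802.1Q vlan#530 P1 arp who-has 129.216.216.1 tell 129.216.216.239
 112: 10:40:58.645306       802.1Q vlan#530 P1 arp reply 129.216.216.1 is-at f8:72:ea:a4:ae:e3
 113: 10:40:58.684260       802.1Q vlan#530 P0 arp who-has 129.216.216.239 tell 129.216.216.1
 114: 10:40:58.718133       802.1Q vlan#530 P0 arp reply 129.216.216.239 is-at 50:9a:4c:ca:5a:ec
 115: 10:40:59.015242       802.1Q vlan#530 P1 arp who-has 129.216.216.239 tell 0.0.0.0
 116: 10:40:59.015303       802.1Q vlan#530 P1 arp reply 129.216.216.239 is-at f8:72:ea:a4:ae:e3
"""

# The two ARP line shapes in the ASA capture output:
#   <n>: <time> 802.1Q vlan#<v> P<p> arp who-has <target> tell <sender>
#   <n>: <time> 802.1Q vlan#<v> P<p> arp reply <ip> is-at <mac>
ARP_LINE = re.compile(
    r"^\s*(?P<num>\d+):\s+\S+\s+802\.1Q vlan#(?P<vlan>\d+)\s+P\d+\s+arp\s+"
    r"(?:who-has\s+(?P<target>\S+)\s+tell\s+(?P<sender>\S+)"
    r"|reply\s+(?P<ip>\S+)\s+is-at\s+(?P<mac>[0-9a-f:]{17}))\s*$"
)


@dataclass
class ArpFrame:
    num: int
    vlan: int
    kind: str                      # "request" or "reply"
    ip: str                        # requested IP (request) or answered IP (reply)
    sender: Optional[str] = None   # "tell" address; 0.0.0.0 marks a DAD probe
    mac: Optional[str] = None      # is-at MAC on replies


def parse_capture(text: str) -> List[ArpFrame]:
    """Parse ARP frames out of ASA capture text; other lines are ignored."""
    frames = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        num, vlan = int(m.group("num")), int(m.group("vlan"))
        if m.group("target"):
            frames.append(ArpFrame(num, vlan, "request", m.group("target"),
                                   sender=m.group("sender")))
        else:
            frames.append(ArpFrame(num, vlan, "reply", m.group("ip"),
                                   mac=m.group("mac")))
    return frames


def gateway_mac(frames: List[ArpFrame], gateway_ip: str) -> Optional[str]:
    """MAC the gateway itself claims in replies for its own address."""
    return next((f.mac for f in frames if f.kind == "reply" and f.ip == gateway_ip), None)


def find_proxy_arp_on_probes(frames: List[ArpFrame], gateway_ip: str) -> List[Tuple[int, str]]:
    """Return (frame number, probed IP) for every reply that answers a DAD probe
    for a non-gateway address with the gateway's own MAC."""
    gw_mac = gateway_mac(frames, gateway_ip)
    if gw_mac is None:
        return []
    probed = set()
    hits = []
    for f in frames:
        if f.kind == "request" and f.sender == "0.0.0.0" and f.ip != gateway_ip:
            probed.add(f.ip)
        elif f.kind == "reply" and f.ip in probed and f.mac == gw_mac:
            hits.append((f.num, f.ip))
    return hits


if __name__ == "__main__":
    frames = parse_capture(SAMPLE_CAPTURE)
    gw = "129.216.216.1"
    print(f"gateway {gw} is-at {gateway_mac(frames, gw)}")
    for num, ip in find_proxy_arp_on_probes(frames, gw):
        print(f"frame {num}: gateway answered the DAD probe for {ip} -> Windows will decline the lease")
```

Run it against `show capture <name>` output and pass the VLAN's gateway address; a hit means the firewall is proxy-ARPing for hosts on the interface the hosts live on. On the ASA, the fix the thread ends with corresponds to the `no-proxy-arp` keyword on the twice-NAT statement (`nat (pub_c_129,any) source static pub_c_129_network pub_c_129_network no-proxy-arp`); `sysopt noproxyarp <nameif>` turns proxy ARP off for an interface as a whole. The lab_oss_tss network did not show the problem because its NAT is not an identity rule covering the same subnet on the same interface.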
