I see a problem in my Inside Segment of Firewall, where the Primary Firewall is doing Proxy ARP for all directly connected hosts on the Inside Segment.
This even causes connectivity issues to the Secondary Firewall IP from the Inside Segment.
ip address 172.26.29.139 255.255.255.248 standby 172.26.29.140
Proxy ARP is not yet disabled for Inside Interface.
I have an Identity NAT statement for my Inside Segment, but no Proxy ARP is set.
object network obj-172.26.29.136
subnet 172.26.29.136 255.255.255.248
nat (inside,any) source static obj-172.26.29.136 obj-172.26.29.136 no-proxy-arp
Is this a known bug with the 8.4.2 code of ASA?
To my understanding there have been problems with Proxy ARP mostly related to NAT configurations. But I can't shake the feeling that sometimes simply having this Proxy ARP feature enabled on the Cisco firewall has caused the firewall to answer ARP requests even though it has had no NAT configurations for which to answer ARP requests. I can't be 100% sure as I have not had many of those situations and have not had the chance to debug those situations when they have presented themselves.
Do you have any need to have the Proxy ARP enabled on the interface? Most of the time I always disable it on the LAN/DMZ interfaces of the ASA right from the start as there is usually no NAT done to the IP address of any of the ASAs connected networks. In other cases local routing should handle the forwarding of traffic to the ASA and no ARP should be needed for possible NAT IP addresses.
Do you perhaps have some wide Dynamic PAT rule in place as you have configured this Static Identity NAT? I am just asking as if you have specified the sources of your dynamic translations specifically then you would have no need for ANY Identity NAT configurations on the ASA. I was glad to get rid of this compared to the older software versions.
I am for example just creating a migration configuration for one of our customers. In total I will be removing around 850 Static Identity NAT configurations from their firewall upon the migration.
No, it shouldn't.
The only ARP related operation to that NAT configuration is that the ASA will answer any ARP request related to the IP address configured on the interface. And there is nothing really unordinary in that as the device naturally answers ARP requests related to its interface IP addresses and their MAC address.
I was just thinking that since clearly the small subnet that has the Static Identity NAT configuration is not supposed to be translated at all, and if you had a Dynamic PAT configuration that specified the required source network, then the Static Identity NAT would not be needed at all (if there is a doubt that it might be causing this).
I personally configure Dynamic PAT in this way for LAN/DMZ networks
object-group network PAT-SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
I can't really say if you are running into some bug. Even though I have been using the same software (not the same Interim release though) on multiple platforms, I have not used Identity NAT configurations since the 8.2 software.
It's my understanding that the ASA should only use Proxy ARP if you have configured NAT which uses one of your ASA's connected networks' IP address(es) as the mapped address.
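As an added example (not from the thread or from Cisco), here is a small audit script that checks a flat ASA running-config for the condition described in the reply above: a `source static` NAT whose mapped addresses fall inside a directly connected subnet and that does not carry `no-proxy-arp`. It assumes the documented ASA behaviour that the firewall proxy-ARPs for mapped addresses on the mapped interface, and on every interface when the mapped interface is `any`. The configuration embedded in it is constructed: the inside interface, its object and the `no-proxy-arp` line follow the original post, while the outside/dmz interfaces, the other objects and the last two NAT lines are hypothetical.

```python
import ipaddress
import re

# Constructed sample ASA configuration (not from the thread's firewall): the inside
# interface, its identity-NAT object and the no-proxy-arp line mirror the post; the
# outside/dmz interfaces, objects and the last two NAT lines are hypothetical.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
interface GigabitEthernet0/1
 nameif inside
 ip address 172.26.29.139 255.255.255.248 standby 172.26.29.140
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.20.30.1 255.255.255.0 standby 10.20.30.2
object network obj-172.26.29.136
 subnet 172.26.29.136 255.255.255.248
object network obj-dmz-net
 subnet 10.20.30.0 255.255.255.0
object network obj-dmz-web
 host 10.20.30.50
object network obj-dmz-web-public
 host 203.0.113.50
nat (inside,any) source static obj-172.26.29.136 obj-172.26.29.136 no-proxy-arp
nat (dmz,any) source static obj-dmz-net obj-dmz-net
nat (dmz,outside) source static obj-dmz-web obj-dmz-web-public
"""

# Only twice-NAT 'source static' lines are handled; object NAT is out of scope here.
NAT_RE = re.compile(
    r"nat \(([^,]+),([^)]+)\) (?:after-auto )?source static (\S+) (\S+)(.*)$"
)


def parse_config(text):
    """Return (interfaces, objects, nats) from a flat ASA running-config."""
    interfaces = {}  # nameif -> connected subnet (ip_network)
    objects = {}     # 'object network' name -> ip_network (host -> /32)
    nats = []        # one dict per 'source static' twice-NAT line
    nameif = None    # nameif of the interface block being parsed
    obj = None       # name of the object block being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif, obj = None, None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()[:4]
            interfaces[nameif] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("object network "):
            obj, nameif = line.split()[2], None
        elif line.startswith("subnet ") and obj:
            _, net, mask = line.split()[:3]
            objects[obj] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif line.startswith("host ") and obj:
            objects[obj] = ipaddress.ip_network(line.split()[1] + "/32")
        else:
            m = NAT_RE.match(line)
            if m:
                real_ifc, mapped_ifc, real, mapped, opts = m.groups()
                nats.append({
                    "line": line, "mapped_ifc": mapped_ifc, "real": real,
                    "mapped": mapped, "no_proxy_arp": "no-proxy-arp" in opts,
                })
    return interfaces, objects, nats


def proxy_arp_audit(text):
    """List (interface, mapped_prefix, is_identity) for every static NAT whose
    mapped addresses overlap a connected subnet and that lacks no-proxy-arp.
    Assumed ASA behaviour: the firewall proxy-ARPs for mapped addresses on the
    mapped interface, and on every interface when the mapped interface is 'any'."""
    interfaces, objects, nats = parse_config(text)
    findings = []
    for nat in nats:
        if nat["no_proxy_arp"] or nat["mapped"] not in objects:
            continue
        mapped_net = objects[nat["mapped"]]
        if nat["mapped_ifc"] == "any":
            candidates = list(interfaces.items())
        else:
            candidates = [(nat["mapped_ifc"], interfaces.get(nat["mapped_ifc"]))]
        for ifc, net in candidates:
            if net is not None and mapped_net.overlaps(net):
                # Identity NAT (real == mapped) on a connected subnet is the case
                # where proxy ARP is almost never wanted.
                findings.append((ifc, str(mapped_net), nat["real"] == nat["mapped"]))
    return findings


if __name__ == "__main__":
    for ifc, prefix, identity in proxy_arp_audit(SAMPLE_CONFIG):
        kind = "identity NAT" if identity else "translated NAT"
        print(f"{ifc}: ASA will proxy-ARP for {prefix} ({kind})")
```

Run against the sample, the `(inside,any)` identity NAT is silent because it carries `no-proxy-arp`, the `(dmz,any)` identity NAT is reported on `dmz` (the unwanted case this thread is about), and the `obj-dmz-web-public` translation is reported on `outside`, where proxy ARP for the public address is the intended behaviour.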
Now that I look at it, it seems that I might have slightly misunderstood the issue. I thought this was a problem with hosts but you talk about the Failover pair (and since the network is only /29 there is not much possibility of a host network). We do have Failover pairs running 8.4(2) and we have not run into any such problems.
Both ASA should answer to the ARP requests normally as they have the IP address configured on their interfaces (depending which device is active).
Are you saying that the connected router can see the Active ASA answering with Proxy ARP requests related to the Standby unit's IP address?
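To check from the inside segment what the last question asks, here is an added example (not part of the thread) that parses tcpdump-style ARP replies and reports every IP that resolves to the same MAC as the active firewall address. It assumes the ASA failover behaviour that the active IP and active MAC move together while the standby unit answers for its own IP with its own MAC, so the standby IP (or any host IP) showing up with the active MAC indicates the active unit is proxy-ARPing for it. The capture lines and MAC addresses are constructed; the .139/.140 addresses are the active/standby IPs from the original post and .137/.138 are made-up hosts on the same /29.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP replies as seen from a host on the inside /29.
# MAC addresses are hypothetical; .139/.140 are the thread's active/standby IPs,
# .137 and .138 are made-up hosts on the same segment.
SAMPLE_ARP_REPLIES = """\
12:00:01.000001 ARP, Reply 172.26.29.139 is-at 00:1a:2b:3c:4d:01, length 28
12:00:01.000230 ARP, Reply 172.26.29.140 is-at 00:1a:2b:3c:4d:01, length 28
12:00:02.000005 ARP, Reply 172.26.29.137 is-at 00:1a:2b:3c:4d:01, length 28
12:00:02.000410 ARP, Reply 172.26.29.138 is-at 00:50:56:aa:bb:02, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def ips_by_mac(capture):
    """Map each replying MAC to the sorted list of IPs it has claimed."""
    table = defaultdict(set)
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            table[m.group(2).lower()].add(m.group(1))
    return {mac: sorted(ips) for mac, ips in table.items()}


def proxy_arp_suspects(capture, active_ip):
    """Return the IPs (other than active_ip) whose ARP replies carry the same
    MAC as the active firewall address, sorted numerically.
    Assumption: in an ASA active/standby pair the standby IP is answered with
    the standby unit's own MAC, so any other IP sharing the active MAC is being
    proxy-ARPed by the active unit."""
    table = ips_by_mac(capture)
    suspects = set()
    for mac, ips in table.items():
        if active_ip in ips:
            suspects.update(ip for ip in ips if ip != active_ip)
    return sorted(suspects, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    for ip in proxy_arp_suspects(SAMPLE_ARP_REPLIES, "172.26.29.139"):
        print(f"{ip} resolves to the active firewall MAC (possible proxy ARP)")
```

On the sample capture the standby address .140 and the host .137 are both reported, which is exactly the symptom the original post describes; a clean segment would report nothing. The same function works on the output of `tcpdump -nn arp` saved to a file, with the active IP taken from the `ip address ... standby ...` line of the interface.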