ASA ARP timeout recommendation

lostngone
Level 1

I currently have the timeout set to 14400. I have been dragging this along in my config for a long time.

"arp timeout 14400"

My question is what is the recommendation for the timeout? 4 hours seems like a long time.

gurpsin2
Level 1

Hi,

By default, arp timeout value on ASA is 14400, which is global. Do you have any reasons for changing this value?

You may refer to the following document to know more about proxy arp and gratuitous arp

Regards

Gurpreet

I am having an issue with only the redhat/fedora systems on the DMZ segment of this ASA 5510.

Every time one of these systems reboots the system complains that its IP address is already in use and refuses to start networking. The IP address is NOT in use by any other systems on that subnet.

I am thinking this has something to do with proxy arp or the arp table on the ASA but I really do not know.

Hello,

Are there any NATs related to this RedHat system?

Also check the show run all sysopt and verify that proxy-arp is enabled for the DMZ.

Let me know what you get..

Remember to rate all of the answers, that is why we are here...

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

show run all sysopt

---

no sysopt noproxyarp inside

no sysopt noproxyarp dmz

no sysopt noproxyarp outside

no sysopt noproxyarp management

Does this mean it is on for all interfaces (or off)?

Hello,

It means it's on for all the interfaces.

Try to turn it off on the DMZ and see what happens:

sysopt noproxyarp dmz

Regards,

Remember to rate all of the answers,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank You.

That did resolve the issue.

My next question is I thought proxy arp was off by default? This is running an 8.2.x build (I know I need to upgrade).

I cannot seem to find anywhere in my config where I am enabling it. Any ideas?

Hello,

It is enabled by default!

sh run all sysopt ... That is where you see it is enabled by default

no sysopt noproxyarp inside

no sysopt noproxyarp dmz

no sysopt noproxyarp outside

no sysopt noproxyarp management

Regards,

Remember to rate all of the helpful posts,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
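
The double negative in the `show run all sysopt` output discussed above can be resolved per interface with a short audit script. This is an added example, not part of the original posts; the function names are hypothetical and the sample output is constructed from the lines quoted in the thread, with dmz shown after the fix.

```python
import re

# Matches both forms the ASA prints:
#   "no sysopt noproxyarp dmz"  -> proxy ARP enabled on dmz (the default)
#   "sysopt noproxyarp dmz"     -> proxy ARP disabled on dmz
_LINE = re.compile(r"^\s*(no\s+)?sysopt\s+noproxyarp\s+(\S+)\s*$")


def proxy_arp_state(show_output):
    """Map interface name -> True if proxy ARP is enabled there."""
    state = {}
    for line in show_output.splitlines():
        m = _LINE.match(line)
        if m:
            # A leading "no" negates "noproxyarp", so proxy ARP is ON.
            state[m.group(2)] = m.group(1) is not None
    return state


def disable_commands(state, interfaces):
    """Commands that turn proxy ARP off on the named interfaces where it is on."""
    unknown = [i for i in interfaces if i not in state]
    if unknown:
        # Refuse to guess for an interface the output never mentioned.
        raise KeyError("no sysopt noproxyarp line for: " + ", ".join(unknown))
    return [f"sysopt noproxyarp {i}" for i in interfaces if state[i]]


# Constructed sample: the output quoted in the thread, after the fix on dmz,
# plus one unrelated sysopt line that the parser must ignore.
SAMPLE = """\
no sysopt noproxyarp inside
sysopt noproxyarp dmz
no sysopt noproxyarp outside
no sysopt noproxyarp management
sysopt connection permit-vpn
"""

if __name__ == "__main__":
    st = proxy_arp_state(SAMPLE)
    for name, enabled in st.items():
        print(f"{name:12} proxy ARP {'ENABLED' if enabled else 'disabled'}")
    print(disable_commands(st, ["dmz", "inside"]))
```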