ASA blocking mpls traffic from a customer - Arp collisions

eric.lovelace
Level 1

We host software for a customer and they just installed a managed MPLS router. Management wanted a way to protect their servers in our datacenter, so we put the ASA in between their MPLS router and their VLAN in our datacenter. One of the requirements was that the IPs could not change, so I static NATted the server inside,outside to the same IP and now I keep getting ARP errors.

static (inside,outside) 10.100.31.22 10.100.31.22 netmask 255.255.255.255

4 Jan 08 2011 09:31:18 Received ARP request collision from 10.100.31.22/e41f.1379.331e on interface inside with existing ARP entry 10.100.31.22/e41f.1379.331c

I have attached the running config. Is there another way I should be configuring this?

Thanks!

3 Replies

Hi,

You have this statement:

static (inside,outside) 10.100.31.22 10.100.31.22 netmask 255.255.255.255

It means that the ASA will receive traffic on its outside interface for IP 10.100.31.22 and will send it to the server 10.100.31.22 on its inside (and vice versa).

The ASA will accept traffic intended to 10.100.31.22 on its outside interface (sent to the MAC address of the outside interface), and redirect the traffic to the inside (to the MAC address of the server).

But, the error that you're getting is on the inside interface.

Can you check both MAC addresses reported on the error message to see if one belongs to the server itself and the other to the inside interface of the ASA?

Also, check the ARP table on the ASA to check which mapping reports to 10.100.31.22.

Federico.

Hi Federico,

The MAC address on the server is E41F.1379.331C. The inside interface of the ASA has a MAC of 5475.d026.f713.

On the ASA, 10.100.31.22 has a MAC of e41f.1379.331c. However, I did find that in the ASA ARP table, MAC e41f.1379.331e is tied to IP 10.100.31.20.

inside 10.100.31.20 e41f.1379.331e 11005

inside 10.100.31.22 e41f.1379.331e 12

Could this be a server issue? How did my configuration look? Is static natting the best practice for deploying a firewall in this scenario?

Eric,

Received ARP request collision from 10.100.31.22/e41f.1379.331e on interface inside with existing ARP entry 10.100.31.22/e41f.1379.331c

That message means that the devices with the MAC addresses e41f.1379.331e and e41f.1379.331c both are claiming to own the same IP address.

You mentioned E41F.1379.331C - is owned by the server.

Find out which device owns this MAC address e41f.1379.331e and see why it could be claiming the same IP address as the device with MAC e41f.1379.331e.

-KS
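
The cross-check both replies ask for (which MACs claim 10.100.31.22, and which other addresses e41f.1379.331e answers for), as an added example that is not part of the original thread. The sample input is constructed from the lines quoted above; the function names and the assumed `interface ip mac age` ARP-table layout are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the ARP-table rows and syslog message quoted in the thread.
SAMPLE = """\
inside 10.100.31.20 e41f.1379.331e 11005
inside 10.100.31.22 e41f.1379.331e 12
Received ARP request collision from 10.100.31.22/e41f.1379.331e on interface inside with existing ARP entry 10.100.31.22/e41f.1379.331c
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
ARP_LINE = re.compile(rf"^\s*(\S+)\s+{IP}\s+{MAC}\s+\d+\s*$")
COLLISION = re.compile(
    rf"ARP \w+ collision from {IP}/{MAC} on interface (\S+) "
    rf"with existing ARP entry {IP}/{MAC}")

def collect_claims(text):
    """Return {(interface, ip): set of MACs seen claiming that IP}."""
    claims = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac = m.groups()
            claims[(iface, ip)].add(mac.lower())
            continue
        m = COLLISION.search(line)  # search() tolerates a timestamp prefix
        if m:
            new_ip, new_mac, iface, old_ip, old_mac = m.groups()
            claims[(iface, new_ip)].add(new_mac.lower())
            claims[(iface, old_ip)].add(old_mac.lower())
    return claims

def duplicate_ips(claims):
    """IPs claimed by more than one MAC on the same interface."""
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}

def multi_ip_macs(claims):
    """MACs that answer for more than one IP (one NIC, several addresses)."""
    by_mac = defaultdict(set)
    for (iface, ip), macs in claims.items():
        for mac in macs:
            by_mac[(iface, mac)].add(ip)
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}

if __name__ == "__main__":
    claims = collect_claims(SAMPLE)
    print("IPs with more than one MAC:", duplicate_ips(claims))
    print("MACs with more than one IP:", multi_ip_macs(claims))
```
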
