07-05-2018 08:10 PM - edited 02-21-2020 07:57 AM
Hi there - hoping someone can help with this one as it has me a little bamboozled!
We are in the process of upgrading 3 sites from ASA to FTD devices, 2 sites have gone well but I am having real troubles with the final site.
We are doing a cutover - so same configuration / ruleset / NAT / Addressing etc on the new device.
Initially after cutover everything is ok, then after a few minutes we lose connectivity with random devices on the internal network on the same subnet as the internal interface of the FTD which is on vlan10 - 10.0.0.0/24.
I take a look at the core switch ARP table and I can see switch management IPs and VMs running Windows OS now with ARP entries pointing to the MAC of the internal interface of the FTD.
If I clear the ARP cache on the core switch it fixes the management IPs for the networking equipment - but not the virtual machines.
For example 10.0.0.40 is a Windows server VM with a MAC address of 00-50-56-AD-67-57.
After performing cutover to the new FTD we lose connectivity to the server and if I perform an ARP lookup on our core switch (Cisco 3750 stack) I get this:
Internet 10.0.0.40 2 780c.f018.xxxx ARPA Vlan10
780c.f018.xxxx is the MAC on the internal interface of our FTD 2110 running 6.2.3.1
After failing back we then need to reboot the VM and the MAC address table returns to normal
Internet 10.0.0.40 0 0050.56ad.6757 ARPA Vlan10
Any clue as to what is going on here? Why would the FTD be changing the ARP table for internal interfaces of switches and servers on our core switch?
07-06-2018 12:50 AM
From the description it sounds like FTD is doing proxy-ARP for that network.
Check your NAT rules and see if that could be the case - it can be seen under Advanced tab for the NAT rule.
07-06-2018 01:02 AM
07-06-2018 02:28 AM
By default the FTD appliance will have "no sysopt noproxyarp <nameif>", meaning it WILL proxy arp. Changing that behavior should be possible with a Flexconfig.
You might also look at your NAT rules as suggested since the following behavior (from an ASA article) would also apply to FTD as the ARP and NAT codebase is the same.
07-08-2018 03:11 PM
To add to what @Marvin Rhoads mentioned, the proxy arp issue comes very much into play when you have rules that have (any) in the source or destination interface. Idea is that if you have (inside,any) rule, this can also be categorized as (inside,inside) causing the FTD or ASA to proxy arp on the inside interface. Proxy arp is usually only required on the outside interface when you have dynamic or static NAT going out to the internet and you want the return traffic to be sent back to the Firewall's outside interface. Try to keep your NAT rules specific with regards to interfaces and networks when possible.
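The symptom described in this thread (hosts on the inside VLAN whose ARP entry suddenly resolves to the firewall's interface MAC) can be spotted quickly from the core switch's `show ip arp` output. The parser below is an added example, not code from the thread or from Cisco; the ARP lines, the firewall MAC and the firewall's own IP are constructed sample values, not the real ones from the post.

```python
import re
from typing import List, Set, Tuple

# One line of Cisco IOS "show ip arp" output:
#   Protocol  Address  Age (min)  Hardware Addr  Type  Interface
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\d+|-)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample output. 10.0.0.1 is assumed to be the FTD inside
# interface; 10.0.0.40 and 10.0.0.2 are hosts whose entries have been
# overwritten by the firewall proxy-ARPing on the inside interface.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                1   0011.2233.4455  ARPA   Vlan10
Internet  10.0.0.40               2   0011.2233.4455  ARPA   Vlan10
Internet  10.0.0.41               0   0050.56ad.6758  ARPA   Vlan10
Internet  10.0.0.2                5   0011.2233.4455  ARPA   Vlan10
"""
FIREWALL_MAC = "0011.2233.4455"   # constructed, stands in for the FTD inside MAC
FIREWALL_IPS = {"10.0.0.1"}       # constructed, the IP(s) the firewall legitimately owns


def parse_arp(output: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, interface) tuples for every ARP entry; headers are skipped."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["intf"]))
    return entries


def find_proxy_arp_victims(output: str, firewall_mac: str,
                           firewall_ips: Set[str]) -> List[Tuple[str, str]]:
    """List (ip, interface) entries resolving to the firewall MAC for an IP
    the firewall does not own. Any hit means the firewall answered ARP for a
    host address, i.e. proxy ARP on that interface, typically from a NAT rule
    with 'any' as the interface. Entries for the firewall's own IPs are normal."""
    fw_mac = firewall_mac.lower()
    return [(ip, intf) for ip, mac, intf in parse_arp(output)
            if mac == fw_mac and ip not in firewall_ips]


if __name__ == "__main__":
    for ip, intf in find_proxy_arp_victims(SAMPLE_ARP, FIREWALL_MAC, FIREWALL_IPS):
        print(f"{ip} on {intf} now resolves to the firewall MAC")
```

Run against the real switch output after a cutover, a non-empty result confirms the proxy-ARP diagnosis before you touch the NAT rules or FlexConfig.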