09-28-2011 07:22 AM - edited 03-11-2019 02:31 PM
My customer has a 5510 with the inside interface connected to a routed port on a Cat3560G
When I look at the arp cache on the 5510 all inside IPs have the MAC of the 3560's routed port
Partial output:
asa# sho arp
inside 172.20.1.138 0024.1397.f8c1 1407
inside 172.20.1.104 0024.1397.f8c1 2983
inside 172.20.1.148 0024.1397.f8c1 2995
inside 172.20.1.20 0024.1397.f8c1 3057
inside 172.20.1.130 0024.1397.f8c1 3379
inside 172.20.1.102 0024.1397.f8c1 3592
inside 172.20.1.144 0024.1397.f8c1 3928
---
I cannot see why this is happening.
Suggestions??
Thx
Phil
09-28-2011 12:52 PM
Hi,
no need to turn off proxy-arp on the switch.
As you notice here:
ASA
C 1.1.1.0 255.255.255.240 is directly connected, inside
S 172.20.1.0 255.255.255.0 [1/0] via 1.1.1.1, inside
3560G:
Gateway of last resort is 1.1.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 1.1.1.1
You made a typo in your route config on the ASA: you put the IP address of the ASA as the next hop.
Change it to the IP of the switch and it will be OK.
Regards.
Alain.
09-28-2011 08:05 AM
Hi,
Surely the 3560G is doing proxy-arp.
Can you provide sh route from the ASA?
Regards.
Alain.
09-28-2011 08:20 AM
Alain,
Thanks for your interest. It has me stumped too.
ASA show route with only inside interface routes:
C 1.1.1.0 255.255.255.240 is directly connected, inside
S 172.20.1.0 255.255.255.0 [1/0] via 1.1.1.1, inside
Also from ASA:
show run all | in arp
arp timeout 14400
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp management
From 3560G:
Gateway of last resort is 1.1.1.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 1.1.1.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/28 is directly connected, GigabitEthernet0/1
L        1.1.1.14/32 is directly connected, GigabitEthernet0/1
      172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.20.1.0/24 is directly connected, Vlan1
L        172.20.1.30/32 is directly connected, Vlan1
C3560G24-1#sh ip int gi 0/1
GigabitEthernet0/1 is up, line protocol is up
Internet address is 1.1.1.14/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Check hwidb
C3560G24-1#
09-28-2011 10:50 AM
Hi,
Can you clear the ARP cache on the ASA and ping one of those addresses again?
Regards.
Alain.
09-28-2011 11:45 AM
Alain,
I've done that many times and all IPs come back with the same switchport MAC.
If I connect to the switch and ping a non-existent IP I get the expected result:
C3560G24-1#sho arp | in 172.20.1.53
Internet 172.20.1.53 0 Incomplete ARPA
C3560G24-1#
If I clear the ASA's arp cache and ping that same IP I GET A PING REPLY which I infer is from the Cat3560 routed port doing the proxy-arp.
As I noted above proxy-arp is enabled on that switchport. I'll turn it off - will be after hours today - and see what happens. I don't like fooling with a live customer network during business hours.
09-28-2011 07:38 PM
Alain - Yes, I cannot see the forest for the trees. I've stared at this for a day and could not see the error.
route inside 172.20.1.0 255.255.255.0 1.1.1.14 (not 1.1.1.1) !!!
Now the arp cache looks like it should with currently only the 1.1.1.14 in the cache.
Thanks,
Phil
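As an added example (not code from the thread or from either poster), a small Python checker for the two things this case turned on: Alain's diagnosis that the ASA static route used the ASA's own inside address as its next hop, and Phil's observation that every inside IP resolved to the switch's MAC. The sample `show arp` / `show route` text is constructed from the lines posted above, and the table of ASA interface addresses is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample output, modelled on the `show arp` / `show route` lines in the thread.
ASA_SHOW_ARP = """\
inside 172.20.1.138 0024.1397.f8c1 1407
inside 172.20.1.104 0024.1397.f8c1 2983
inside 172.20.1.148 0024.1397.f8c1 2995
inside 172.20.1.20 0024.1397.f8c1 3057
inside 1.1.1.14 0024.1397.f8c1 3379
outside 203.0.113.1 0011.2233.4455 120
"""
ASA_SHOW_ROUTE = """\
C 1.1.1.0 255.255.255.240 is directly connected, inside
S 172.20.1.0 255.255.255.0 [1/0] via 1.1.1.1, inside
"""
# Assumed: the ASA's own interface addresses (1.1.1.1 is the ASA inside IP in the thread).
ASA_INTERFACE_IPS = {"inside": "1.1.1.1"}

ARP_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)$")
ROUTE_RE = re.compile(r"^S\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)$")


def parse_arp(text):
    """Parse ASA `show arp` lines into (interface, ip, mac, age) tuples."""
    rows = [ARP_RE.match(l.strip()) for l in text.splitlines()]
    return [(m[1], m[2], m[3], int(m[4])) for m in rows if m]


def shared_mac_ips(entries, threshold=3):
    """{(interface, mac): [ips]} for MACs that answer for `threshold` or more IPs.
    Many IPs behind one MAC is the symptom in the thread (a neighbour proxy-ARPing
    for a whole subnet); seen from a victim's cache, ARP spoofing looks the same."""
    by_mac = defaultdict(list)
    for iface, ip, mac, _age in entries:
        by_mac[(iface, mac)].append(ip)
    return {k: v for k, v in by_mac.items() if len(v) >= threshold}


def self_next_hop_routes(route_text, interface_ips):
    """Static routes whose next hop is the ASA's own address on that interface.
    Such a route makes the ASA ARP for every destination host directly, which is
    what let the switch's proxy ARP absorb all of 172.20.1.0/24 here."""
    rows = [ROUTE_RE.match(l.strip()) for l in route_text.splitlines()]
    return [m.groups() for m in rows if m and interface_ips.get(m[4]) == m[3]]
```

Run both checks against fresh `show arp` and `show route` captures; the route check flags the typo before the ARP cache ever fills up, and the ARP check catches the symptom when the cause is something other than a self-pointing route.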