Cisco ASA 5555-X max ARP table size

I'm trying to look for an answer to what's the max ARP table size on a Cisco ASA 5555-X.

Does anyone know how to find the answer? Is there a show command I can run or a spec sheet that shows the max ARP table size?


Marvin Rhoads
Hall of Fame

I've never seen it published and frankly never had a customer ask about it.

Since arp table entries are only needed for directly attached subnets, even a modest size table would be more than enough for almost all use cases.

Is there some particular corner case that has you worried? 

We're having an issue with a sensor device that is not sending any traffic when it's first attached to the network.

The problem is on our production line: when a sensor breaks down it is replaced within 30 minutes, but the ARP entry will stay for the next 4 hours unless we have a technician log in to the firewall and clear it manually. This can happen at any time of day since production is running 24/7.

For a Cisco ASA we can't decrease the ARP timeout on a per-interface basis but only on a global basis, so we are trying to assess how much of an impact it would have to reduce the ARP timeout from the default of 4 hours to 15-30 minutes. At the moment we have ~300 entries in the ARP table, but knowing how many entries it would be able to handle at any given time would be useful in determining the additional load we'll put on it.
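One way to put numbers on the sizing question above is to parse the firewall's `show arp` output and see how the current entries are distributed by age, how many would already have aged out under a shorter timeout, and whether a given IP still maps to an old MAC after a device swap. The script below is an added example, not Cisco's code or anything from this thread; the `show arp` lines are constructed sample data, and the assumed format (interface, IP, MAC, age in seconds) is what the parser expects.

```python
import re
from collections import Counter

# Constructed sample of ASA "show arp" output. Assumed column layout:
#   <interface> <ip> <mac> <age-in-seconds>
# The ages were chosen to span the default 4-hour (14400 s) timeout.
SAMPLE_SHOW_ARP = """\
        inside 10.10.1.21 0050.5689.1a2b 14320
        inside 10.10.1.22 0050.5689.1a2c 9000
        inside 10.10.1.23 0050.5689.1a2d 2100
        inside 10.10.1.24 0050.5689.1a2e 120
        outside 203.0.113.1 0000.0c9f.f001 600
        dmz 192.0.2.40 0050.5689.beef 13000
"""

DEFAULT_ARP_TIMEOUT = 14400  # ASA default, 4 hours, as stated in the thread

ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<age>\d+)\s*$",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Turn raw 'show arp' text into a list of dicts; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append({
                "interface": m.group("iface"),
                "ip": m.group("ip"),
                "mac": m.group("mac").lower(),
                "age": int(m.group("age")),
            })
    return entries


def entries_per_interface(entries):
    """Count of ARP entries per interface, the figure to compare against any table limit."""
    return dict(Counter(e["interface"] for e in entries))


def already_older_than(entries, proposed_timeout):
    """Entries whose current age is at or beyond the proposed timeout.

    Under the shorter timeout these would have been re-resolved (or dropped if
    the host is gone) by now, so their number is a first estimate of how much
    extra ARP churn the change introduces.
    """
    return [e for e in entries if e["age"] >= proposed_timeout]


def max_rearp_per_minute(entries, proposed_timeout):
    """Upper bound on refresh load: every entry re-ARPed once per timeout window."""
    return len(entries) * 60.0 / proposed_timeout


def stale_entry_for(entries, ip, current_mac):
    """Return the cached entry if the firewall still holds a different MAC for ip.

    This is the replaced-sensor case from the thread: the new device answers
    from a new MAC, but the cached entry still points at the old one.
    """
    for e in entries:
        if e["ip"] == ip and e["mac"] != current_mac.lower():
            return e
    return None


if __name__ == "__main__":
    table = parse_show_arp(SAMPLE_SHOW_ARP)
    print("entries per interface:", entries_per_interface(table))
    for timeout in (DEFAULT_ARP_TIMEOUT, 1800, 900):
        old = already_older_than(table, timeout)
        print(f"timeout {timeout:>5}s: {len(old)} of {len(table)} entries would already "
              f"have aged out; worst-case {max_rearp_per_minute(table, timeout):.2f} re-ARPs/min")
    stale = stale_entry_for(table, "10.10.1.24", "0050.5689.ffff")
    print("stale entry after sensor swap:", stale)
```

Feed it the saved output of `show arp` instead of the constructed sample and the per-timeout lines give a rough before/after picture; with the ~300 entries mentioned above, even a 15-minute timeout works out to roughly 20 re-ARPs per minute in the worst case, which is far below what a firewall of this class handles.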

I've done an arp cache clear on ASAs without any noticeable impact on performance or active connections.

You could certainly reduce the global timeout to something less than 30 minutes and, given the modest size of your arp table, I would not expect any adverse consequences.

You could also create a custom privilege level and give a larger pool of technicians and operators the right to clear the table but not make any other configuration changes. You could even build a little script with stored credentials (or ssh key for greater security) and just have them run that as part of the standard procedure when replacing a sensor.
