08-10-2018 05:02 AM - edited 02-21-2020 08:05 AM
Hello,
Does anyone know how to force Cisco ASA to send GARP for NATed IPs? I'm using proxy arp and the ARP entries on the upstream device do not refresh after I change failover MAC address. The only way to fix this is to clear ARP on the upstream device or wait till the timeout expires. I also tried failing over the ASAs, but that doesn't help either.
Is there a way to force ASA to send out GARPs at all for nated IPs?
On the upstream device e0:5f:b9:7c:7d:33 is the new MAC address of the ASA's outside (failover) interface and that updated immediately, but the ones for proxy-arp remain unchanged at e0:5f:b9:7c:7d:3c.
root> show arp
MAC Address Address Name Interface Flags
e0:5f:b9:7c:7d:3c 55.55.55.10 55.55.55.10 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.11 55.55.55.11 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.13 55.55.55.13 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.14 55.55.55.14 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.16 55.55.55.16 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.21 55.55.55.21 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.250 55.55.55.250 ge-0/0/0.0 none
e0:5f:b9:7c:7d:33 55.55.55.254 55.55.55.254 ge-0/0/0.0 none
Total entries: 8
root> ping 55.55.55.10
PING 55.55.55.10 (55.55.55.10): 56 data bytes
^C
--- 55.55.55.10 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
Thanks,
Lucas
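As an added example (not part of the original post), the check below parses the upstream `show arp` output quoted above and flags every entry on the ASA-facing interface that still resolves to a MAC other than the ASA's current failover MAC, i.e. exactly the stale proxy-ARP entries for the NATed addresses. The interface name and the expected MAC are passed in as assumptions; the sample table is constructed from the post.

```python
"""Flag ARP entries that still point at a stale MAC after an ASA failover-MAC change."""
import re
from typing import Dict, List, Tuple

# Constructed sample, built from the Junos-style `show arp` output in the post above
# (columns: MAC, address, name, interface, flags).
SHOW_ARP = """\
MAC Address Address Name Interface Flags
e0:5f:b9:7c:7d:3c 55.55.55.10 55.55.55.10 ge-0/0/0.0 none
e0:5f:b9:7c:7d:3c 55.55.55.11 55.55.55.11 ge-0/0/0.0 none
e0:5f:b9:7c:7d:33 55.55.55.254 55.55.55.254 ge-0/0/0.0 none
Total entries: 3
"""

# One data row: MAC, IP, name, interface (flags column is ignored).
ROW_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+\S+\s+(\S+)", re.I)


def parse_show_arp(text: str) -> List[Tuple[str, str, str]]:
    """Return (mac, ip, interface) for each data row; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1).lower(), m.group(2), m.group(3)))
    return rows


def stale_entries(rows: List[Tuple[str, str, str]], interface: str, asa_mac: str) -> Dict[str, str]:
    """Map IP -> cached MAC for every entry on `interface` that does not yet use `asa_mac`.

    `asa_mac` is the MAC the ASA currently answers ARP with on that segment (assumed
    known from `show interface` on the ASA); anything else is a stale cache entry.
    """
    asa_mac = asa_mac.lower()
    return {ip: mac for mac, ip, ifc in rows if ifc == interface and mac != asa_mac}


if __name__ == "__main__":
    stale = stale_entries(parse_show_arp(SHOW_ARP), "ge-0/0/0.0", "e0:5f:b9:7c:7d:33")
    for ip, mac in stale.items():
        print(f"{ip} still cached at {mac}: needs a GARP from the ASA or an ARP clear upstream")
```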
08-10-2018 05:34 AM
Sorry I misunderstood your request.
This is documented:
"If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow. The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not learn of the MAC address change for these addresses."
You have to fix virtual MAC addresses on the failover node in order to keep only those of the primary node:
Regards
Jérôme
08-10-2018 05:14 AM
Hi
GARP is the default behavior with NAT:
Each interface is configured by default to send GARP (negation of noproxyarp).
You can verify with: sh run all | i proxyarp
Here is an example:
vpn/pri/act# sh run all | i proxyarp
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
no sysopt noproxyarp management
Regards
08-10-2018 05:21 AM - edited 08-10-2018 05:33 AM
The ASA responds to ARP for NATed IPs and that is correct and expected, but it seems that when I change the virtual MAC address of the ASA the GARP updates are not sent for NATed IPs.
It's not the initial ARP request that is the problem (that I can achieve by clearing the ARP cache on the upstream device), but the GARP update for the existing ARP entry, which it seems is not sent.
Is this expected behaviour? I pasted the relevant info in my original post.
Thanks
02-25-2020 07:22 AM
You could force a Gratuitous ARP in ASA with the following debug command:
debug menu ipaddrutl 6 <IP>
Example:
#debug menu ipaddrutl 6 1.1.1.1
Gratuitous ARP sent for 1.1.1.1
06-24-2021 09:13 AM - edited 06-24-2021 09:14 AM
Stellar answer! Worked for me on FTD code from CLI.