cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5530
Views
16
Helpful
4
Replies

Cisco FTD 1010 - IP Duplicate issue - Managed by FMC

garybrophy
Level 1
Level 1

Hi All,

 

I have purchased a couple of these devices to replace the old ASA 5505's in remote sites.

The devices have been configured with FMC. The remote sites may only have 1 staff PC so that will plug directly into the inside interface on these firewalls.

 

I have created an inside Interface with a static IPv4 address. IPV6 is not enabled on it.
I have also not enabled DHCP on the interface.

 

I have tested this with desktops and laptops. If I configure a static IP address on the machine and plug directly into the Interface, the interface comes up but my machines tells me that the IP address is a duplicate address and I cannot ping the IP address of the Firewall.
There is nothing else plugged in here. Just one machine connected to one interface on the Firewall and the management interface connected to a switch to connect to the FMC for management. I have even unplugged the management interface and same thing.

 

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 58-8A-5A-30-71-2D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::bd99:cb71:b767:901c%22(Preferred)
IPv4 Address. . . . . . . . . . . : 10.52.37.230(Duplicate)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Autoconfiguration IPv4 Address. . : 169.254.81.230(Tentative)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.52.37.254
DHCPv6 IAID . . . . . . . . . . . : 123243098
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-0B-1B-51-58-8A-5A-30-71-2D
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled


If I configure DHCP on this interface it just cycles through the range of addresses and my machine never settles on an IP address and can never ping the firewall.

I have tested multiple machines to rule out a machine.
I also have an old ASA 5505 and tested the machines with that and it works without any issues

It seems to me to be an FTD issue but I cannot work out what could possibly cause this?

I am hoping someone has come across this on the 1010's?

 

Thanks

Gary

4 Replies 4

nspasov
Cisco Employee
Cisco Employee

A couple of questions for you:

1. Are you running ASA or FTD code on the 1010s?

2. What is the version of ASA/FTD that you are running?

3. Can you show us your DHCP configuration?

Thank you for rating helpful posts!

Hi nspasov

1) running the FTD code

2) Version is 6.4.0

3) I would actually prefer not to use DHCP - was just testing it as assigning a static IP address was not working.

 

I connected there and went into system support diagnostic cli and did a show run (attached - with omitted customer info)

 

1 PC with a static IP address - connected to the inside interface and it tells me its a duplicate address.

Nothing else connected.

Thanks

Gary

ChadT
Level 1
Level 1

Ran in to this problem also, where every single IP assigned to any device (static or DHCP) says it was a duplicate address. Turns out my internal interfaces was replying to all IP ARP request basically saying yes it was in use. The fix for this turned out to be in my NAT rules. I had configured Static NAT rules to forward ports from my outside IP to my inside devices, these NAT rule by default have proxy ARP on Destination Interface enabled.

In FMC go into your individual NAT rules click on the Advanced Tab and check the box next to Do not proxy ARP on Destination Interface. Now your firewall will quit replying to every request to see if that IP is in use some place.

 

Hope this helps someone.

@ChadT 

Appreciate your answer a lot. It solved my issue.

Review Cisco Networking for a $25 gift card