07-18-2012 12:01 AM - edited 03-11-2019 04:32 PM
Hi,
I am having a peculiar issue in my setup. I recently replaced my ASA 5505 (8.2.1) with an ASA 5510 (8.4.3). Everything works fine for a while, then suddenly I see that some of the servers are not reachable from the LAN. All the servers' gateway is my switch. If I check on my Dell switch, the particular server's ARP entry on the connected port is the same as the ASA physical MAC. If I revert to the 5505 ASA, everything goes smoothly without any issue.
Please help me out...
07-18-2012 12:29 AM
Hi,
Could you perhaps provide a simple picture of the network setup (old and new) and/or some configuration (minus sensitive information such as passwords)?
Are you saying that you have a L3 Switch / Router in your setup or are you talking about a normal switch?
- Jouni
07-18-2012 12:45 AM
Hi Jouni,
ASA<=========> Dell 7048 Stack<========>Servers & Users
Server vlan 20 --- 10.20.20.0/24
Users vlan 10 --- 10.20.10.0/24
Intervlan routing enabled on the Dell L3 switch. The port connecting from Dell switch to ASA is in Vlan 20.
The old and new setups are the same; only the ASA changed.
Anything more you require from my side? Any suggestions?
07-18-2012 12:49 AM
Hi,
You could try the command "sysopt noproxyarp
If you are indeed seeing the ASA interface MAC address in the ARP listing of the L3 switch, it should mean that the ASA has answered some device's ARP request instead of the device itself answering the ARP request.
Or have I missed something?
- Jouni
07-18-2012 01:06 AM
Hi Jouni,
The ARP entry on the switch for the connected server is showing the physical MAC address of the ASA.
I'm getting output like below:
show arp
10.20.20.2 --- 5097.1234.1567 -- MAC address of my ASA Inside interface
10.20.20.102 --5097.1234.1567
10.20.20.120 --5097.1234.1567
Any idea?
07-18-2012 01:42 AM
Hi,
Well if the ASA has answered the ARP request it probably looks like that.
Are you saying, by the way, that the L3 point for both the Vlan 10 and Vlan 20 networks is on the switch, BUT connections from Vlan 10 and Vlan 20 both use a Vlan 20 access port towards the ASA to use the Internet?
If the situation is as I mentioned above, have you issued the command "sysopt noproxyarp
If you are not using the ASA to provide the routing between Vlans, wouldn't it be better to have a totally different Vlan and link network to provide the connectivity towards the ASA?
- Jouni
07-18-2012 01:49 AM
Hi Jouni,
Yes, both vlan 10 & 20 use the vlan 20 access port to go to the internet.
So I will try to put sysopt noproxyarp on my inside interface and let you know.
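Added example, not part of the thread: a small Python check for the symptom discussed above, where several server IPs in the switch's ARP table resolve to the firewall's interface MAC. The function names are hypothetical, the sample table reuses the entries posted in the thread plus one constructed entry, and treating 10.20.20.2 as the ASA's own inside address is an assumption.

```python
import re
from collections import defaultdict

# Entries in the format posted in the thread; the last line (10.20.20.50)
# is constructed for contrast with a host that answers with its own MAC.
SAMPLE_ARP = """\
10.20.20.2 --- 5097.1234.1567
10.20.20.102 --5097.1234.1567
10.20.20.120 --5097.1234.1567
10.20.20.50 --- 0011.2233.4455
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Accept Cisco dotted (5097.1234.1567) and colon/dash separated MACs.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b", re.I)

def normalize_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """Return (ip, normalized_mac) pairs found in ARP table text."""
    entries = []
    for line in text.splitlines():
        ip = IP_RE.search(line)
        mac = MAC_RE.search(line[ip.end():]) if ip else None
        if ip and mac:
            entries.append((ip.group(1), normalize_mac(mac.group(0))))
    return entries

def suspected_proxy_arp(entries, firewall_mac, firewall_ips):
    """IPs that map to the firewall MAC but are not the firewall's own."""
    fw = normalize_mac(firewall_mac)
    return sorted(ip for ip, mac in entries
                  if mac == fw and ip not in firewall_ips)

def shared_macs(entries):
    """MACs claimed by more than one IP (for when the firewall MAC is unknown)."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        by_mac[mac].add(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    # Assumption: 10.20.20.2 is the ASA inside interface address.
    print(suspected_proxy_arp(table, "5097.1234.1567", {"10.20.20.2"}))
```

Running it periodically against the L3 switch's ARP output shows whether the affected entries return after a configuration change.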