10-31-2011 12:01 PM - edited 03-11-2019 02:44 PM
We have an ESX server with multiple virtual servers defined. I am trying to migrate the default gateway IP address (.1) from a 3900 router to an ASA firewall. When the default gateway is assigned to the 3900 there are no issues. Shortly after moving the default gateway to the ASA, the virtual server will report a duplicate IP address. The offending MAC address is the interface of the ASA firewall. The network to be moved is a class C. There are only 4 hosts on the network. This leaves many other IP addresses to test with, all of which have never been used. When the virtual server is configured for a new, never before used IP address, the server will report a duplicate IP address and the ASA MAC address is listed as the duplicate MAC.
I have moved other networks from the 3900 to the ASA without issue. To the best of my knowledge the only difference is how the ESX server attaches the virtual server/IP address to a NIC. The ESX server has five network interfaces: one iLO, two management and two production. The IP addresses and networks associated with iLO and management are working without trouble. The virtual servers using the production interfaces are having trouble when the default gateway is the ASA firewall.
The switch configuration for the iLO and management interfaces is defined as an access switchport. The production interfaces are each defined as a trunk that allows two networks on the trunk.
I can't help but think the issue is with the relationship between the switch trunks and the ESX server. The trunk interfaces operate independently. They have not been teamed together (LACP). Do the 3900 router and ASA handle ARP differently, thus exposing a problem that's been there all along?
ASA Firewall
ASA Version 8.2(5)13
interface GigabitEthernet0/2
description 4948 g1/22
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.82
description esx production VM servers
shutdown
vlan 82
nameif esx_prod
security-level 70
ip address 192.168.82.1 255.255.255.0
!
access-list esx_prod_in extended permit ip any any
global (outside) 1 interface
nat (esx_prod) 1 192.168.82.0 255.255.255.0
static (inside,esx_prod) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,esx_prod) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
access-group esx_prod_in in interface esx_prod
Switch
interface GigabitEthernet1/1
description ESX server production
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 82,193
switchport mode trunk
Router
interface GigabitEthernet0/0.82
description esx production VM servers
encapsulation dot1Q 82
ip address 192.168.82.1 255.255.255.0
ip pim sparse-dense-mode
ip cgmp
end
10-31-2011 12:47 PM
I am continuing to research. I suspect proxy ARP may be the issue. I plan to disable it and test shortly.
10-31-2011 03:15 PM
Hello,
Yup, you got it. The issue is proxy ARP. The only way that the ASA is going to answer an ARP request is if the proxy ARP feature is enabled.
Now, it is enabled by default, and what causes the ASA to answer the solicited ARP requests is the NAT configuration. On which interface of the firewall is the server located? What is the subnet that the ASA is responding to?
Mike
11-01-2011 03:51 AM
Disabling proxy ARP worked (sysopt noproxyarp).
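The mechanism Mike describes (NAT statements driving the ASA's proxy ARP replies) can be checked against a posted config offline before touching the box. The script below is an added example, not code from this thread or from Cisco. It parses an ASA 8.2-style configuration (the embedded sample is rebuilt from the fragment posted above; the `sysopt` line appended in the usage is constructed), reports any `static` whose mapped range covers addresses inside the connected subnet of the interface it is mapped onto while proxy ARP is still enabled there, and models whether the ASA would answer an ARP request for a given host on a given interface. On the posted config it flags `static (inside,esx_prod) 192.168.0.0 192.168.0.0 netmask 255.255.0.0`, whose /16 mapped range contains the entire esx_prod subnet 192.168.82.0/24; that this statement is the one responsible is my inference from the config, not something the thread states. Function names are mine, and the model is deliberately narrow: it covers `static` with `netmask` only, not `nat`/`global` or `alias`.

```python
import ipaddress
import re

# Constructed sample: the ASA 8.2 fragment posted in the thread (interface and
# NAT lines only; unrelated lines omitted). Rebuilt here so the script runs offline.
ASA_CONFIG = """\
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.82
 vlan 82
 nameif esx_prod
 security-level 70
 ip address 192.168.82.1 255.255.255.0
!
global (outside) 1 interface
nat (esx_prod) 1 192.168.82.0 255.255.255.0
static (inside,esx_prod) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,esx_prod) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
"""

# ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+)(?: netmask (?P<mask>\S+))?"
)


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface with a nameif and address."""
    ifaces, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface block starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            ifaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_statics(config):
    """Return [(real_if, mapped_if, mapped_network)] for every static NAT line."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mask = m.group("mask") or "255.255.255.255"   # host static if no netmask
            net = ipaddress.IPv4Network(f"{m.group('mapped')}/{mask}", strict=False)
            statics.append((m.group("real_if"), m.group("mapped_if"), net))
    return statics


def proxyarp_disabled(config):
    """Set of nameifs that carry 'sysopt noproxyarp <nameif>'."""
    disabled = set()
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[:2] == ["sysopt", "noproxyarp"]:
            disabled.add(parts[2])
    return disabled


def would_answer_arp(config, nameif, host):
    """Model: the ASA answers ARP for its own address on `nameif` always, and for
    any address inside a static's mapped range on `nameif` while proxy ARP is on."""
    ip = ipaddress.IPv4Address(host)
    iface = parse_interfaces(config).get(nameif)
    if iface is not None and ip == iface.ip:
        return True
    if nameif in proxyarp_disabled(config):
        return False
    return any(mapped_if == nameif and ip in net
               for _, mapped_if, net in parse_statics(config))


def overlapping_statics(config):
    """Statics whose mapped range overlaps the connected subnet of the mapped-side
    interface while proxy ARP is enabled there: hosts on that VLAN will see the
    ASA answer ARP for their own addresses (the duplicate-IP symptom above)."""
    ifaces, disabled, findings = parse_interfaces(config), proxyarp_disabled(config), []
    for _, mapped_if, net in parse_statics(config):
        iface = ifaces.get(mapped_if)
        if iface is not None and mapped_if not in disabled and net.overlaps(iface.network):
            findings.append((mapped_if, net, iface.network))
    return findings


if __name__ == "__main__":
    for nameif, mapped, connected in overlapping_statics(ASA_CONFIG):
        print(f"WARNING: static mapped range {mapped} on {nameif} covers connected subnet {connected}")
    fixed = ASA_CONFIG + "sysopt noproxyarp esx_prod\n"   # constructed remediation
    for cfg, label in ((ASA_CONFIG, "before"), (fixed, "after")):
        print(label, "ASA answers ARP for 192.168.82.50 on esx_prod:",
              would_answer_arp(cfg, "esx_prod", "192.168.82.50"))
```

Run as-is it prints the warning for the 192.168.0.0/16 static and shows the modelled answer flipping from True to False once `sysopt noproxyarp esx_prod` is present; the 172.16.0.0/12 static is not flagged because it does not overlap 192.168.82.0/24, which is consistent with other networks having migrated without trouble. The check is a planning aid only: confirm on the wire (an ARP capture on the VM VLAN for an unused address) before and after the change.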