Solved: Duplicate IP address with ASA Interface Mac Address

rmeans · ‎10-31-2011

We have an ESX server will multiple virtual servers defined. I am trying to migrate the default gateway IP address (.1) from a 3900 router to an ASA firewall. When the default gateway is assigned to the 3900 there are no issues. Shortly after moving the default gateway to the ASA, the virtual server will report a duplicate IP address. The offending mac address is the interface of the ASA firewall. The network to be moved is a class C. There are only 4 hosts on the network. This leaves many other IP addresses to test with all of which have never been used. When the virtual server is configured for a new, never before used IP address, the server will report a duplicate IP address and the ASA mac address is listed for the duplicate mac.

I have moved other networks from the 3900 to ASA without issue. To the best of my knowledge the only difference is how the ESX server attaches the virtual server/IP address to a NIC. The ESX server has five network interfaces: 1 ilo, 2 management and 2 production. The IP addresses and networks associated with ilo and mgmt are working without trouble. The virtual servers using the production interfaces are having trouble when the default gateway is the ASA firewall.

The switch configuration for the ilo and management interface is defined as an access switchport. The production interfaces are each defined as a trunk and allows two networks on the trunk.

I can’t help but think the issue is with the relationship between the switch trunks and the ESX server. The trunk interfaces operate independently. The have not been teamed together (LACP). Do the 3900 router and ASA handle arp differently thus expose a problem that’s been there all along?

ASA Firewall

ASA Version 8.2(5)13

interface GigabitEthernet0/2

description 4948 g1/22

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2.82

description esx production VM servers

shutdown

vlan 82

nameif esx_prod

security-level 70

ip address 192.168.82.1 255.255.255.0

!

access-list esx_prod_in extended permit ip any any

global (outside) 1 interface

nat (esx_prod) 1 192.168.82.0 255.255.255.0

static (inside,esx_prod) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

static (inside,esx_prod) 172.16.0.0 172.16.0.0 netmask 255.240.0.0

access-group esx_prod_in in interface esx_prod

Switch

interface GigabitEthernet1/1

description ESX server production

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 82,193

switchport mode trunk

Router

interface GigabitEthernet0/0.82

description esx production VM servers

encapsulation dot1Q 82

ip address 192.168.82.1 255.255.255.0

ip pim sparse-dense-mode

ip cgmp

end

Maykol Rojas · ‎10-31-2011

Hello,

Yup, you got it. The issue is proxy arp. The only way that the ASA is going to answer an ARP request is if there proxyarp feature is enable.

Now, it is enable by default, and what causes the ASA to answer the solicited ARP requests is NAT configuration. On which interface of the firewall is the Server located? What is the subnet that the ASA is responding to?

Mike

View solution in original post

rmeans · ‎10-31-2011

I am continuing to research. I suspect proxy arp may be the issue. I plan to disable and test shortly.

Maykol Rojas · ‎10-31-2011

Hello,

Yup, you got it. The issue is proxy arp. The only way that the ASA is going to answer an ARP request is if there proxyarp feature is enable.

Now, it is enable by default, and what causes the ASA to answer the solicited ARP requests is NAT configuration. On which interface of the firewall is the Server located? What is the subnet that the ASA is responding to?

Mike

rmeans · ‎11-01-2011

Disabling proxy arp worked (sysopt noproxyarp ).