08-23-2011 10:07 AM - edited 03-11-2019 02:15 PM
I have my firewall on IP 192.168.0.1 (for example; the real IP is a class C address). I have a web server (Ubuntu 10.04, though this happened before with an 8.04 box as well) on IP 192.168.0.101. Everything will be functioning fine, and I won't have any issues for a while. Then, randomly, I'll have problems getting to my web server and getting disconnected from SSH sessions. I go to one of my Linux boxes and do an "arping -b 192.168.0.101" and I will get two responses, one from my firewall and one from the box, as illustrated below. The only way to correct the issue that I've run into is to reload the firewall, which will then behave properly again until it randomly decides to start answering ARP requests on the other IP again.
nwiadmin@vm-test-lx:~$ arping -b if-webdevint4-lx
WARNING: interface is ignored: Operation not permitted
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx] 2.309ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.434ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx] 2.280ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.377ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx] 2.129ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.221ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx] 1.839ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.934ms
Sent 4 probes (4 broadcast(s))
Received 8 response(s)
Reloaded firewall
nwiadmin@vm-test-lx:~$ arping -b if-webdevint4-lx
WARNING: interface is ignored: Operation not permitted
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.839ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.935ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.758ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.733ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 9.568ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.931ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.283ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.756ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.070ms
Sent 9 probes (9 broadcast(s))
Received 9 response(s)
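The two arping runs above are the whole diagnostic: before the reload every probe gets two unicast replies for one IP (received is double sent), afterwards one. The script below is an added example, not part of the original post or of any Cisco tool. It parses arping output in the format shown, counts which MACs answered, and classifies the run, flagging the case where the extra responder is the gateway's own MAC, which is what a firewall proxy-ARPing for a host looks like. The MAC addresses and the two sample runs are constructed (the thread's MACs are redacted); the gateway MAC would normally come from `show interface` on the ASA or from `arping` against the gateway IP.

```python
"""Detect a second responder for one IP in iputils arping output.

Added example for the thread above; the samples and MACs are constructed.
"""
import re
from collections import defaultdict

# Per-reply line as printed by iputils arping, e.g.
#   Unicast reply from 192.168.0.101 [52:54:00:aa:bb:cc] 2.434ms
REPLY_RE = re.compile(
    r"^Unicast reply from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\[(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]",
    re.IGNORECASE,
)
# Summary lines: "Sent 4 probes (4 broadcast(s))" / "Received 8 response(s)"
SUMMARY_RE = re.compile(r"^(Sent|Received) (\d+) (?:probes?|response\(s\))")

# Constructed values (assumptions, not from the thread).
FW_MAC = "00:1b:d4:11:22:33"    # assumed ASA inside-interface MAC
HOST_MAC = "52:54:00:aa:bb:cc"  # assumed MAC of the Ubuntu web server

BROKEN = """\
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [00:1b:d4:11:22:33] 2.309ms
Unicast reply from 192.168.0.101 [52:54:00:aa:bb:cc] 2.434ms
Unicast reply from 192.168.0.101 [00:1b:d4:11:22:33] 2.280ms
Unicast reply from 192.168.0.101 [52:54:00:aa:bb:cc] 2.377ms
Sent 2 probes (2 broadcast(s))
Received 4 response(s)
"""

HEALTHY = """\
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [52:54:00:aa:bb:cc] 2.839ms
Unicast reply from 192.168.0.101 [52:54:00:aa:bb:cc] 1.935ms
Sent 2 probes (2 broadcast(s))
Received 2 response(s)
"""


def parse_arping(text):
    """Return ({ip: {mac: reply_count}}, sent, received) for one arping run."""
    replies = defaultdict(lambda: defaultdict(int))
    sent = received = 0
    for line in text.splitlines():
        line = line.strip()
        m = REPLY_RE.match(line)
        if m:
            replies[m["ip"]][m["mac"].lower()] += 1
            continue
        s = SUMMARY_RE.match(line)
        if s:
            if s.group(1) == "Sent":
                sent = int(s.group(2))
            else:
                received = int(s.group(2))
    return {ip: dict(macs) for ip, macs in replies.items()}, sent, received


def diagnose(text, expected_mac=None, gateway_mac=None):
    """Classify an arping run. Returns (status, sorted list of MACs that answered).

    status: 'ok'         exactly one MAC answered (and it is expected_mac, if given)
            'no-reply'   nothing answered
            'proxy-arp'  several MACs answered and one of them is gateway_mac
            'duplicate'  several MACs answered, none of them the gateway
            'wrong-host' one MAC answered but it is not expected_mac
    """
    replies, _sent, _received = parse_arping(text)
    macs = sorted({mac for per_ip in replies.values() for mac in per_ip})
    if not macs:
        return "no-reply", macs
    if len(macs) > 1:
        if gateway_mac and gateway_mac.lower() in macs:
            return "proxy-arp", macs
        return "duplicate", macs
    if expected_mac and macs[0] != expected_mac.lower():
        return "wrong-host", macs
    return "ok", macs


if __name__ == "__main__":
    for label, run in (("before reload", BROKEN), ("after reload", HEALTHY)):
        status, macs = diagnose(run, HOST_MAC, FW_MAC)
        print(f"{label}: {status} {macs}")
```

A quicker tell that needs no MAC knowledge at all is the summary pair: a broadcast arping that receives more replies than it sent probes has more than one station claiming the address. Pipe `arping -b -c 4 <ip>` through this periodically from a host on the inside VLAN and alert on anything other than `ok`, and you catch the firewall starting to answer long before users notice SSH sessions dropping.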
08-23-2011 10:26 AM
Hi,
There is a feature called proxy ARP on the ASA firewall that causes the ASA to respond for ARP request if it has a NAT configured.
Most likely this is caused by an static (inside,inside) with the same subnet twice, an outside NAT etc. Would you please paste your NAT configuration?
Other thing that you can do is to disable proxy arp on the inside interface to make the firewall stop doing that. Here is how you do it:
ciscoasa(config)# sysopt noproxyarp inside
Hope this helps.
Mike
08-23-2011 10:25 AM
Hi,
What happens on the firewall? Do you see the ARP entry there for the host? If not, can you assign a static ARP entry for your server and monitor it for a while?
Thanks,
Varun
08-23-2011 10:41 AM
I just switched on sysopt noproxyarp inside as I really shouldn't need that sort of behavior, and I've got it documented if any other issues come up. My NAT config is sanitized and included below, but is fairly messy. I need time to clean up all my configs, but it's IT.... Never enough time.
nat (DMZ,any) source static obj-172.16.100.0 obj-172.16.100.0 destination static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20
nat (outside,outside) source static obj-192.168.30.10 obj-192.168.30.10 destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.11.0 obj-192.168.11.0
nat (inside,any) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static obj-192.168.30.0 obj-192.168.30.0
nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static obj-192.168.10.0 obj-192.168.10.0
nat (inside,any) source static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 destination static obj-192.168.11.0 obj-192.168.11.0
nat (inside,any) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 destination static k192.168.14.0 k192.168.14.0
nat (inside,any) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.192 obj-192.168.0.192 unidirectional
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.192 obj-192.168.0.192 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_13 DM_INLINE_NETWORK_13 destination static k192.168.14.0 k192.168.14.0
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11
nat (inside,any) source static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 destination static saLAN saLAN unidirectional
nat (inside,any) source static saLAN saLAN unidirectional
nat (inside,any) source static obj-192.168.12.0 obj-192.168.12.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static scLAN scLAN unidirectional
nat (inside,any) source static scLAN scLAN destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,any) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.15.0 obj-192.168.15.0 unidirectional
nat (inside,any) source static obj-192.168.15.0 obj-192.168.15.0 destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_15 DM_INLINE_NETWORK_15 destination static obj-10.14.58.0 obj-10.14.58.0 unidirectional
nat (inside,any) source static obj-10.14.58.0 obj-10.14.58.0 destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (inside,any) source static DM_INLINE_NETWORK_17 DM_INLINE_NETWORK_17 destination static lao2 lao2
nat (inside,any) source static DM_INLINE_NETWORK_18 DM_INLINE_NETWORK_18 destination static inl inl
nat (inside,inside) source static obj-192.168.15.0 obj-192.168.15.0 destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,inside) source static obj-192.168.15.0 obj-192.168.15.0 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,inside) source static obj-192.168.30.0 obj-192.168.30.0 destination static obj-192.168.15.0 obj-192.168.15.0 unidirectional
nat (inside,outside) source static obj-192.168.0.35 obj-x.x138.226 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.0.35 obj-x.x138.226 service obj-tcp-source-eq-52230 obj-tcp-source-eq-52230
nat (inside,outside) source static obj-192.168.0.30 obj-x.x138.227 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.0.19 obj-x.x138.228 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (inside,outside) source static obj-192.168.0.19 obj-x.x138.228 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (DMZ,outside) source static obj-172.16.100.8 obj-x.x138.231 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (DMZ,outside) source static obj-172.16.100.8 obj-x.x138.231 service obj-tcp-source-eq-22 obj-tcp-source-eq-22
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.10.0 obj-192.168.10.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.11.0 obj-192.168.11.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.0 obj-192.168.0.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (DMZ,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.220 obj-192.168.0.220 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.220 obj-192.168.0.220 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static k192.168.14.0 k192.168.14.0
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.12.0 obj-192.168.12.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-10.14.58.0 obj-10.14.58.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static lao2 lao2 unidirectional
nat (outside,DMZ) source static inl inl destination static obj-172.16.100.0 obj-172.16.100.0
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static inl inl
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.10.0 obj-192.168.10.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.11.0 obj-192.168.11.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.0 obj-192.168.0.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (DMZ,DMZ) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.220 obj-192.168.0.220 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.220 obj-192.168.0.220 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static k192.168.14.0 k192.168.14.0
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.12.0 obj-192.168.12.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-10.14.58.0 obj-10.14.58.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static lao2 lao2 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static inl inl
nat (DMZ,inside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.15.0 obj-192.168.15.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.15.0 obj-192.168.15.0 unidirectional
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.30.0 obj-192.168.30.0
nat (inside,any) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static obj-192.168.12.0 obj-192.168.12.0
nat (inside,any) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static inl inl
nat (inside,outside) source static obj-192.168.0.19 obj-x.x138.228 service tcp6001 tcp6001
nat (inside,outside) source static obj-192.168.0.59 obj-x.x138.229
nat (inside,outside) source static obj-192.168.0.75 obj-x.x138.232
nat (inside,outside) source static obj-192.168.0.72 obj-x.x138.230 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static DM_INLINE_NETWORK_25 DM_INLINE_NETWORK_25
!
object network obj-192.168.0.13
nat (inside,outside) static x.x143.37
object network obj-192.168.0.250
nat (inside,outside) static x.x143.42
object network obj-192.168.0.253
nat (inside,outside) static x.x143.56
object network obj-192.168.0.28
nat (inside,outside) static x.x143.45
object network obj-192.168.0.149
nat (inside,outside) static x.x143.52
object network obj-192.168.0.252
nat (inside,outside) static x.x143.57
object network obj-192.168.0.77
nat (inside,outside) static x.x143.53
object network obj-192.168.0.22
nat (inside,outside) static x.x143.54
object network obj-192.168.0.63
nat (inside,outside) static x.x143.41
object network obj-192.168.0.141
nat (inside,outside) static x.x143.58
object network obj-192.168.0.80
nat (inside,outside) static x.x143.44
object network obj-192.168.0.31
nat (inside,outside) static x.x143.43
object network obj-192.168.0.125
nat (inside,outside) static x.x143.39
object network obj-192.168.0.171
nat (inside,outside) static x.x143.59
object network obj_any
nat (inside,outside) dynamic x.x143.35
object network obj_any-01
nat (DMZ,outside) dynamic x.x143.35
object network obj-172.16.100.7
nat (DMZ,outside) static x.x143.46
object network obj-172.16.100.13
nat (DMZ,outside) static x.x143.50
object network obj-172.16.100.10
nat (DMZ,outside) static x.x143.55
08-23-2011 10:47 AM
Lots of NATs there... some of them use objects, so I can't really tell which one will cause the failure; however, if you don't need the behavior on the inside, you should not have any problems from now on. Let me know if something comes up.
Mike.
08-29-2011 12:10 PM
Finally found everything over the weekend. I use WebVPN and AnyConnect with our ASA firewall. Found that a user was getting connected on AnyConnect but was having problems getting to anything. Their address getting assigned to them was the same as the address the server was pulling, so when the server was set up the address wasn't pulled from the DHCP pool like it should have been.
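The root cause in the post above is an address-pool collision: the AnyConnect pool handed a client the same address the server was already using statically, and the ASA, which proxy-ARPs on the inside interface for connected VPN clients, began answering for 192.168.0.101 alongside the real host. That is a configuration check, and it can be automated. The script below is an added example, not code from the original thread or from Cisco: it reads `ip local pool` and `dhcpd address` ranges and `object network ... host` definitions out of an ASA running-config and reports any static host that falls inside a dynamically assigned range, plus any two ranges that overlap each other. The config fragment is constructed; the pool names, ranges and object names are assumptions, and only the `host` form of a network object is parsed.

```python
"""Find static hosts that sit inside ASA VPN or DHCP address pools.

Added example for the resolution above; the config fragment is constructed.
"""
import ipaddress
import re

# Constructed ASA config fragment (assumed names and ranges, not the thread's config).
SAMPLE_CONFIG = """\
ip local pool ANYCONNECT_POOL 192.168.0.100-192.168.0.110 mask 255.255.255.0
dhcpd address 192.168.0.150-192.168.0.200 inside
object network obj-192.168.0.101
 host 192.168.0.101
object network obj-192.168.0.19
 host 192.168.0.19
object network obj-192.168.0.160
 host 192.168.0.160
object network obj_any
 nat (inside,outside) dynamic 192.0.2.35
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
DHCP_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)")
OBJ_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")


def parse_ranges(config):
    """Return {name: (first_ip, last_ip)} for VPN pools and DHCP scopes."""
    ranges = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            ranges[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                  ipaddress.ip_address(m.group(3)))
            continue
        m = DHCP_RE.match(line)
        if m:
            # Key the DHCP scope by interface so several scopes can coexist.
            ranges["dhcpd:" + m.group(3)] = (ipaddress.ip_address(m.group(1)),
                                             ipaddress.ip_address(m.group(2)))
    return ranges


def parse_static_hosts(config):
    """Return {object_name: ip} for network objects defined with 'host'."""
    hosts = {}
    current = None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m and current:
            hosts[current] = ipaddress.ip_address(m.group(1))
    return hosts


def find_collisions(config):
    """Return sorted (range_name, object_name, ip) for static hosts inside a pool."""
    ranges = parse_ranges(config)
    hosts = parse_static_hosts(config)
    hits = []
    for rname, (lo, hi) in ranges.items():
        for oname, ip in hosts.items():
            if lo <= ip <= hi:
                hits.append((rname, oname, str(ip)))
    return sorted(hits)


def overlapping_pools(config):
    """Return sorted pairs of range names whose address ranges intersect."""
    ranges = parse_ranges(config)
    names = sorted(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for hit in find_collisions(SAMPLE_CONFIG):
        print("static host inside pool:", hit)
    for pair in overlapping_pools(SAMPLE_CONFIG):
        print("pools overlap:", pair)
```

Run it against `show running-config` output whenever a pool or a static NAT object changes. A host that is NATed to the outside but sits inside the VPN pool is exactly the combination that produced the two-MAC arping result earlier in this thread, and it will recur even with `sysopt noproxyarp inside` if the pool is left overlapping, because the VPN client will simply be unreachable instead.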