Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6915
Views
0
Helpful
4
Replies

Force the ASA to send out gratuitous arp.

Cisco Ham
Level 1
Level 1

‎03-21-2014 06:59 AM - edited ‎02-21-2020 05:08 AM

Hello,

I'm currently setting up a new ASA active/standby cluster, it will replace the current PIX cluster that is managed by another company.

The plan is to shutdown the interfaces on the switches where the PIX boxes are connected and activate the switchports where the new ASA's are connected. Sounds easy, but I'm afraid I will get into trouble with the cached ARP entries on the routers and hosts on the network ( and there are lots of them ), they will keep pointing at the mac addresses of the old PIX firewalls until the cached entries time out and that can take a long time.

So, I was wondering if there is a way to force the ASA's to send out a gratuitous arp that would update all the entries in the routers and hosts connected on the network ?

 

Any help would be much appreciated.

 

 

 

 

0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-21-2014 08:34 AM

I don't think you can force the ASA directly. A failover event will initiate a gratuitous ARP. So you could failover and get one sent out that way.

I've usually taken the path of clearing the ARP cache on on of the upstream / downstream devices and then pinging the ASA. That will casue those devices to send out an ARP request and the ASA will reply.

0 Helpful

Karsten Iwen
VIP
VIP

‎03-21-2014 08:52 AM

Well, there *is* a way to send a gratious arp. But I'm not sure if that will help you in your situation ...

When you configure an IP address on the interface, a gratious arp is sent for that IP. If you cycle through all IPs that you use for NAT on the interface, then the other devices get updated for all these addresses.

0 Helpful

Cisco Ham
Level 1
Level 1

‎03-30-2014 01:53 AM

Thank you for your answers, I think I'll try the failover. I wonder if it will initiate a gratuitous ARP, after all the secondary asa will take over the IP and MAC addresses of the primary, so in case of the failover nothing really changes that would require a gratuitous to be send out ?

Another thing I was thinking about was to do a ping from the ASA to the broadcast address of each interface, I wonder if that would work.

0 Helpful

Karsten Iwen
VIP
VIP
In response to Cisco Ham

‎03-30-2014 02:18 AM

I wonder if it will initiate a gratuitous ARP, after all the secondary asa will take over the IP and MAC addresses of the primary, so in case of the failover nothing really changes that would require a gratuitous to be send out ?

 

From the standpoint of a host or router that communicates with the ASA, nothing changes. But the secondary ASA is very likely connected to a different switchport then the primary ASA. With the help of the gratious ARP the MAC-table of the switch gets updated.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card