11-08-2022 03:44 AM
Hey! I'm currently working on an FTD 1120 that is managed by FDM, and my query is:
FDM-6.6.1-91 VDB-336.0
- Configured two ISP links on FDM with SLA monitor.
- Basic configuration: one access-list for LAN users to access the internet, and a NAT policy using auto NAT with dynamic.
- Everything works fine for a certain time, and after that LAN users are not able to access the internet. After checking the logs I observed that the ARP cache is getting filled. When I clear the ARP table manually it starts working again. Please explain this type of behaviour.
Note: LAN users are directly connected to the FW; there are no network devices between the firewall and the LAN.
12-05-2022 12:04 PM
Hi Mani,
I would say verify the interface status and then check the ARP status.
Also clear the ARP entry and take captures to verify whether there is any particular MAC that is causing the issue.
As a temporary solution you can configure static ARP.
There could be many reasons for this issue: an incorrect config, a proxy ARP config issue, the ARP cache timeout value, etc.
Try to take captures and see the behaviour. If the issue still persists, maybe get help from TAC and troubleshoot further.
Regards
Divya Jain
12-05-2022 09:47 AM
When you look at the ARP cache, do you see a bunch of the same MAC addresses? I've seen this in the past, where a device was proxy ARPing for everything. If this is the case, track down what is doing the proxy ARP.
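The check described in the reply above (one MAC answering for many IPs) can be automated over `show arp` output. The script below is an added example, not part of the original thread; it parses the interface / IP / MAC / age columns that FTD and ASA print, counts how many IPs each MAC claims per interface, and flags MACs above a threshold as likely proxy-ARP sources. The sample table, the `min_ips` threshold and the MAC addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of "show arp" output: <interface> <ip> <mac> <age>.
# One host (001c.7f11.2233) answers for five IPs on "inside", which is the
# pattern a proxy-ARPing device leaves in the firewall's cache.
SAMPLE_SHOW_ARP = """\
inside 192.168.10.10 0050.56ab.0001 120
inside 192.168.10.11 0050.56ab.0002 90
inside 192.168.10.12 0050.56ab.0003 15
inside 192.168.10.50 001c.7f11.2233 5
inside 192.168.10.51 001c.7f11.2233 5
inside 192.168.10.52 001c.7f11.2233 4
inside 192.168.10.53 001c.7f11.2233 4
inside 192.168.10.54 001c.7f11.2233 3
outside 203.0.113.1 5c5e.ab00.aaaa 2000
"""

# Cisco dotted-hex MAC format (xxxx.xxxx.xxxx); age is seconds since learned.
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Return a list of dicts, one per ARP entry; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append({
                "interface": m.group(1),
                "ip": m.group(2),
                "mac": m.group(3).lower(),
                "age": int(m.group(4)),
            })
    return entries


def entries_per_interface(entries):
    """Count ARP entries per interface, to see which segment is filling the cache."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["interface"]] += 1
    return dict(counts)


def suspect_proxy_arp(entries, min_ips=3):
    """Return (interface, mac, ip_count) for MACs claiming >= min_ips IPs on one interface.

    Sorted by ip_count descending so the worst offender comes first.
    """
    ips_by_mac = defaultdict(set)
    for e in entries:
        ips_by_mac[(e["interface"], e["mac"])].add(e["ip"])
    suspects = [
        (ifc, mac, len(ips))
        for (ifc, mac), ips in ips_by_mac.items()
        if len(ips) >= min_ips
    ]
    return sorted(suspects, key=lambda s: (-s[2], s[0], s[1]))


if __name__ == "__main__":
    arp = parse_show_arp(SAMPLE_SHOW_ARP)
    print("entries per interface:", entries_per_interface(arp))
    for ifc, mac, n in suspect_proxy_arp(arp):
        print(f"{ifc}: {mac} answers for {n} IPs -> check for proxy ARP on this host")
```

Paste the real `show arp` output into `SAMPLE_SHOW_ARP` (or read it from a file) and lower or raise `min_ips` to taste; a MAC that shows up for dozens of addresses on the LAN interface is the device to capture against next.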
12-05-2022 11:04 AM
You use NAT without adding the keyword no-proxy-arp.
Add this keyword and everything will be fine.
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html