
Has anyone seen this connectivity issue before behind an ASA5510

bob.bartlett
Level 1

I have a network with a 2950 C switch set up with 2 VLANs, a Data VLAN and a management VLAN. There are 2 separate uplinks to the ASA, one for each VLAN. The problem is that servers that are on the Data VLAN periodically drop their connections to each other: you can't ping from one to the other, and you can't connect to them on the ports that they service. At the same time you see errors in the logs on the ASA saying that Server A on Inside can't connect to Server B on Management. All the servers are on Inside, not Management, and you can see the server drop out of the ARP table on the other servers, or they show the ASA MAC in the ARP entry for the server that cannot be pinged.

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

Bob

Can you post the ASA config? Also, you may want to consider disabling proxy-arp on the inside and management interfaces.

Jon

vilaxmi
Cisco Employee

Probably your ASA inside interface is trying to do a proxy ARP for the destination server in question. Let me give a detailed overview of how it works:

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface.

In order to avoid such a scenario, please try to disable proxy ARP on the inside interface of the ASA, using the following command:

ASA(config)# sysopt noproxyarp inside

HTH

Vijaya
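
A check for the symptom described in this thread (a server's ARP entry showing the ASA's MAC), as an added example that is not part of the original posts: it parses Linux `ip neigh show` output and lists same-subnet addresses that resolve to the gateway's MAC. The sample table, the addresses and MACs, and the function names are constructed for illustration, with 10.1.1.1 assumed to be the ASA inside interface.

```python
import ipaddress
import re

# Constructed sample of `ip neigh show` output from a server on the Data VLAN.
# Assumption: 10.1.1.1 is the ASA inside interface; all addresses/MACs are made up.
SAMPLE_NEIGH = """\
10.1.1.1 dev eth0 lladdr 02:00:5e:aa:bb:01 REACHABLE
10.1.1.20 dev eth0 lladdr 02:00:5e:11:22:20 STALE
10.1.1.30 dev eth0 lladdr 02:00:5e:aa:bb:01 REACHABLE
10.1.1.40 dev eth0  FAILED
192.168.50.7 dev eth1 lladdr 02:00:5E:AA:BB:01 STALE
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+(?:\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17}))?"
)

def parse_neigh(text):
    """Return (ip, mac) pairs for entries that have a resolved MAC address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue  # FAILED/INCOMPLETE entries carry no MAC
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a neighbour line
        entries.append((ip, m.group("mac").lower()))
    return entries

def proxy_arp_suspects(text, gateway_ip, local_net):
    """IPs in local_net, other than the gateway, that map to the gateway's MAC."""
    gw = ipaddress.ip_address(gateway_ip)
    net = ipaddress.ip_network(local_net)
    entries = parse_neigh(text)
    gw_mac = next((mac for ip, mac in entries if ip == gw), None)
    if gw_mac is None:
        return []  # gateway not in the table, nothing to compare against
    # A same-subnet host should answer ARP with its own MAC, never the gateway's.
    return [str(ip) for ip, mac in entries
            if ip != gw and ip in net and mac == gw_mac]

if __name__ == "__main__":
    for ip in proxy_arp_suspects(SAMPLE_NEIGH, "10.1.1.1", "10.1.1.0/24"):
        print(f"{ip} resolves to the gateway MAC: possible proxy ARP reply")
```

Run it on each affected server while the drop is occurring; a same-subnet peer listed here means the gateway answered the ARP request instead of the peer.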
