cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

800
Views
0
Helpful
2
Replies
bob.bartlett
Beginner

Has anyone seen this connectivity issue before behind an ASA5510

I have a network with a 2950 C switch set up with 2 Vlans a Data VLAN and a management VLAN.  There are 2 separate uplinks to the ASA, one for each VLAN.  The problem is that servers that are on the Data VLAN periodically drop their connections to eachother you can't ping you can't from one to the other connect to them on ports that they service.  At the same time you see errors in the logs on the ASA saying that Server A on Inside can't connect to Server B on Management.  All the servers are on Inside not management and you can see the server drop out of the ARP table on the other servers or they show the ASA Mac in the ARP entry for the server that cannot be pinged.

1 ACCEPTED SOLUTION

Accepted Solutions
Jon Marshall
Hall of Fame Guru

Bob

Can you post ASA config. Also you may want to consider disabling proxy-arp on the inside and management interfaces.

Jon

View solution in original post

2 REPLIES 2
Jon Marshall
Hall of Fame Guru

Bob

Can you post ASA config. Also you may want to consider disabling proxy-arp on the inside and management interfaces.

Jon

View solution in original post

vilaxmi
Cisco Employee

Probably your ASA inside interface is trying to do a proxy ARP for the destination server in question. Let me give a detailed overview of how it wokrs:-

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface.

In order to avoid such a scenario, please try to disable proxy arp from inside interface of ASA, using the following command :-

ASA(config)# sysopt noproxyarp 

HTH

Vijaya

Content for Community-Ad