10-18-2015 10:50 PM - edited 03-11-2019 11:45 PM
Hello
We are in the process of migrating our datacenter switches to nexus family. After swapping the old network devices with new nexus switch, the ASA FW seems to show below messages in the log,
%ASA-4-405001: Received ARP request collision from IPADDR/MACADDR on interface <Interface Name> with existing ARP entry IPADDR/MACADDR
I'm just wondering why the nexus switch is not able to send an "ip arp gratuitous request" to update the ASA ARP table, as it is enabled by default on all switch interfaces (including SVIs).
Will "ip arp gratuitous update" help?
Thanks in advance for response,
Nishant
10-19-2015 12:43 AM
Hi Nishant,
The syslog message that you are seeing is generated by the ASA whenever it sees an ARP packet with a MAC address present in its ARP cache.
This syslog message helps in figuring out if there is any ARP spoof attack happening in the network.
In your case this may be generated due to legitimate traffic, as you have changed the hardware in the network.
It is possible that the ASA still has a stale ARP cache entry pointing to the old hardware address. You can confirm this by checking the "show arp" output and verifying if there is any stale entry.
To clear the ARP cache you can use clear arp <interface> <ip>
Hope it helps!!!
Thanks,
R.Seth
Mark the answer as correct if it helps in resolving your query!!!
10-19-2015 10:16 PM
Hi Rishab,
Thanks for your response.
Yea, we had the stale entry. And our FW admin said that, because of this, the new Cisco device was not able to send any traffic, and it was suggested to clear the ARP cache.
Do we have to do this activity whenever there is a change in the hardware? Why can't the "ip arp gratuitous request" automatically update the ARP table on the FW with the new device MAC? Is it the nature of the ASA by default?
Regards
Nishant
10-20-2015 12:12 AM
Hi Nishant,
The behaviour that you see on the ASA is the way it counters the ARP poisoning attack, where an attacker can spoof the ARP packet with wrong IP/MAC information.
So if you change the hardware in your network, the stale entries will time out and then the new entries will populate the ARP cache of the firewall. I would suggest you clear the ARP cache only for the IP address which has new hardware.
Hope it helps!!!
Thanks,
R.Seth
Mark the answer as correct if it helps in resolving your query!!!
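The two replies above describe the same %ASA-4-405001 message from two angles: a stale entry after a hardware swap (one consistent new MAC per IP) versus possible ARP spoofing (several MACs claiming one IP). The following is an added example, not code from either poster or from Cisco, that parses such syslog lines and separates the two cases so you know which IPs need a targeted `clear arp <interface> <ip>` and which need a closer look. The hostnames, interface names, IPs and MACs in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Field pattern of the %ASA-4-405001 message shown in the thread. The page only
# gives placeholders (IPADDR/MACADDR), so the sample log below is constructed.
ARP_COLLISION_RE = re.compile(
    r"%ASA-4-405001: Received ARP (?P<kind>request|response) collision from "
    r"(?P<ip>\S+)/(?P<new_mac>\S+) on interface (?P<iface>\S+) "
    r"with existing ARP entry (?P<old_ip>\S+)/(?P<old_mac>\S+)"
)

# Constructed sample: one IP on "dmz" consistently announced by a new MAC
# (hardware swap), one IP on "inside" claimed by two different MACs.
SAMPLE_LOG = [
    "Oct 19 2015 00:10:01 fw01 %ASA-4-405001: Received ARP request collision from "
    "10.10.20.1/5c5e.ab11.2233 on interface dmz with existing ARP entry 10.10.20.1/0019.5611.aabb",
    "Oct 19 2015 00:10:31 fw01 %ASA-4-405001: Received ARP request collision from "
    "10.10.20.1/5c5e.ab11.2233 on interface dmz with existing ARP entry 10.10.20.1/0019.5611.aabb",
    "Oct 19 2015 00:11:02 fw01 %ASA-4-405001: Received ARP response collision from "
    "10.10.30.7/000c.2911.1111 on interface inside with existing ARP entry 10.10.30.7/000c.2922.2222",
    "Oct 19 2015 00:11:09 fw01 %ASA-4-405001: Received ARP response collision from "
    "10.10.30.7/000c.2933.3333 on interface inside with existing ARP entry 10.10.30.7/000c.2922.2222",
    "Oct 19 2015 00:11:10 fw01 %ASA-6-302013: Built inbound TCP connection 1234",  # unrelated line
]


def parse_collision(line):
    """Return the collision fields as a dict, or None if the line is not a 405001 message."""
    m = ARP_COLLISION_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Group collisions per (interface, ip): the cached MAC, every new MAC seen, and a count."""
    seen = defaultdict(lambda: {"old_mac": None, "new_macs": set(), "count": 0})
    for line in lines:
        rec = parse_collision(line)
        if rec is None:
            continue
        entry = seen[(rec["iface"], rec["ip"])]
        entry["old_mac"] = rec["old_mac"]
        entry["new_macs"].add(rec["new_mac"])
        entry["count"] += 1
    return {k: {"old_mac": v["old_mac"], "new_macs": sorted(v["new_macs"]),
                "count": v["count"]} for k, v in seen.items()}


def classify(entry):
    """One stable new MAC matches the replaced-hardware case from the thread (clear that
    single entry); several MACs for one IP is the poisoning pattern the ASA guards against."""
    return "stale-entry" if len(entry["new_macs"]) == 1 else "investigate"


if __name__ == "__main__":
    for (iface, ip), entry in summarize(SAMPLE_LOG).items():
        print(f"{iface} {ip}: cached {entry['old_mac']} -> seen {entry['new_macs']} "
              f"x{entry['count']} [{classify(entry)}]")
```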