10-08-2013 08:46 AM - edited 03-11-2019 07:48 PM
Hello,
I have a question about the ASA and ARP traffic in IOS 9.1.2 for the ASA 5585-X in multi-context mode. I have discovered a curious behaviour regarding ARP traffic in my cluster of ASAs. When I try to send a ping between hosts in the same subnet, and these hosts have the ASA interface as their gateway (the ASA is their router), it doesn't work; if I tick the checkbox to enable communication between hosts connected to the same interface, it still doesn't work. The only way to achieve my aim (ping between hosts) is to implement an access rule allowing IP traffic from my origin network to the same network as destination.
I think that this is some feature of the ASA that filters the ARP requests, but I don't understand it!!! Can you help me, please?
Thanks.
10-08-2013 08:55 AM
Hi,
The ASA does use Proxy ARP by default to answer ARP requests.
I guess this should only happen if there is some NAT configuration which makes the ASA reply to ARP requests (because of a mapped/NAT address being configured) even though it really doesn't own the IP address.
Though I could swear that I have had environments with a very simple NAT configuration and still experienced problems with the ASA's Proxy ARP.
If you want to disable Proxy ARP on some ASA interface, then you can use the following command
sysopt noproxyarp <interface name>
Hope this helps
- Jouni
10-08-2013 05:31 PM
Hello Cristian,
Can you run Wireshark on your PC and see what the destination MAC is when you try to ping?
Or just check the ARP table on the PC and see what MAC is associated with the destination IP.
If the hosts are on the same network, then this should not go through the ASA.
If the destination MAC is the ASA's, then it sounds like a proxy ARP issue, as Jouni stated; you can disable it to test, clear ARP on the PC and try again.
Regards,
Felipe.
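The check Felipe describes (look at the PC's ARP cache and see whether the destination IP resolved to the ASA's MAC) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses either Windows `arp -a` or Linux `ip neigh` output, finds neighbours whose MAC equals the gateway's MAC, and classifies a given target. The two listings, the addresses and the MACs are constructed; 192.168.10.1 is assumed to be the ASA interface.

```python
import re

# Constructed sample listings (not from the thread): one in Windows "arp -a"
# format and one in Linux "ip neigh" format. 192.168.10.1 is assumed to be the
# ASA inside interface; 192.168.10.30 has "resolved" to the ASA's MAC, which is
# what a proxy-ARP reply from the firewall looks like from the PC's side.
WINDOWS_ARP = """\
Interface: 192.168.10.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1e-7a-aa-bb-01     dynamic
  192.168.10.30         00-1e-7a-aa-bb-01     dynamic
  192.168.10.40         f4-8e-38-12-34-56     dynamic
"""

LINUX_NEIGH = """\
192.168.10.1 dev eth0 lladdr 00:1e:7a:aa:bb:01 REACHABLE
192.168.10.30 dev eth0 lladdr 00:1e:7a:aa:bb:01 STALE
192.168.10.40 dev eth0 lladdr f4:8e:38:12:34:56 REACHABLE
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def normalize_mac(mac):
    """Canonical lower-case colon form so Windows and Linux entries compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from Windows 'arp -a' or Linux 'ip neigh' output.
    Lines without both an IP and a MAC (headers, the Windows 'Interface:' line,
    incomplete/FAILED neighbours) are skipped."""
    table = {}
    for line in text.splitlines():
        ip_m = IP_RE.search(line)
        mac_m = MAC_RE.search(line)
        if ip_m and mac_m:
            table[ip_m.group(1)] = normalize_mac(mac_m.group(0))
    return table


def find_proxy_arp_suspects(table, gateway_ip):
    """IPs other than the gateway whose MAC equals the gateway's MAC.
    On a flat subnet each host answers ARP with its own MAC, so a neighbour that
    resolves to the firewall's MAC means the firewall answered the ARP request
    in its place (proxy ARP) and the PC will send that traffic to the ASA."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items()
                  if mac == gw_mac and ip != gateway_ip)


def diagnose(text, gateway_ip, target_ip):
    """Classify the PC's ARP entry for target_ip: 'no_entry', 'proxy_arp' or 'direct'."""
    table = parse_arp_table(text)
    if target_ip not in table:
        return "no_entry"
    if target_ip in find_proxy_arp_suspects(table, gateway_ip):
        return "proxy_arp"
    return "direct"


if __name__ == "__main__":
    for name, listing in (("windows", WINDOWS_ARP), ("linux", LINUX_NEIGH)):
        table = parse_arp_table(listing)
        print(name, "entries:", table)
        print(name, "proxy-ARP suspects:",
              find_proxy_arp_suspects(table, "192.168.10.1"))
```

On a real PC, feed it the output of `arp -a` (Windows) or `ip neigh` (Linux) after pinging the neighbour. A result of `proxy_arp` for the target confirms the symptom from the thread; after changing the ASA, clear the cache (`arp -d *` on Windows, `ip neigh flush dev eth0` on Linux), ping again and re-run the check to confirm the entry now carries the neighbour's own MAC.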
10-09-2013 12:31 AM
Hi Felipe,
I revised this but unfortunately it doesn't work. I'm sure that the problem is in the ARP, but I can't find the reason... I don't understand "Jouni stated". What do you mean?
Thanks.
10-09-2013 12:47 AM
Hi,
Your firewall should not see any traffic between the hosts on the same subnet.
If it is seeing traffic between the hosts, then it's likely that Proxy ARP on the ASA is the problem. Proxy ARP is enabled on the ASA by default on all interfaces. This essentially means that when the host connecting to the other host on the same subnet sends an ARP request, the ASA might reply to that ARP request instead of the actual destination host. This is why traffic might get forwarded to the ASA instead of the actual host.
If you want to disable Proxy ARP on some ASA interface, then you can use
sysopt noproxyarp <interface name>
Where you replace the
- Jouni