09-25-2012 10:17 PM - edited 03-11-2019 04:59 PM
Hi,
We recently changed our service provider and were given a larger block of IP addresses. When we switched the interfaces and started to get everything back up, the ASA that has an outbound connection was receiving ARP replies for its default gateway from an ASA on the same segment.
However, this is the default gateway of our router that has the connection out to the service provider. The ASA doesn't own this IP address, proxy ARP is disabled on the outside interface, and the ASA is not NATting this IP either.
Here is the output of the ARP collision: one ping works, but then the ASA responds with its reply and this is where the traffic drops:
GDT-LQ-ISE-Staging# arp-in: request at outside from x.x.x.34 c47d.4f3b.8838 for x.x.x.37 0000.0000.0000
ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
arp-req: generating request for x.x.x.33 at interface outside
arp-send: arp request built from x.x.x.46 0024.9780.d449 for x.x.x.33 at 111336060
arp-in: response at outside from x.x.x.33 1cdf.0fdc.f201 for x.x.x.46 0024.9780.d449 (this is the correct one)
arp-set: added arp outside x.x.x.33 1cdf.0fdc.f201 and updating NPs at 111336060
arp-in: resp from x.x.x.33 for x.x.x.46 on outside at 111336060
arp-send: sending all saved block to outside x.x.x.33 at 111336060
arp-in: response at outside from x.x.x.33 c47d.4f3b.8838 for x.x.x.46 0024.9780.d449
! <<<<<<<<<<Successful ping
arp-in: collision response received at outside from x.x.x.33/c47d.4f3b.8838 for x.x.x.46 0024.9780.d449
arp-set: added arp outside x.x.x.33 c47d.4f3b.8838 and updating NPs at 111336060
arp-in: resp from x.x.x.33 for x.x.x.46 on outside at 111336060
????
The default gateway is x.x.x.33 (x.x.x.34 and .35 are owned by a failover pair of ASAs, our production pair); x.x.x.46 is the ASA that I am having problems with.
Here is the config from the production ASAs:
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
show run all | inc x.x.x.0
none
show run all | inc x.x.x.46
nothing
show run all | inc x.x.x
name x.x.x.43 abcWeb-EXT
name x.x.x.47 Exchange-EXT
name x.x.x.55 abcFTP-EXT
ip address x.x.x.34 255.255.255.224 standby x.x.x.35
host x.x.x.41
host x.x.x.39
host x.x.x.40
host x.x.x.42
host x.x.x.43
host x.x.x.47
host x.x.x.51
host x.x.x.50
host x.x.x.36
host x.x.x.37
host x.x.x.59
host x.x.x.55
host x.x.x.48
host x.x.x.55
host x.x.x.56
host x.x.x.52
host x.x.x.53
host x.x.x.54
host x.x.x.49
host x.x.x.57
host x.x.x.60
host x.x.x.58
host x.x.x.45
host x.x.x.59
host x.x.x.61
network-object host x.x.x.58
access-list phone-debug extended permit ip host t.t.t.102 host x.x.x.36
access-list phone-debug extended permit ip host t.t.t.102 host x.x.x.37
access-list phone-debug extended permit ip host t.t.t.102 host x.x.x.38
access-list phone-debug extended permit ip host x.x.x.36 host t.t.t.102
access-list phone-debug extended permit ip host x.x.x.37 host t.t.t.102
access-list phone-debug extended permit ip host x.x.x.38 host t.t.t.102
access-list acl-vcecap extended permit ip any host x.x.x.58
access-list acl-vcecap extended permit ip host x.x.x.58 any
nat (dmz1,outside) static x.x.x.55
nat (inside,outside) static x.x.x.41
nat (inside,outside) static x.x.x.39
nat (inside,outside) static x.x.x.40
nat (inside,outside) static x.x.x.42
nat (inside,outside) static x.x.x.43
nat (inside,outside) static x.x.x.51
nat (inside,outside) static x.x.x.50
nat (inside,outside) static x.x.x.36
nat (inside,outside) static x.x.x.37
nat (dmz2,outside) dynamic x.x.x.62 dns
nat (inside,outside) static x.x.x.48
nat (inside,outside) static x.x.x.56
nat (inside,outside) static x.x.x.52
nat (inside,outside) static x.x.x.53
nat (inside,outside) static x.x.x.49
nat (inside,outside) static x.x.x.44
nat (inside,outside) static x.x.x.57
nat (dmz1,outside) static x.x.x.60
nat (dmz1,outside) static x.x.x.58 dns
nat (inside,outside) static x.x.x.54
nat (dmz1,outside) static x.x.x.61
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
record-entry cucm-tftp trustpoint pp_pub_trustpoint address x.x.x.36
record-entry cucm-tftp trustpoint pp_sub_trustpoint address x.x.x.37
address x.x.x.38 interface outside
Tarik Admani
*Please rate helpful posts*
09-27-2012 06:58 AM
Hi Tarik,
I am assuming the outputs you posted are from the .34 ASA, and I see that .46 is doing proxy-arp for the .33 address.
Do you have access to the NAT configuration of the .46 ASA?
Luis
09-27-2012 08:22 AM
Luis,
Thanks for responding. The ARP collision was detected on the .46 ASA (GDT-LQ-ISE-Staging), which is trying to ARP for its default gateway.
The NAT configuration above is from the .34 ASA, which is responding to the ARP request.
I did some research, and the mask is correctly configured; I have seen a few issues with other customers. My mistake: proxy ARP is defined, I missed the double negative.
The question I have is: when an ASA is on a particular segment, does it automatically proxy ARP for the default gateway that it has configured?
As a workaround I added a static ARP entry, and this has fixed the issue. I would just like to know if you can clarify whether the proxy ARP behavior extends beyond global NAT IP addresses to also encompass the default gateway.
Thanks,
Tarik Admani
*Please rate helpful posts*
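As an added example, not part of this thread and not Cisco code: a small Python script that parses "debug arp" output of the kind posted above, flags any IP answered by more than one MAC, records which other IPs each MAC has claimed (so the neighbour that is proxy-ARPing for the gateway can be identified, here the .34 ASA's MAC answering for .33), and prints the "arp <interface> <ip> <mac>" static entry that was used as the workaround. The sample log lines are constructed to mirror the posted output and keep the poster's anonymised x.x.x.N addresses; the script cannot know which MAC is the legitimate gateway, so it prints a candidate command per MAC and the operator must confirm the provider router's MAC before pinning it.

```python
"""Spot ARP collisions in Cisco ASA 'debug arp' output.

Added example, not part of the original thread. The log lines below are
constructed to mirror the poster's output; the interface name, IPs and MACs
are copied from the post and are not real addresses.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the debug output in the first post.
SAMPLE_DEBUG = """\
arp-in: request at outside from x.x.x.34 c47d.4f3b.8838 for x.x.x.37 0000.0000.0000
arp-req: generating request for x.x.x.33 at interface outside
arp-send: arp request built from x.x.x.46 0024.9780.d449 for x.x.x.33 at 111336060
arp-in: response at outside from x.x.x.33 1cdf.0fdc.f201 for x.x.x.46 0024.9780.d449
arp-set: added arp outside x.x.x.33 1cdf.0fdc.f201 and updating NPs at 111336060
arp-in: resp from x.x.x.33 for x.x.x.46 on outside at 111336060
arp-in: response at outside from x.x.x.33 c47d.4f3b.8838 for x.x.x.46 0024.9780.d449
arp-in: collision response received at outside from x.x.x.33/c47d.4f3b.8838 for x.x.x.46 0024.9780.d449
arp-set: added arp outside x.x.x.33 c47d.4f3b.8838 and updating NPs at 111336060
"""

# Cisco dotted-hex MAC notation, e.g. 1cdf.0fdc.f201 (kept out of the f-strings
# below because of the {4} repetition braces).
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# Replies: "response at <if> from <ip> <mac>" or the collision variant
# "collision response received at <if> from <ip>/<mac>".
RESPONSE_RE = re.compile(
    rf"^arp-in: (?:collision )?response (?:received )?at (?P<iface>\S+) "
    rf"from (?P<ip>[\w.]+)[ /](?P<mac>{MAC})\b"
)
# Requests: the sender IP/MAC pair is a claim of ownership as well.
REQUEST_RE = re.compile(
    rf"^arp-in: request at (?P<iface>\S+) from (?P<ip>[\w.]+) (?P<mac>{MAC})\b"
)


def parse_arp_debug(debug_text):
    """Return (kind, iface, ip, mac) for every line carrying a sender IP/MAC pair."""
    records = []
    for line in debug_text.splitlines():
        line = line.strip()
        m = RESPONSE_RE.match(line)
        if m:
            records.append(("reply", m["iface"], m["ip"], m["mac"]))
            continue
        m = REQUEST_RE.match(line)
        if m:
            records.append(("request", m["iface"], m["ip"], m["mac"]))
    return records


def find_collisions(debug_text):
    """(iface, ip) -> distinct MACs that replied for that IP, in the order seen.
    Only IPs answered by more than one MAC are returned; those are the
    collisions the ASA logs, i.e. two hosts claiming the same address."""
    replies = defaultdict(list)
    for kind, iface, ip, mac in parse_arp_debug(debug_text):
        if kind == "reply" and mac not in replies[(iface, ip)]:
            replies[(iface, ip)].append(mac)
    return {key: macs for key, macs in replies.items() if len(macs) > 1}


def mac_owners(debug_text):
    """mac -> sorted IPs that MAC has claimed (as requester or replier). A MAC
    answering for an IP other than its own is proxy-ARPing for that IP."""
    owners = defaultdict(set)
    for _kind, _iface, ip, mac in parse_arp_debug(debug_text):
        owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items()}


def static_arp_command(iface, ip, mac):
    """ASA CLI that pins a MAC for an IP so stray replies are ignored, the
    workaround the poster applied. Syntax: arp <interface> <ip> <mac>."""
    return f"arp {iface} {ip} {mac}"


if __name__ == "__main__":
    owners = mac_owners(SAMPLE_DEBUG)
    for (iface, ip), macs in find_collisions(SAMPLE_DEBUG).items():
        print(f"collision: {ip} on {iface} answered by {', '.join(macs)}")
        for mac in macs:
            others = [o for o in owners[mac] if o != ip]
            note = f" (this MAC also claims {', '.join(others)})" if others else ""
            print(f"  candidate: {static_arp_command(iface, ip, mac)}{note}")
    # Confirm which MAC belongs to the provider router before applying a candidate.
```

Run against real output, the "(this MAC also claims ...)" note is the useful part: in the posted trace the second MAC that answers for .33 is the same MAC that sent the request as .34, which points straight at the production ASA pair as the device answering for the gateway.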