Proxy-ARP disabled in ASA 8.4(3)...or is it?

Tarik Admani
VIP Alumni

Hi,

We recently changed our service provider and were given a larger block of IP addresses. When we switched the interfaces and started to get everything back up, the ASA that has an outbound connection was receiving ARP replies for its default gateway from an ASA on the same segment.

However, this is the default gateway of our router that has the connection out to the service provider. The ASA doesn't own this IP address, proxy ARP is disabled on the outside interface, and the ASA is not NATing this IP either.

Here is the output of the ARP collision: one ping works, but then the other ASA responds with its own reply, and this is where the traffic drops:

GDT-LQ-ISE-Staging# arp-in: request at outside from x.x.x.34 c47d.4f3b.8838 for x.x.x.37 0000.0000.0000
ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
arp-req: generating request for x.x.x.33 at interface outside
arp-send: arp request built from x.x.x.46 0024.9780.d449 for x.x.x.33 at 111336060
arp-in: response at outside from x.x.x.33 1cdf.0fdc.f201 for x.x.x.46 0024.9780.d449 (this is the correct)
arp-set: added arp outside x.x.x.33 1cdf.0fdc.f201 and updating NPs at 111336060
arp-in: resp from x.x.x.33 for x.x.x.46 on outside at 111336060
arp-send: sending all saved block to outside x.x.x.33 at 111336060
arp-in: response at outside from x.x.x.33 c47d.4f3b.8838 for x.x.x.46 0024.9780.d449
! <<<<<<<<<<Successful ping
arp-in: collision response received at outside from x.x.x.33/c47d.4f3b.8838 for x.x.x.46 0024.9780.d449
arp-set: added arp outside x.x.x.33 c47d.4f3b.8838 and updating NPs at 111336060
arp-in: resp from x.x.x.33 for x.x.x.46 on outside at 111336060
????

The default gateway is x.x.x.33 (x.x.x.34 and .35 are owned by a failover pair of ASAs, our production pair); x.x.x.46 is the ASA that I am having problems with.

Here is the config from the production ASAs:

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside

show run all | inc x.x.x.0
none

show run all | inc x.x.x.46
nothing

show run all | inc x.x.x
name x.x.x.43 abcWeb-EXT
name x.x.x.47 Exchange-EXT
name x.x.x.55 abcFTP-EXT
ip address x.x.x.34 255.255.255.224 standby x.x.x.35
host x.x.x.41
host x.x.x.39
host x.x.x.40
host x.x.x.42
host x.x.x.43
host x.x.x.47
host x.x.x.51
host x.x.x.50
host x.x.x.36
host x.x.x.37
host x.x.x.59
host x.x.x.55
host x.x.x.48
host x.x.x.55
host x.x.x.56
host x.x.x.52
host x.x.x.53
host x.x.x.54
host x.x.x.49
host x.x.x.57
host x.x.x.60
host x.x.x.58
host x.x.x.45
host x.x.x.59
host x.x.x.61
network-object host x.x.x.58
access-list phone-debug extended permit ip host t.t.t.102 host x.x.x.36
access-list phone-debug extended permit ip host t.t.t.102 host x.x.x.37
access-list phone-debug extended permit ip host t.t.t.102 host x.x.x.38
access-list phone-debug extended permit ip host x.x.x.36 host t.t.t.102
access-list phone-debug extended permit ip host x.x.x.37 host t.t.t.102
access-list phone-debug extended permit ip host x.x.x.38 host t.t.t.102
access-list acl-vcecap extended permit ip any host x.x.x.58
access-list acl-vcecap extended permit ip host x.x.x.58 any
nat (dmz1,outside) static x.x.x.55
nat (inside,outside) static x.x.x.41
nat (inside,outside) static x.x.x.39
nat (inside,outside) static x.x.x.40
nat (inside,outside) static x.x.x.42
nat (inside,outside) static x.x.x.43
nat (inside,outside) static x.x.x.51
nat (inside,outside) static x.x.x.50
nat (inside,outside) static x.x.x.36
nat (inside,outside) static x.x.x.37
nat (dmz2,outside) dynamic x.x.x.62 dns
nat (inside,outside) static x.x.x.48
nat (inside,outside) static x.x.x.56
nat (inside,outside) static x.x.x.52
nat (inside,outside) static x.x.x.53
nat (inside,outside) static x.x.x.49
nat (inside,outside) static x.x.x.44
nat (inside,outside) static x.x.x.57
nat (dmz1,outside) static x.x.x.60
nat (dmz1,outside) static x.x.x.58 dns
nat (inside,outside) static x.x.x.54
nat (dmz1,outside) static x.x.x.61
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
record-entry cucm-tftp trustpoint pp_pub_trustpoint address x.x.x.36
record-entry cucm-tftp trustpoint pp_sub_trustpoint address x.x.x.37
address x.x.x.38 interface outside

Tarik Admani
*Please rate helpful posts*       
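An added example, not part of the original post or any Cisco tool: a small parser for the `debug arp` lines quoted above that reports every IP address seen answering from more than one MAC on an interface, which is the collision pattern the post shows. The sample lines are constructed, using RFC 5737 addresses in place of the masked x.x.x prefix and reusing the MACs from the post.

```python
"""Detect ASA 'debug arp' responses where one IP answers from two MACs."""
import re
from collections import defaultdict

# Shape of the 'arp-in: response ...' and 'arp-in: collision response received ...'
# lines in the post: "... at <iface> from <ip> <mac> for <ip> <mac>".
ARP_RESP = re.compile(
    r"arp-in: (?:collision )?response (?:received )?at (?P<iface>\S+) from "
    r"(?P<ip>[\d.]+)[ /](?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.IGNORECASE,
)

def mac_conflicts(lines):
    """Return {(iface, ip): sorted MACs} for every IP that answered from >1 MAC."""
    seen = defaultdict(set)
    for line in lines:
        m = ARP_RESP.search(line)
        if m:
            seen[(m["iface"], m["ip"])].add(m["mac"].lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample (RFC 5737 addresses), shaped like the debug output in the post.
SAMPLE = """\
arp-req: generating request for 203.0.113.33 at interface outside
arp-in: response at outside from 203.0.113.33 1cdf.0fdc.f201 for 203.0.113.46 0024.9780.d449
arp-set: added arp outside 203.0.113.33 1cdf.0fdc.f201 and updating NPs at 111336060
arp-in: response at outside from 203.0.113.33 c47d.4f3b.8838 for 203.0.113.46 0024.9780.d449
arp-in: collision response received at outside from 203.0.113.33/c47d.4f3b.8838 for 203.0.113.46 0024.9780.d449
arp-in: response at outside from 203.0.113.1 aaaa.bbbb.cccc for 203.0.113.46 0024.9780.d449
""".splitlines()

if __name__ == "__main__":
    for (iface, ip), macs in mac_conflicts(SAMPLE).items():
        print(f"{iface}: {ip} answered from {len(macs)} MACs: {', '.join(macs)}")
```

The second MAC that shows up for the gateway address is the one to look up in the other devices' `show interface` output to find which box is answering.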

2 Replies

Luis Silva Benavides
Cisco Employee

Hi Tarik,

I am assuming the outputs you posted are from the .34 ASA, and I see that .46 is doing proxy-arp for the .33 address.

Do you have access to the NAT configuration of the .46 ASA?

Luis

Luis Silva

Luis,

Thanks for responding. The ARP collision was detected on the .46 ASA (GDT-LQ-ISE-Staging), which is trying to ARP for its default gateway.

The NAT configuration above is from the .34 ASA, which is responding to the ARP request.

I did some research; the mask is correctly configured, and I have seen a few issues with other customers. In my error, the proxy-arp is defined; I missed the double negative.

The question I have is: when an ASA is on a particular segment, does it automatically proxy ARP for the default gateway that it has configured?

As a workaround I added a static ARP entry, and this has fixed the issue. I would just like to know if you can clarify whether the proxy ARP behavior extends not only to global NAT IP addresses but also encompasses the default gateway.

Thanks,

Tarik Admani
*Please rate helpful posts*
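An added example, not from either poster, for the double negative Tarik mentions: on the ASA, proxy ARP is on by default and `sysopt noproxyarp <interface>` turns it off, so the `no sysopt noproxyarp outside` line in the config above leaves proxy ARP enabled on outside. The function below reads that state per interface along with the static NAT mapped addresses (the addresses proxy ARP is documented to answer for) and the default route, against a constructed config that uses RFC 5737 addresses.

```python
"""Report effective proxy-ARP state per ASA interface from running-config lines."""
import re

# 'no sysopt noproxyarp X' = proxy ARP enabled (the default); 'sysopt noproxyarp X' = disabled.
NOPROXY = re.compile(r"^(?P<neg>no )?sysopt noproxyarp (?P<iface>\S+)\s*$")
# 8.4 object NAT: 'nat (real,mapped) static <mapped-ip>'
NAT_STATIC = re.compile(r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) static (?P<ip>[\d.]+)")
ROUTE_DEF = re.compile(r"^route (?P<iface>\S+) 0\.0\.0\.0 0\.0\.0\.0 (?P<gw>[\d.]+)")

def proxy_arp_report(config):
    """Return ({iface: proxy_arp_enabled}, {iface: set of static NAT mapped IPs}, (iface, gw))."""
    state, nat_globals, default_gw = {}, {}, None
    for raw in config:
        line = raw.strip()
        if m := NOPROXY.match(line):
            state[m["iface"]] = bool(m["neg"])      # the 'no ' prefix means ENABLED
        elif m := NAT_STATIC.match(line):
            nat_globals.setdefault(m["mapped"], set()).add(m["ip"])
        elif m := ROUTE_DEF.match(line):
            default_gw = (m["iface"], m["gw"])
    return state, nat_globals, default_gw

def gateway_is_proxied(config):
    """True if proxy ARP is on for the default route's interface AND the gateway
    address is one of the static NAT mapped addresses on that interface."""
    state, nat_globals, gw = proxy_arp_report(config)
    if gw is None:
        return False
    iface, ip = gw
    return state.get(iface, True) and ip in nat_globals.get(iface, set())

# Constructed config (RFC 5737 addresses) mirroring the shape of the .34 ASA's lines.
CONFIG = """\
ip address 203.0.113.34 255.255.255.224 standby 203.0.113.35
no sysopt noproxyarp outside
sysopt noproxyarp dmz1
nat (inside,outside) static 203.0.113.41
nat (dmz1,outside) static 203.0.113.55
route outside 0.0.0.0 0.0.0.0 203.0.113.33 1
""".splitlines()

if __name__ == "__main__":
    state, globals_, gw = proxy_arp_report(CONFIG)
    print("proxy ARP per interface:", state)
    print("static NAT mapped IPs:", globals_)
    print("default gateway:", gw, "covered by NAT proxy ARP:", gateway_is_proxied(CONFIG))
```

With the gateway absent from the mapped-address set, the report says the static NAT entries do not explain an ARP reply for it, which is exactly why the collision above needs to be traced by MAC rather than by config.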
