1987 Views · 0 Helpful · 2 Replies

strange behavior on ASA FTD

ciscoworlds
Level 4

Hi;

I faced a very strange issue on ASA FTD 6.2.2. I have many VMs on an ESXi host on different VLANs, but I started to experience reachability issues to those VMs. When I opened those VMs in the vSphere Client console, I saw all of them using 169.254.0.0/16 addresses due to address duplication. Those machines are in different VLANs; even one of them is on a VLAN whose traffic doesn't pass through the ASA FTD device, it just is on the same VLAN as one of the ASA FTD's interfaces. Interestingly, the error messages on those VMs show their IPs have been taken by the same MAC address, which belongs to the ASA FTD gig0/1 interface. I have created 3 sub-interfaces on that interface of the ASA with static IP addresses, and the mentioned MAC address (that the VMs report a conflict about) belongs to g0/1 of the ASA FTD.

Why does the ASA FTD claim all of the IPs? I assigned many different IP addresses to the VMs, but every time I got the same error message stating that all of my VM IPs have been assigned to that special MAC address (which, as I said, belongs to the g0/1 interface of the ASA).

Any idea?!

2 Replies

Ajay Saini
Level 7

Hello,

The subinterface might be sharing the MAC address of the physical interface. That's not a problem here though, I guess.


My guess is that you have some NAT configured on FTD appliance causing the FTD to proxy arp for all the subnets and hence the issue:


Ref Link:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Network_Address_Translation__NAT__for_Threat_Defense.pdf


-HTH

AJ


ciscoworlds
Level 4

Hi.

Actually, you're right. I figured it out after publishing the post but didn't manage to delete the post. Anyway, good troubleshooting :)

I had installed Kali Linux on the network plus some other Windows devices and configured 2 NAT rules on the FTD to pass traffic between all of the internal networks intact but trigger when there is traffic toward the Internet. The reason for this situation was that I mistakenly enabled Proxy ARP on both NAT rules. Because I had Kali, which I don't know how it works yet, periodically sending various packets, this led to the FTD filling its NAT table with all of the IP addresses of the DHCP pool.

I disabled Proxy ARP on the identity NAT rule which passes traffic intact and cleared the ARP table on the FTD and other clients, and everything went OK.

Thank you for your reply.
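The symptom in this thread, one MAC answering ARP for every address in several subnets because proxy ARP was enabled on an identity NAT rule, shows up clearly in the ARP cache of any host on those VLANs. The following is an added example, not code from the thread or from Cisco: it parses a constructed `arp -a` style dump (all MACs and IPs below are made up; `00:11:22:33:44:55` stands in for the hypothetical FTD g0/1 MAC) and flags MACs that own more addresses than a gateway with one address per subinterface would. Running something like this on a host during the incident would have pointed straight at the firewall's interface MAC.

```python
"""Spot a single MAC address answering ARP for many IPs across subnets.

Added example, not from the thread. Input is a constructed ARP-table dump in
the style of `arp -a` on a Linux host; the MACs and IPs are made up.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample. MAC 00:11:22:33:44:55 (hypothetical FTD g0/1) shows up
# as the owner of host addresses in three different /24s, which is the
# proxy-ARP footprint described in the thread. The aa:bb:... entries are
# ordinary hosts that each own exactly one address.
SAMPLE_ARP = """\
? (10.10.10.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.10.10.25) at 00:11:22:33:44:55 [ether] on eth0
? (10.10.10.26) at 00:11:22:33:44:55 [ether] on eth0
? (10.10.20.1) at 00:11:22:33:44:55 [ether] on eth0.20
? (10.10.20.40) at 00:11:22:33:44:55 [ether] on eth0.20
? (10.10.30.7) at 00:11:22:33:44:55 [ether] on eth0.30
? (10.10.10.50) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (10.10.20.51) at aa:bb:cc:dd:ee:02 [ether] on eth0.20
"""

# Matches "(ip) at mac" regardless of the interface suffix.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {mac: set(ip_address)} from arp -a style output."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("mac").lower()].add(ipaddress.ip_address(m.group("ip")))
    return table


def suspect_proxy_arp(table, prefix_len=24, min_extra=2):
    """Flag MACs owning more IPs than subnets they appear in.

    A router legitimately owns one address per subinterface, so one IP per
    /prefix_len is expected. Every address beyond that is "extra"; a MAC with
    at least min_extra extra addresses is answering ARP on behalf of other
    hosts, as proxy ARP on a NAT rule does.
    Returns {mac: (ip_count, extra_count, [subnets])}.
    """
    findings = {}
    for mac, ips in table.items():
        subnets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}
        extra = len(ips) - len(subnets)
        if extra >= min_extra:
            findings[mac] = (len(ips), extra, sorted(str(n) for n in subnets))
    return findings


if __name__ == "__main__":
    for mac, (count, extra, nets) in suspect_proxy_arp(parse_arp(SAMPLE_ARP)).items():
        print(f"{mac} owns {count} IPs ({extra} beyond one per subnet) across {nets}")
```

The threshold is deliberately per-subnet rather than a raw IP count so that a firewall with several subinterfaces on one physical port, exactly the setup in the question, is not flagged merely for being a multi-subnet gateway. Only addresses it claims beyond its own count as evidence.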
