Weird ARP issue

patoberli
VIP Advisor

Hello all

I have a very weird ARP issue on my ASA 5585-X SSP10 with software 8.4.6(5).

First the setup:

ASA - VLAN2 - IP 192.168.1.1 Mask 255.255.255.240 (ASA is in routing mode) - MAC 6c20.5658.8764

Second Router (router2) - VLAN2 - IP 192.168.1.14 Mask 255.255.255.240 - MAC 00:19:aa:85:6b:49

Server - VLAN2 - IP 192.168.1.6 Mask 255.255.255.240 - MAC 00:50:56:bd:4e:74

So, we have VLAN 2 with 3 devices in it: the ASA, which is a router, another router for special traffic, and a server (which will redirect the traffic to one of the two routers depending on policy).

The server shows this arp table:

arp -a -i eth1
? (192.168.1.14) at 6c:20:56:58:87:64 [ether] on eth1 (Mac address of ASA and not of router2!!!)
? (192.168.1.1) at 6c:20:56:58:87:64 [ether] on eth1 (Mac address of ASA, ok)

The ASA shows this arp table:

show arp | inc GAES
        GAESTE_OUT 192.168.1.6 0050.56bd.4e74 36 (correct)
        GAESTE_OUT 192.168.1.14 0019.aa85.6b49 156 (correct)

Now the weird stuff.

If I clear the arp table on the server and ping 192.168.1.14, this is what the capture gets:

14:01:47.614577 00:50:56:bd:4e:74 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.14 tell 192.168.1.6, length 28
14:01:47.614998 6c:20:56:58:87:64 (oui Unknown) > 00:50:56:bd:4e:74 (oui Unknown), ethertype ARP (0x0806), length 60: Reply 192.168.1.14 is-at 6c:20:56:58:87:64 (oui Unknown), length 46
14:01:47.615332 00:19:aa:85:6b:49 (oui Unknown) > 00:50:56:bd:4e:74 (oui Unknown), ethertype ARP (0x0806), length 60: Reply 192.168.1.14 is-at 00:19:aa:85:6b:49 (oui Unknown), length 46

As you can see, the router2 AND the ASA reply to this arp request! Why is this ASA sending this wrong reply?

Also a capture on the ASA on ARP shows this:

#capture arp ethernet-type arp interface GAESTE_OUT
#show captur arp det

2 packets captured

   1: 14:09:48.597411 0050.56bd.4e74 ffff.ffff.ffff 0x8100 64: 802.1Q vlan#2 P0 arp who-has 192.168.1.14 tell 192.168.1.6
   2: 14:09:48.597610 6c20.5658.8764 0050.56bd.4e74 0x8100 46: 802.1Q vlan#2 P0 arp reply 192.168.1.14 is-at 6c:20:56:58:87:64
2 packets shown

#sh ip add | inc 192.168.1.14

#sh int GAESTE_OUT
Interface GigabitEthernet0/2.2 "GAESTE_OUT", is up, line protocol is up
  Hardware is bcm56801 rev 01, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 2
        Description: VLAN to GAESTE_OUT
        MAC address 6c20.5658.8764, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.240
  Traffic Statistics for "GAESTE_OUT":
        200186428 packets input, 51055961549 bytes
        299581495 packets output, 300211809798 bytes
        447891 packets dropped

I am really confused and wondering if I am missing something.

Accepted Solution

Jouni Forss
Mentor

Hi,

So the ASA is answering for ARP requests that are meant for the Router2 to reply?

Generally you will avoid this by configuring

sysopt noproxyarp

This will disable the Proxy ARP on the ASA interface. It will still answer to ARP related to the IP address configured on its interface. If you are NATing users to some other IP address other than the interface IP address towards the interface in question, then you should not disable Proxy ARP. If you have no such NAT requirements, you should be able to safely disable Proxy ARP and avoid the ASA answering the ARP request.

I guess the ASA has to have some NAT configuration related to 192.168.1.0/24 that causes it to answer to ARP requests on behalf of some IP address that it doesn't really own.

- Jouni
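To spot this symptom in a capture without reading every frame, here is an added example (not from the post or from Cisco) that parses the tcpdump and ASA `capture` reply lines shown above, flags IPs that received ARP replies from more than one MAC, and compares each responder against the IP-to-MAC ownership table from the setup description. The sample lines and the expected-owner table are constructed from the post; the regex handles both line formats, so it goes slightly beyond the single capture in the question.

```python
import re
from collections import defaultdict

# Constructed sample input: the three frames from the server-side tcpdump in the post,
# plus the ASA's own "capture" output line for its reply, re-typed here as test data.
SAMPLE_CAPTURE = """\
14:01:47.614577 00:50:56:bd:4e:74 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.14 tell 192.168.1.6, length 28
14:01:47.614998 6c:20:56:58:87:64 (oui Unknown) > 00:50:56:bd:4e:74 (oui Unknown), ethertype ARP (0x0806), length 60: Reply 192.168.1.14 is-at 6c:20:56:58:87:64 (oui Unknown), length 46
14:01:47.615332 00:19:aa:85:6b:49 (oui Unknown) > 00:50:56:bd:4e:74 (oui Unknown), ethertype ARP (0x0806), length 60: Reply 192.168.1.14 is-at 00:19:aa:85:6b:49 (oui Unknown), length 46
   2: 14:09:48.597610 6c20.5658.8764 0050.56bd.4e74 0x8100 46: 802.1Q vlan#2 P0 arp reply 192.168.1.14 is-at 6c:20:56:58:87:64
"""

# Expected IP-to-MAC ownership for VLAN 2, taken from the post's setup description.
EXPECTED_OWNERS = {
    "192.168.1.1": "6c:20:56:58:87:64",   # ASA, interface GAESTE_OUT
    "192.168.1.14": "00:19:aa:85:6b:49",  # router2
    "192.168.1.6": "00:50:56:bd:4e:74",   # server
}

# Matches both tcpdump ("Reply X is-at M") and ASA capture ("arp reply X is-at M") lines.
ARP_REPLY = re.compile(r"reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def collect_replies(capture_text):
    """Map each IP that was answered for to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in capture_text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())
    return claims

def conflicting_replies(capture_text):
    """IPs answered by more than one MAC, i.e. duplicate ARP replies on the segment."""
    return {ip: sorted(macs) for ip, macs in collect_replies(capture_text).items() if len(macs) > 1}

def unexpected_responders(capture_text, expected_owners):
    """MACs answering for an IP they do not own (proxy ARP, misconfiguration, or spoofing)."""
    bad = {}
    for ip, macs in collect_replies(capture_text).items():
        owner = expected_owners.get(ip, "").lower()
        rogue = sorted(m for m in macs if m != owner)
        if rogue:
            bad[ip] = rogue
    return bad

if __name__ == "__main__":
    print("duplicate replies:", conflicting_replies(SAMPLE_CAPTURE))
    print("unexpected responders:", unexpected_responders(SAMPLE_CAPTURE, EXPECTED_OWNERS))
```

On the sample data the ASA's MAC is the only unexpected responder for 192.168.1.14, which is exactly the proxy ARP symptom described in the thread; run it over a fresh capture after `sysopt noproxyarp` to confirm the conflict is gone.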
