dhr.tech1
Spotlight

Summary:

Proxy ARP is enabled by default on all ASA/Firepower interfaces, but it generally comes into effect only when NAT is configured. Under normal circumstances, when traffic flows between a source and destination located behind the same FTD interface, the firewall does not intercept the traffic.

However, if NAT is configured and Proxy ARP remains enabled on the interface, the FTD responds to ARP requests on behalf of a server. This behavior becomes relevant if the server goes down—because in that case, the FTD will still reply to ARP requests for the server’s IP address, potentially leading to blackholing of the traffic.


Behaviour of Cisco FTD:

  • You have two servers (Server A and Server B) sitting behind the same interface of a Cisco FTD (Firepower Threat Defense).
  • Server B tries to reach Server A.
  • When Server A goes offline, instead of ARP requests for Server A failing (as would normally happen when the host is down), the FTD itself starts replying to ARP requests on behalf of Server A.

Analysis

  • Cisco TAC confirmed that this is “expected behavior / working as designed” and suggested disabling Proxy ARP on the interface to fix the problem.
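The symptom described above (the firewall's interface MAC answering ARP for Server A's IP after Server A goes down) is visible on the wire, so it can be checked from a packet capture taken on the server segment. The script below is an added example, not code from the original post or from Cisco: it parses raw Ethernet/ARP frames and flags any ARP reply in which the hardware address answering for a known server IP is a known firewall interface MAC rather than the MAC recorded for that server. All MAC and IP values, and the frames themselves, are constructed for illustration; in practice you would feed it frames read from a capture and maintain the inventory and firewall MAC set from your own records.

```python
"""Flag ARP replies where a firewall MAC answers for a server's IP (Proxy ARP symptom).

Added example, not part of the original post. Frames, MACs and IPs below are
constructed for illustration only.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpReply:
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_reply(frame: bytes):
    """Return an ArpReply for an Ethernet II frame carrying an ARP reply, else None."""
    if len(frame) < 14 + 28:                      # Ethernet header + ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None                               # only Ethernet/IPv4 ARP handled
    if oper != ARP_REPLY:
        return None                               # requests are not interesting here
    sha, spa, tha, tpa = arp[8:14], arp[14:18], arp[18:24], arp[24:28]
    return ArpReply(mac_to_str(sha), ".".join(map(str, spa)),
                    mac_to_str(tha), ".".join(map(str, tpa)))


def find_proxied_replies(frames, inventory, firewall_macs):
    """Return (server_ip, answering_mac, expected_mac) for every reply in which
    a firewall MAC claims a server IP that the inventory assigns to another MAC."""
    hits = []
    for frame in frames:
        reply = parse_arp_reply(frame)
        if reply is None:
            continue
        expected = inventory.get(reply.sender_ip)
        if expected is None or reply.sender_mac == expected:
            continue                              # unknown host, or the real owner answered
        if reply.sender_mac in firewall_macs:
            hits.append((reply.sender_ip, reply.sender_mac, expected))
    return hits


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an Ethernet II + ARP reply frame (sample data for the demo)."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(o) for o in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


# Constructed scenario: two servers behind one FTD interface (values are made up).
SERVER_A_IP, SERVER_A_MAC = "10.1.1.10", "00:11:22:33:44:0a"
SERVER_B_IP, SERVER_B_MAC = "10.1.1.20", "00:11:22:33:44:0b"
FTD_MAC = "00:be:ef:00:00:01"                     # hypothetical firewall interface MAC

INVENTORY = {SERVER_A_IP: SERVER_A_MAC, SERVER_B_IP: SERVER_B_MAC}

SAMPLE_FRAMES = [
    # Server A is up: it answers Server B's ARP request itself.
    build_arp_reply(SERVER_A_MAC, SERVER_A_IP, SERVER_B_MAC, SERVER_B_IP),
    # Server A is down: the firewall's MAC answers for Server A's IP (the post's symptom).
    build_arp_reply(FTD_MAC, SERVER_A_IP, SERVER_B_MAC, SERVER_B_IP),
    # A host that is not in the inventory: ignored.
    build_arp_reply("00:11:22:33:44:ff", "10.1.1.99", SERVER_B_MAC, SERVER_B_IP),
]


def demo():
    return find_proxied_replies(SAMPLE_FRAMES, INVENTORY, {FTD_MAC})


if __name__ == "__main__":
    for ip_addr, answering, expected in demo():
        print(f"{ip_addr}: answered by firewall {answering}, inventory expects {expected}")
```

The check only detects the symptom (a firewall MAC owning a server's IP in ARP), not whether the server is actually down, so treat a hit as a prompt to verify the NAT rule and the Proxy ARP setting on that interface. On the ASA/FTD CLI the per-interface setting the post refers to is `sysopt noproxyarp <interface_name>`, and a static NAT rule can carry `no-proxy-arp` instead; the post's reference video covers the FMC side.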

Reference:

How to disable Proxy ARP: https://youtu.be/81GPYEoy8Ek?si=rS1t48edFmw48or5
