07-05-2017 05:05 AM - edited 03-08-2019 11:12 AM
Dear all,
We have an ASA 5525-X series and 2 Cisco 10Gb switches SG350XG-2F10.
The problem in our environment is that new servers get APIPA; we solved this by editing the registry and adding the DWORD ArpRetryCount.
The problem is that we have a Deep Sec DSVA in our VM environment which has the same APIPA problem, but how do I solve this in the DSVA?
Thanks for all the replies.
best regards
Sjef
07-05-2017 05:27 AM
I read there was a Cisco problem and gave the command on the switch and ASA:
# no ip arp gratuitous
The commands were not accepted by the Cisco IOS. Do I do something wrong?
07-06-2017 11:23 AM
Hello,
you need to be in global configuration mode:
Switch#conf t
Switch(config)#no ip arp gratuitous
That said, and I am not sure if I understand your problem correctly, if you want to keep clients from getting an APIPA address, you could configure an ARP access list (below is an example):
arp access-list VLAN_5
permit ip 169.254.0.0 0.0.255.255 mac any
ip arp inspection filter VLAN_5 vlan 5
07-10-2017 12:32 AM
Georg,
the switch says "unknown command".
Are you sure this works on all Cisco switches?
07-10-2017 04:22 AM
Hello,
my bad, the SG350X has a stripped down, very limited command set. Would disabling gratuitous ARP on the ASA solve your issue? The command is:
sysopt noproxyarp inside
07-12-2017 01:37 AM
Thanks Georg,
Should I give the command outside production hours, or will there be no impact?
Thanks in advance
Sjef
07-12-2017 04:25 AM
Hello Sjef,
I would do this outside of production just to be sure. Keep in mind that proxy ARP is a useful defense against ARP spoofing and Man-in-the-Middle attacks, so be careful when you turn it off.
Hopefully that resolves your issue...
07-13-2017 12:30 AM
Georg,
I gave the command, the ASA accepted it, but when I connect a new server APIPA comes in again.
Do you have any options?
best regards
07-13-2017 12:56 AM
07-14-2017 04:28 AM
Hello,
thanks for the info. I have installed Wireshark on a VM in the network and set the filter to
arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0
but nothing comes up... nothing to filter, as if it is not there?
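As an added illustration that is not code from this thread, the Python below parses raw ARP frames and applies the same condition as that Wireshark display filter, alongside the broader sender-equals-target check that catches gratuitous ARP announcements the narrow filter would not show. All frames, MAC and IP addresses are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame: bytes):
    """Return (opcode, sender_ip, target_ip) from an Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    ip = lambda b: ".".join(str(x) for x in b)
    return opcode, ip(frame[28:32]), ip(frame[38:42])  # sender / target protocol address

def matches_display_filter(pkt) -> bool:
    """Same condition as the Wireshark filter arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0."""
    return pkt[0] == ARP_REPLY and pkt[2] == "0.0.0.0"

def is_gratuitous(pkt) -> bool:
    """Broader check: a reply announcing the sender's own address (sender IP == target IP)."""
    return pkt[0] == ARP_REPLY and pkt[1] == pkt[2]

def build_arp(opcode: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Build a constructed test frame (broadcast Ethernet destination, made-up addresses)."""
    s, t = bytes.fromhex(smac.replace(":", "")), bytes.fromhex(tmac.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = b"\xff" * 6 + s + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + s + ip4(sip) + t + ip4(tip)

# Constructed sample capture: normal reply, reply aimed at 0.0.0.0, gratuitous announcement, request.
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, "00:11:22:33:44:01", "10.0.5.20", "00:11:22:33:44:02", "10.0.5.1"),
    build_arp(ARP_REPLY, "00:11:22:33:44:03", "10.0.5.30", "00:00:00:00:00:00", "0.0.0.0"),
    build_arp(ARP_REPLY, "00:11:22:33:44:04", "10.0.5.40", "00:11:22:33:44:04", "10.0.5.40"),
    build_arp(ARP_REQUEST, "00:11:22:33:44:05", "10.0.5.50", "00:00:00:00:00:00", "10.0.5.1"),
]

def scan(frames):
    """Return sender IPs that hit the narrow display filter and those of every gratuitous reply."""
    hits = {"display_filter": [], "gratuitous": []}
    for pkt in filter(None, map(parse_arp, frames)):
        if matches_display_filter(pkt):
            hits["display_filter"].append(pkt[1])
        if is_gratuitous(pkt):
            hits["gratuitous"].append(pkt[1])
    return hits
```

Running scan over the sample shows why an empty result from the narrow filter does not prove there is no gratuitous ARP on the segment: the announcement from 10.0.5.40 only appears under the sender-equals-target check.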
07-14-2017 05:26 AM
Hello,
not sure why you are not seeing any packets...
Back to the original problem (APIPA), do you have:
spanning-tree portfast
enabled on the switch ports the servers are connected to?
07-16-2017 11:43 PM
Georg,
I don't see anything in the config saying spanning-tree portfast is enabled.
So, no, I don't think so.
07-17-2017 12:00 AM
Hello,
the idea is that without spanning tree portfast enabled, the port takes about 40 seconds to become active, which usually causes a timeout to the connection with the DHCP server, and might be the reason you get the APIPA address. Enable portfast on the ports and check if you still get APIPA.
07-17-2017 12:15 AM
Hello,
Can I enable portfast on the switch during production,
or should I wait for production to finish?
Thanks in advance
07-17-2017 12:26 AM
Hello,
after hours again is recommended. Actually, configure spanning-tree portfast, then disconnect and reconnect the server; that way you will immediately see whether or not you still get APIPA.