05-21-2010 12:52 AM - edited 03-06-2019 11:11 AM
I recently installed a new ASA, connecting a 3750 switch to one of the interfaces. The interface address of the firewall is, for example, 192.168.1.1/26.
The switch has several servers on the same subnet, 192.168.1.0/26, yet when I try to connect across from one server to the other (it doesn't matter what protocol) performance is so slow that it is almost unusable. Once the devices have connected, everything works fine.
I have noticed that on occasion, if I check the ARP cache on the switch, the server may have taken the MAC address of the firewall interface (proxy?). I am confused as to why this should happen because in reality the devices are on the same piece of wire. Why would it even look at the firewall interface?
Thanks
Keith
05-21-2010 01:11 AM
Hi Keith,
I think the proxy ARP feature is enabled on the ASA. Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host.
Try disabling the feature and see the performance:
sysopt noproxyarp (interface name)
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
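As an added illustration (not from this thread), a small Python check that reads the 3750's "show ip arp" output and flags hosts inside the firewall interface's subnet whose ARP entry carries the ASA's MAC, i.e. hosts the switch has resolved through the ASA's proxy ARP rather than directly. The ARP table, addresses and MACs are constructed samples.

```python
import ipaddress
import re

# Constructed sample of IOS "show ip arp" output; not captured from a real switch.
# The firewall (192.168.1.1) owns 0011.2233.4455; .10 and .12 have picked up that MAC.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             0   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.10            3   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.11            -   aabb.cc00.1100  ARPA   Vlan10
Internet  192.168.1.12            7   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.70            2   0011.2233.4455  ARPA   Vlan20
"""

# One IOS ARP row: Internet <ip> <age or -> <xxxx.xxxx.xxxx> ARPA <interface>
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_ip_arp(text):
    """Return (ip, mac, interface) tuples parsed from 'show ip arp' output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["iface"]))
    return entries


def find_proxy_arp_victims(arp_text, fw_interface):
    """List hosts in the firewall's subnet whose ARP entry shows the firewall's MAC.

    fw_interface is the ASA interface address with prefix, e.g. '192.168.1.1/26'.
    Such hosts are being reached via the ASA instead of directly across the switch.
    """
    fw = ipaddress.ip_interface(fw_interface)
    entries = parse_ip_arp(arp_text)
    fw_mac = next((mac for ip, mac, _ in entries if ipaddress.ip_address(ip) == fw.ip), None)
    if fw_mac is None:  # firewall not in the ARP table: nothing to compare against
        return []
    victims = [ip for ip, mac, _ in entries
               if mac == fw_mac and ipaddress.ip_address(ip) != fw.ip
               and ipaddress.ip_address(ip) in fw.network]
    return sorted(victims, key=ipaddress.ip_address)


if __name__ == "__main__":
    for host in find_proxy_arp_victims(SAMPLE_ARP, "192.168.1.1/26"):
        print(f"{host} resolves to the firewall MAC (proxy ARP suspected)")
```

Hosts outside the firewall interface's subnet (192.168.1.70 above) are ignored, since the ASA answering for them is normal routed behaviour rather than the same-wire symptom described in the thread.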
05-21-2010 01:15 AM
Hi Ganesh,
I thought this might be the problem, so I disabled proxy ARP on the interface. This created more problems because I have NAT configured: as soon as I disabled the proxy feature, my NAT configurations were broken.
Thanks
Keith
05-21-2010 02:10 AM
Hi Ganesh
I have noticed on the 3750 switch the following output if I "deb ip routing static":
Path = 2 3 5 7, route table no change, recursive flag clear
Do you know what the numbers are that follow the path statement?
regards
Keith
05-21-2010 10:33 AM
Hi Keith,
Can you paste the output of what you want to convey? Proxy ARP is configured on the firewall, so the firewall will intercept the packet for every ARP reply. Check out the link below on proxy ARP on the firewall.
https://supportforums.cisco.com/docs/DOC-3155
Hope to Help !!
Ganesh.H
05-22-2010 01:53 AM
Ganesh, does this just relate to PIX ver 6.0? I am using an ASA5510 with ver 8.0(4).
Does this still apply?
05-23-2010 06:30 AM
Keith,
Sorry, that link is for PIX ver 6, but anyhow check out the link below for Troubleshoot Connectivity through the Cisco Security Appliance:
http://72.163.4.161/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml
Hope to Help !!
Ganesh.H