Asa 5510 arp

  • Asa 5510 arp

    Hello everyone,
    I have a problem with a connection to a server located in another network. About 10 users in my LAN use an application on their local computers through which they connect to that server. For two years everything worked as it should; however, lately it often happens that the connection to the server is permanently lost. Then on the Cisco ASA I run the "clear arp" command and the connection is OK again for a while. I tried to specify the IP and MAC address combination to add a static entry to the device's ARP cache, but without success. How do I troubleshoot this?

    Thanks in advance

  • #2
    Re: Asa 5510 arp

    I would verify that the MAC address for the server matches what you see in the ASA's ARP cache, as I would imagine the ASA is doing proxy ARP for the clients. Also run debug arp on the firewall, clear out the ARP cache and then try to access the server. Before running the debug, though, I would either do it after hours or log to the buffer, as you will probably get a ton of output. I am curious to see if the ARP request is sent and you're just not getting the reply. After traffic goes through the ASA, does it go through another router? If so, check that router's ARP cache and see if you see any entries that say incomplete.

    Also, I believe proxy ARP is disabled on the ASA by default, so you may want to check that as well. There can be some security issues if you do use proxy ARP, so be aware. If you add a static ARP entry, it doesn't work?
    Last edited by auglan; 27th May 2010, 14:10.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: Asa 5510 arp

      Dear Auglan,

      Thanks for reply,

      -The MAC address of the server matches what I see in the ASA's ARP cache
      -I disabled proxy ARP on this interface, since it is enabled by default
      -When I clear ARP, the connection to the server is immediately OK
      "After traffic goes through the ASA does it go through another router?"
      I don't have access to another router, since that other network where this server is located is not in my jurisdiction, but as I said, for two years everything worked as it should, and nobody changed the configuration.
      -I added a static ARP entry but the error is still present.

      • #4
        Re: Asa 5510 arp

        If this happens again I would definitely look at the ARP cache on the ASA and see if the entry shows incomplete. Also, I believe that you may need proxy ARP on the ASA, as if there is a router on the other end between you and the server, that router or the server itself would need to resolve layer 3 to layer 2 on the reply back to the host. The only other way, if proxy ARP is disabled, is to statically assign the ARP entries.

        If you're seeing the server MAC in the ASA's ARP cache then that leads me to believe that there is no other device between your ASA and that server. If there was a router or another device you would see that device's MAC address, as it would be proxy ARPing for the server, but it's hard to say as I don't know the layout of the network.

        What I do know is you have an intermittent layer 3 to layer 2 resolution issue. Could there be another device on the network with the same IP address as the server? Check the logs on the ASA relating to any ARP collisions or problems.

        405001
        Error Message %PIX|ASA-4-405001: Received ARP {request | response} collision from IP_address/MAC_address on interface interface_name

        This indicates an ARP packet was received but the MAC address is different than what is in the ARP cache.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

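A small log check for the 405001 message quoted above, added here as an example (not from the thread, and not Cisco's code): it parses ASA syslog lines in the format shown, groups collisions by interface and IP, and flags any IP that collided with more than one MAC, which is the duplicate-address case the post asks about. The log lines are constructed samples; the 111008 "command executed" line is just an unrelated message.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread (Cisco syslog ID 405001):
#   %PIX|ASA-4-405001: Received ARP {request | response} collision from
#   IP_address/MAC_address on interface interface_name
ARP_COLLISION_RE = re.compile(
    r"%(?:PIX|ASA)-4-405001: Received ARP (?P<kind>request|response) collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines (not real captures). The 111008 line is an
# unrelated message, included to show that non-405001 events are ignored.
SAMPLE_LOG = """\
May 27 2010 14:10:01 asa5510 %ASA-4-405001: Received ARP request collision from 192.0.2.20/0011.2233.4455 on interface outside
May 27 2010 14:10:03 asa5510 %ASA-6-111008: User 'admin' executed the 'clear arp' command.
May 27 2010 14:10:05 asa5510 %ASA-4-405001: Received ARP response collision from 192.0.2.20/00AA.BBCC.DDEE on interface outside
May 27 2010 14:10:09 asa5510 %ASA-4-405001: Received ARP request collision from 10.0.0.9/0050.56ab.cdef on interface inside
"""

def parse_collision(line):
    """Return the fields of a 405001 line as a dict, or None for any other line."""
    m = ARP_COLLISION_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["mac"] = event["mac"].lower()  # normalise case so the same NIC is counted once
    return event

def summarize_collisions(lines):
    """Group 405001 events by (interface, IP) and record the distinct MACs seen for each."""
    seen = defaultdict(lambda: {"count": 0, "macs": set()})
    for line in lines:
        event = parse_collision(line)
        if event is None:
            continue
        key = (event["iface"], event["ip"])
        seen[key]["count"] += 1
        seen[key]["macs"].add(event["mac"])
    return {key: {"count": v["count"], "macs": sorted(v["macs"])} for key, v in seen.items()}

def suspicious_ips(summary):
    """(interface, IP) pairs that collided with more than one MAC: a duplicate address or a
    changed NIC on the segment, either of which leaves a stale entry that 'clear arp' masks."""
    return sorted(key for key, v in summary.items() if len(v["macs"]) > 1)
```

Feed it the output of the ASA's logging buffer (or a syslog collector export) instead of SAMPLE_LOG to see whether the server's IP is the one colliding.
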
        • #5
          Re: Asa 5510 arp

          Dear Auglan,

          As far as I know there are no other devices between the ASA on my side and the server. Also, I looked at the ARP cache on the ASA and there are no entries that show incomplete, and there is no other device in the network with the same IP as the server. I checked the logs on the ASA relating to ARP collisions or other problems,
          but I can't see anything which would indicate similar errors.
          Please advise.

          • #6
            Re: Asa 5510 arp

            At this point it's hard to say. When this happens, do you lose reachability to that side of the network as a whole, or just that server? Do users lose reachability to it on that side of the network as well? The best thing to do is try and isolate the problem. Have you checked the server logs to see if anything is in there? Maybe a bad NIC or cable, etc.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
