ASA Firewall cannot answer ARP request unexpectedly

Unanswered Question
Jul 9th, 2007

My customer has an ASA running 7.2.2, a Cisco 2950 switch and a Cisco 2621XM. The router is located at the outside interface of the ASA, which IP subnet is End users and an FTP client are behind the ASA, that means all the clients are located at the Inside interface, which IP subnet is The 2950 switch has multiple VLANs for different zones for the router and ASA's physical connections.

In this network, all the users need to access the other network through the ASA and then the router; the ASA will perform NAT. There was a static NAT entry to map to, then the same global IP also be the PAT for subnet Firewall policy is permit IP any any.

The problem is that when the users connect to the remote site, I can see static & dynamic NAT entries created in the NAT table and the traffic is permitted, but the connection status is always "saA" as shown in "show conn", until I plug a laptop into the VLAN which is for the outside interface of the ASA and the 2621XM; the laptop's IP address is 172.16.1.x, and all the connections can then be created smoothly.

But when I unplug the laptop's network cable, the connection fails again.

Anyway, there is no IP conflict; my laptop's IP address is not in the scope of the ASA's NAT pool.

vitripat Tue, 07/10/2007 - 11:00

What is the IP address of the outside interface of the ASA?

Are you able to ping the remote server from the ASA itself?

When you say that all connections can be created smoothly after connecting the laptop to the outside VLAN, are these connections from the laptop on the outside VLAN or from hosts on the inside VLAN?

I don't see an ARP issue here, as when traffic moves outbound through the ASA and hits the router, the router will create the ARP entry in its own cache. It seems that return traffic is not coming back to the ASA; evidence for this is the "saA" connection flags. This means the connection was successfully made outbound, however, nothing ever returned back to the ASA.

Please check the answers for the above questions and keep us posted.
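
The flag reading used in the reply above, as an added example that is not part of the thread: a short Python script that parses `show conn` output and counts, per outside peer, the TCP connections still waiting for a reply from the outside (flags `s` and `a` set, `U` not set). The sample lines are constructed, their layout is assumed to follow ASA 7.x `show conn` output, and the addresses are placeholders rather than values from the original post.

```python
import re
from collections import Counter

# Constructed sample (assumption: ASA 7.x "show conn" line layout).
# Addresses are placeholder documentation/private ranges, not from the thread.
SAMPLE_SHOW_CONN = """\
TCP out 198.51.100.20:21 in 10.0.0.15:1026 idle 0:00:07 bytes 0 flags saA
TCP out 198.51.100.20:80 in 10.0.0.16:1030 idle 0:00:03 bytes 0 flags saA
TCP out 198.51.100.30:443 in 10.0.0.17:1044 idle 0:00:01 bytes 5120 flags UIO
TCP out 198.51.100.20:21 in 10.0.0.18:1051 idle 0:00:12 bytes 0 flags saA
"""

CONN_RE = re.compile(
    r"^TCP\s+\S+\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"\S+\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),?\s+"
    r"idle\s+(?P<idle>[\d:]+),?\s+bytes\s+(?P<bytes>\d+),?\s+"
    r"flags\s+(?P<flags>\S+)"
)

def parse_conns(text):
    """Return one dict per TCP line that matches the assumed layout."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns

def awaiting_outside_reply(conn):
    """True when the SYN left the ASA but no SYN-ACK came back.

    s = awaiting outside SYN, a = awaiting outside ACK to SYN, U = up.
    """
    flags = conn["flags"]
    return "s" in flags and "a" in flags and "U" not in flags

def summarize(text):
    """Count half-open outbound connections, grouped by outside peer."""
    conns = parse_conns(text)
    stuck = [c for c in conns if awaiting_outside_reply(c)]
    by_peer = Counter(c["out_ip"] for c in stuck)
    return {"total": len(conns), "stuck": len(stuck), "by_peer": dict(by_peer)}

if __name__ == "__main__":
    report = summarize(SAMPLE_SHOW_CONN)
    print(f"{report['stuck']} of {report['total']} TCP connections have no return traffic")
    for peer, count in sorted(report["by_peer"].items()):
        print(f"  {peer}: {count} half-open")
```

When every half-open entry points at peers reached through the same next hop, the return path from that hop toward the firewall's global addresses is the place to capture traffic next.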



