Proxy ARP issues

Jun 22nd, 2009

Hi,


I am experiencing an issue with Proxy ARP in my network, but only for one server.


Our DG on our network is an ASA 8.0(3) that has Proxy ARP enabled due to allocating a portion of the same internal range to remote hosts.

I have one server on the network that is uncontactable, again on the same range, due to the ASA replying to the ARP request.

With the ARP on my machine flushed, pinging the server gets a reply on the first ping, then times out. Looking at an ethertrace from my machine, the server replies first, hence the successful response and then the ASA replies a couple of ms later causing the ping to fail and the server to become uncontactable.

At the moment the only way I can get round this is to put a static ARP entry on my machine and any other that wants to hit this server.

I have put a static entry in the ASA and not selected the PROXY ARP check box, but this makes no difference.


Interestingly, if I leave a constant ping going the server eventually responds, but periodically (randomly) falls off of the network for a random amount of time.


Any ideas?


Thanks

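The symptom described in this post (the server answers the ARP request first, then a second device answers for the same IP a couple of milliseconds later and overwrites the host's cache) is something you can confirm from a capture rather than by watching pings time out. The following is an added example, not code from the thread or from Cisco: it parses a constructed, simplified ARP-reply trace (timestamps in ms, the 192.0.2.0/24 documentation range and made-up MAC addresses are all assumptions) and reports every IP that was answered by more than one MAC within a short window, plus which responder's reply arrived last and therefore wins in the requester's ARP cache.

```python
"""
Detect an IP address answered by more than one MAC in a trace of ARP replies.

The trace format is a constructed simplification of what a packet capture
tool shows for ARP replies, one reply per line:
    <time_ms> <sender_mac> is-at <sender_ip>
"""
from collections import defaultdict

# Constructed sample trace (not from the original thread).  The server
# (00:11:22:33:44:55, assumed) answers first; a second device, assumed to be
# the proxy-ARPing gateway (00:aa:bb:cc:dd:ee), answers ~2 ms later for the
# same IP.  A third reply for a different IP has only one responder.
SAMPLE_TRACE = """\
0.000 00:11:22:33:44:55 is-at 192.0.2.50
2.100 00:aa:bb:cc:dd:ee is-at 192.0.2.50
5.000 00:11:22:33:44:66 is-at 192.0.2.60
"""


def parse_arp_replies(text):
    """Parse trace lines into (time_ms, mac, ip) tuples.

    Lines that are not well-formed ARP replies are ignored rather than
    raising, so a mixed capture can be fed in as-is.
    """
    replies = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        replies.append((float(parts[0]), parts[1].lower(), parts[3]))
    return replies


def find_conflicting_responders(replies, window_ms=1000.0):
    """Return {ip: [(mac, first_seen_ms), ...]} for every IP that received
    replies from two or more distinct MACs within window_ms of the first
    reply.  The list is ordered by arrival time of each MAC's first reply.
    """
    first_seen = defaultdict(dict)  # ip -> {mac: time of its first reply}
    for t, mac, ip in replies:
        first_seen[ip].setdefault(mac, t)

    conflicts = {}
    for ip, macs in first_seen.items():
        if len(macs) < 2:
            continue
        t0 = min(macs.values())
        close = [(m, t) for m, t in macs.items() if t - t0 <= window_ms]
        if len(close) > 1:
            conflicts[ip] = sorted(close, key=lambda mt: mt[1])
    return conflicts


def overriding_mac(entries):
    """The responder whose reply arrived last: a host that accepts every
    reply ends up with this MAC in its ARP cache."""
    return entries[-1][0]


if __name__ == "__main__":
    found = find_conflicting_responders(parse_arp_replies(SAMPLE_TRACE))
    for ip, entries in found.items():
        responders = ", ".join(f"{m} @ {t:.3f} ms" for m, t in entries)
        print(f"{ip}: answered by {len(entries)} MACs ({responders}); "
              f"cache ends up with {overriding_mac(entries)}")
```

On the sample trace this flags 192.0.2.50 as answered by two MACs, with 00:aa:bb:cc:dd:ee winning the cache, which matches the failure mode in the post. Run against a real capture, the same check distinguishes a gateway proxy-ARPing for an address it should not from a host that simply has a duplicate IP: in the first case the second MAC is the gateway's on every conflicting address.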
Giuseppe Larosa Tue, 06/23/2009 - 00:30

Hello Andrew,


>> Interestingly, if I leave a constant ping going the server eventually responds, but periodically (randomly) falls off of the network for a random amount of time.


This should happen when the ARP entry expires in its (host's) table.


>> With the ARP on my machine flushed, pinging the server gets a reply on the first ping, then times out.


The correct ARP entry is overridden by another device, the ASA.


>> I have put a static entry in the ASA and not selected the PROXY ARP check box, but this makes no difference.


All the other hosts that need to reach the affected server need the static entry; this is a high price to pay.



>> to allocating a portion of the same internal range to remote hosts.


This is the root cause of the problems: use different IP subnets on remote sites and you will get the right fix, because issues like this can arise in the near future.

So a network design review is recommended.


Hope to help

Giuseppe


Wantser1981_2 Tue, 06/23/2009 - 01:07

Thanks Giuseppe,


The points you have raised: I have already come to those conclusions. What we cannot do is redesign the network because of one server.

I guess my question is, how can I stop the ASA proxy ARPing for a particular address?

It is most odd that this is only from one server, when we have many on the LAN that do not experience this issue.


It may be that I need to add a static entry to the switches so that the resolution is known and the broadcast is not required.



Thanks


Andrew

Giuseppe Larosa Tue, 06/23/2009 - 03:54

Hello Andrew,

Each IP host has its own ARP table, and so you would need a static ARP entry on each device.

Adding the entry on the switches is not enough unless they are the gateways for the server.

This would fix communications coming from another IP subnet.


The ASA can be configured with proxy ARP disabled or enabled but not to add an exception to Proxy ARP.


Hope to help

Giuseppe

