Firewall starts randomly responding to ARP requests for other IPs

Answered Question
Aug 23rd, 2011

I have my firewall on IP 192.168.0.1 (for example, real IP is a class C address).  I have a web server (Ubuntu 10.04, though this happened before with an 8.04 box as well) on IP 192.168.0.101.  Everything will be functioning fine, and I won't have any issues for a while.  Then, randomly, I'll have problems getting to my web server, getting disconnected from SSH sessions.  I go to one of my Linux boxes and do an "arping -b 192.168.0.101" and I will get two responses, one from my firewall and one from the box, as illustrated below.  The only way to correct the issue that I've run into is to reload the firewall, which will then behave properly again until it randomly decides to start answering ARP requests on the other IP again.

nwiadmin@vm-test-lx:~$ arping -b if-webdevint4-lx
WARNING: interface is ignored: Operation not permitted
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx]  2.309ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.434ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx]  2.280ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.377ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx]  2.129ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.221ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx]  1.839ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.934ms
Sent 4 probes (4 broadcast(s))
Received 8 response(s)

Reloaded firewall

nwiadmin@vm-test-lx:~$ arping -b if-webdevint4-lx
WARNING: interface is ignored: Operation not permitted
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.839ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.935ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.758ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.733ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  9.568ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.931ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.283ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.756ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.070ms
Sent 9 probes (9 broadcast(s))
Received 9 response(s)
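The two captures above are the whole diagnostic: before the reload, every probe for 192.168.0.101 gets two replies from two different MACs; after the reload, one reply per probe from one MAC. The script below is an added example (not code from the thread) that parses arping output in the text form shown above and turns that eyeballing into a check: it lists every MAC that answered for each IP, flags any IP answered by more than one MAC, and compares reply count against probe count. The sample capture and its MAC addresses are constructed placeholders modelled on the first capture.

```python
"""Detect IPs answered by more than one MAC in `arping` output.

Added example, not code from the thread. It parses the text form of arping
output shown in the question (the "Unicast reply from IP [MAC]  RTT" lines)
and reports every distinct MAC that answered for each IP. One IP with two
MACs is exactly the symptom above: an address conflict, or a device such as
a firewall proxy-ARPing for an address that is also live on the segment.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the question's first capture; the MACs are
# placeholders, not addresses from the original post.
SAMPLE_ARPING = """\
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [00:11:22:33:44:55]  2.309ms
Unicast reply from 192.168.0.101 [66:77:88:99:aa:bb]  2.434ms
Unicast reply from 192.168.0.101 [00:11:22:33:44:55]  2.280ms
Unicast reply from 192.168.0.101 [66:77:88:99:aa:bb]  2.377ms
Sent 2 probes (2 broadcast(s))
Received 4 response(s)
"""

REPLY_RE = re.compile(
    r"^Unicast reply from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\[(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\]\s+(?P<rtt>[\d.]+)ms$"
)
SENT_RE = re.compile(r"^Sent (?P<n>\d+) probes")
RECV_RE = re.compile(r"^Received (?P<n>\d+) response")


def parse_arping(text):
    """Return {"replies": {ip: {mac: count}}, "sent": n, "received": n}."""
    replies = defaultdict(lambda: defaultdict(int))
    sent = received = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            replies[m["ip"]][m["mac"].lower()] += 1
            continue
        m = SENT_RE.match(line)
        if m:
            sent = int(m["n"])
            continue
        m = RECV_RE.match(line)
        if m:
            received = int(m["n"])
    return {
        "replies": {ip: dict(macs) for ip, macs in replies.items()},
        "sent": sent,
        "received": received,
    }


def find_conflicts(text):
    """IPs that were answered by more than one MAC, as (ip, sorted MAC list)."""
    parsed = parse_arping(text)
    return [
        (ip, sorted(macs))
        for ip, macs in sorted(parsed["replies"].items())
        if len(macs) > 1
    ]


def over_answered(text):
    """True when more replies came back than probes were sent. With a single
    healthy responder the two counts match, as in the post-reload capture."""
    parsed = parse_arping(text)
    return parsed["received"] > parsed["sent"]


if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_ARPING):
        print(f"CONFLICT {ip}: answered by {len(macs)} MACs: {', '.join(macs)}")
    print("replies exceed probes:", over_answered(SAMPLE_ARPING))
```

Run periodically (or from a cron job that pipes `arping -b -c 4 <host>` into it), this gives an early warning the moment a second responder appears, rather than waiting for SSH sessions to drop. Keep a record of which MAC belongs to the firewall so the conflict report immediately tells you whether the extra responder is the ASA or an unknown device.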

varrao Tue, 08/23/2011 - 10:25

Hi,

What happens on the firewall? Do you see the ARP entry there for the host? If not, can you assign a static ARP for your server and monitor it for a while?

Thanks,

Varun

Correct Answer
mayrojas Tue, 08/23/2011 - 10:26

Hi,

There is a feature called proxy ARP on the ASA firewall that causes the ASA to respond to ARP requests if it has a NAT configured.

Most likely this is caused by a static (inside,inside) with the same subnet twice, an outside NAT, etc. Would you please paste your NAT configuration?

Another thing you can do is disable proxy ARP on the inside interface to make the firewall stop doing that. Here is how you do it:

ciscoasa(config)# sysopt noproxyarp inside

Hope this helps.

Mike
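Mike's explanation is that a NAT rule makes the ASA answer ARP on the rule's mapped interface for the mapped addresses, and that a mapped interface of `any` covers every interface, including inside. The scanner below is an added example (not from the thread and not a Cisco tool) that applies that reasoning as a heuristic to manual NAT lines of the shape posted later in this thread: it lists the rules whose mapped interface is the interface you care about or `any` and which do not carry the per-rule `no-proxy-arp` keyword, marking identity rules (real object equal to mapped object) separately since those are the ones Mike singles out. It assumes the 8.3-and-later manual NAT syntax, where `no-proxy-arp` is a per-rule keyword; confirm that against your release. The sample lines are constructed in the style of the posted config, with placeholder object names and a documentation-range public address.

```python
"""Heuristic scan of ASA manual (twice) NAT rules for proxy-ARP exposure.

Added example, not from the thread. Rule: a manual NAT line whose mapped
interface is the interface of interest or "any", and which does not carry
the no-proxy-arp keyword, can make the ASA answer ARP on that interface
for the mapped addresses. Identity rules (real == mapped object) are the
ones Mike singles out, so they are marked separately.
"""
import re

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source "
    r"(?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)

# Constructed sample in the style of the config posted in this thread;
# object names and the public address are placeholders.
SAMPLE_NAT = """\
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.30.0 obj-192.168.30.0
nat (inside,inside) source static obj-192.168.15.0 obj-192.168.15.0 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,outside) source static obj-192.168.0.35 obj-203.0.113.226 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.0 obj-192.168.0.0 unidirectional
"""


def parse_manual_nat(config_text):
    """Parse 'nat (real,mapped) source ...' lines into dicts; other lines are skipped."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if not m:
            continue
        tokens = m["rest"].split()
        rules.append({
            "line": line,
            "real_if": m["real_if"].strip(),
            "mapped_if": m["mapped_if"].strip(),
            "identity": m["kind"] == "static" and m["real"] == m["mapped"],
            "no_proxy_arp": "no-proxy-arp" in tokens,
        })
    return rules


def proxy_arp_candidates(config_text, interface):
    """Rules that can make the ASA answer ARP on `interface`."""
    return [
        r for r in parse_manual_nat(config_text)
        if r["mapped_if"] in (interface, "any") and not r["no_proxy_arp"]
    ]


def report(config_text, interface):
    """Human-readable lines, identity rules listed first."""
    out = []
    for r in sorted(proxy_arp_candidates(config_text, interface),
                    key=lambda r: not r["identity"]):
        tag = "IDENTITY" if r["identity"] else "static/dynamic"
        out.append(f"[{tag}] ({r['real_if']},{r['mapped_if']}) {r['line']}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_NAT, "inside"):
        print(line)
```

The global `sysopt noproxyarp inside` that Mike gives is the blunt fix; the scanner is for the cleanup afterwards, so that each identity rule with an `any` mapped interface can be narrowed to the interface it actually needs or given `no-proxy-arp`, and the global knob can eventually be removed.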

rywatters Tue, 08/23/2011 - 10:41

I just switched on sysopt noproxyarp inside as I really shouldn't need that sort of behavior, and I've got it documented if any other issues come up.  My NAT config is sanitized and included below, but is fairly messy.  I need time to clean up all my configs, but it's IT....  Never enough time.

nat (DMZ,any) source static obj-172.16.100.0 obj-172.16.100.0 destination static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20
nat (outside,outside) source static obj-192.168.30.10 obj-192.168.30.10 destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.11.0 obj-192.168.11.0
nat (inside,any) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static obj-192.168.30.0 obj-192.168.30.0
nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static obj-192.168.10.0 obj-192.168.10.0
nat (inside,any) source static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 destination static obj-192.168.11.0 obj-192.168.11.0
nat (inside,any) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 destination static k192.168.14.0 k192.168.14.0
nat (inside,any) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.192 obj-192.168.0.192 unidirectional
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.192 obj-192.168.0.192 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_13 DM_INLINE_NETWORK_13 destination static k192.168.14.0 k192.168.14.0
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11
nat (inside,any) source static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 destination static saLAN saLAN unidirectional
nat (inside,any) source static saLAN saLAN unidirectional
nat (inside,any) source static obj-192.168.12.0 obj-192.168.12.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static scLAN scLAN unidirectional
nat (inside,any) source static scLAN scLAN destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,any) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.15.0 obj-192.168.15.0 unidirectional
nat (inside,any) source static obj-192.168.15.0 obj-192.168.15.0 destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,any) source static DM_INLINE_NETWORK_15 DM_INLINE_NETWORK_15 destination static obj-10.14.58.0 obj-10.14.58.0 unidirectional
nat (inside,any) source static obj-10.14.58.0 obj-10.14.58.0 destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (inside,any) source static DM_INLINE_NETWORK_17 DM_INLINE_NETWORK_17 destination static lao2 lao2
nat (inside,any) source static DM_INLINE_NETWORK_18 DM_INLINE_NETWORK_18 destination static inl inl
nat (inside,inside) source static obj-192.168.15.0 obj-192.168.15.0 destination static obj-172.16.100.0 obj-172.16.100.0 unidirectional
nat (inside,inside) source static obj-192.168.15.0 obj-192.168.15.0 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (inside,inside) source static obj-192.168.30.0 obj-192.168.30.0 destination static obj-192.168.15.0 obj-192.168.15.0 unidirectional
nat (inside,outside) source static obj-192.168.0.35 obj-x.x138.226 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.0.35 obj-x.x138.226 service obj-tcp-source-eq-52230 obj-tcp-source-eq-52230
nat (inside,outside) source static obj-192.168.0.30 obj-x.x138.227 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.0.19 obj-x.x138.228 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (inside,outside) source static obj-192.168.0.19 obj-x.x138.228 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (DMZ,outside) source static obj-172.16.100.8 obj-x.x138.231 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (DMZ,outside) source static obj-172.16.100.8 obj-x.x138.231 service obj-tcp-source-eq-22 obj-tcp-source-eq-22
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.10.0 obj-192.168.10.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.11.0 obj-192.168.11.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.0 obj-192.168.0.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (DMZ,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.220 obj-192.168.0.220 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.220 obj-192.168.0.220 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static k192.168.14.0 k192.168.14.0
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.12.0 obj-192.168.12.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-10.14.58.0 obj-10.14.58.0 unidirectional
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static lao2 lao2 unidirectional
nat (outside,DMZ) source static inl inl destination static obj-172.16.100.0 obj-172.16.100.0
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static inl inl
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.10.0 obj-192.168.10.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.11.0 obj-192.168.11.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.0 obj-192.168.0.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.30.0 obj-192.168.30.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.13.0 obj-192.168.13.0 unidirectional
nat (DMZ,DMZ) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.220 obj-192.168.0.220 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.0.220 obj-192.168.0.220 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static k192.168.14.0 k192.168.14.0
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.12.0 obj-192.168.12.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-10.14.58.0 obj-10.14.58.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static lao2 lao2 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static inl inl
nat (DMZ,inside) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.15.0 obj-192.168.15.0 unidirectional
nat (DMZ,DMZ) source static obj-172.16.100.0 obj-172.16.100.0 destination static obj-192.168.15.0 obj-192.168.15.0 unidirectional
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.30.0 obj-192.168.30.0
nat (inside,any) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static obj-192.168.12.0 obj-192.168.12.0
nat (inside,any) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static inl inl
nat (inside,outside) source static obj-192.168.0.19 obj-x.x138.228 service tcp6001 tcp6001
nat (inside,outside) source static obj-192.168.0.59 obj-x.x138.229
nat (inside,outside) source static obj-192.168.0.75 obj-x.x138.232
nat (inside,outside) source static obj-192.168.0.72 obj-x.x138.230 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (DMZ,outside) source static obj-172.16.100.0 obj-172.16.100.0 destination static DM_INLINE_NETWORK_25 DM_INLINE_NETWORK_25
!
object network obj-192.168.0.13
 nat (inside,outside) static x.x143.37
object network obj-192.168.0.250
 nat (inside,outside) static x.x143.42
object network obj-192.168.0.253
 nat (inside,outside) static x.x143.56
object network obj-192.168.0.28
 nat (inside,outside) static x.x143.45
object network obj-192.168.0.149
 nat (inside,outside) static x.x143.52
object network obj-192.168.0.252
 nat (inside,outside) static x.x143.57
object network obj-192.168.0.77
 nat (inside,outside) static x.x143.53
object network obj-192.168.0.22
 nat (inside,outside) static x.x143.54
object network obj-192.168.0.63
 nat (inside,outside) static x.x143.41
object network obj-192.168.0.141
 nat (inside,outside) static x.x143.58
object network obj-192.168.0.80
 nat (inside,outside) static x.x143.44
object network obj-192.168.0.31
 nat (inside,outside) static x.x143.43
object network obj-192.168.0.125
 nat (inside,outside) static x.x143.39
object network obj-192.168.0.171
 nat (inside,outside) static x.x143.59
object network obj_any
 nat (inside,outside) dynamic x.x143.35
object network obj_any-01
 nat (DMZ,outside) dynamic x.x143.35
object network obj-172.16.100.7
 nat (DMZ,outside) static x.x143.46
object network obj-172.16.100.13
 nat (DMZ,outside) static x.x143.50
object network obj-172.16.100.10
 nat (DMZ,outside) static x.x143.55

mayrojas Tue, 08/23/2011 - 10:47

Lots of NATs there... some of them have objects, so I can't really tell which one will cause the failure; however, if you don't need the behavior on the inside, you should not have any problems from now on. Let me know if something comes up.

Mike.

rywatters Mon, 08/29/2011 - 12:10

Finally found everything over the weekend.  I use WebVPN and AnyConnect with our ASA firewall.  Found that a user was getting connected on AnyConnect but was having problems getting to anything.  Their address getting assigned to them was the same as the address the server was pulling, so when the server was set up the address wasn't pulled from the DHCP pool like it should have been. 
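The actual root cause, per the post above, was not a NAT rule at all: the AnyConnect address pool contained the server's address, so the ASA had a second, legitimate reason to answer ARP for 192.168.0.101 whenever a VPN client was holding it. That is a check worth automating. The script below is an added example (not from the thread) that parses ASA `ip local pool NAME FIRST-LAST mask MASK` lines and reports every address claimed both by a pool and by a statically addressed host, plus any overlap between a pool and the DHCP scope. The pool ranges, host list and scope are constructed, since the thread does not give the real ones; the hostnames reuse the ones from the question.

```python
"""Check an ASA VPN address pool against static hosts and a DHCP scope.

Added example, not from the thread. The thread's root cause was an
AnyConnect pool handing out an address that a server already used
statically. This script parses 'ip local pool NAME FIRST-LAST mask M'
lines (real ASA syntax; the values below are constructed) and reports
every address that is claimed by more than one allocation.
"""
import ipaddress
import re

POOL_RE = re.compile(
    r"^ip local pool (?P<name>\S+) (?P<first>[\d.]+)-(?P<last>[\d.]+)(?: mask (?P<mask>\S+))?$"
)

# Constructed inputs: the thread does not give the real pool or scope.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.0.100-192.168.0.120 mask 255.255.255.0
ip local pool vpnpool2 192.168.0.190-192.168.0.210 mask 255.255.255.0
"""
STATIC_HOSTS = {
    "firewall": "192.168.0.1",
    "if-webdevint4-lx": "192.168.0.101",  # the web server from the question
    "vm-test-lx": "192.168.0.168",
}
DHCP_SCOPE = ("192.168.0.150", "192.168.0.199")


def parse_pools(config_text):
    """Return {pool_name: (first_ip, last_ip)} as IPv4Address objects."""
    pools = {}
    for raw in config_text.splitlines():
        m = POOL_RE.match(raw.strip())
        if m:
            pools[m["name"]] = (
                ipaddress.ip_address(m["first"]),
                ipaddress.ip_address(m["last"]),
            )
    return pools


def find_collisions(config_text, static_hosts, dhcp_scope=None):
    """List of (pool, owner, addresses): static hosts that fall inside a
    pool, and the overlapping range where a pool intersects the DHCP scope."""
    hits = []
    for name, (first, last) in parse_pools(config_text).items():
        for host, ip in static_hosts.items():
            if first <= ipaddress.ip_address(ip) <= last:
                hits.append((name, host, ip))
        if dhcp_scope:
            d0, d1 = (ipaddress.ip_address(x) for x in dhcp_scope)
            if first <= d1 and d0 <= last:  # two closed ranges intersect
                hits.append((name, "DHCP", f"{max(first, d0)}-{min(last, d1)}"))
    return hits


if __name__ == "__main__":
    for pool, owner, addr in find_collisions(SAMPLE_CONFIG, STATIC_HOSTS, DHCP_SCOPE):
        print(f"pool {pool} overlaps {owner}: {addr}")
```

Feed it the `ip local pool` lines from `show running-config` and the static host inventory (or the DHCP server's reservations and exclusions) and run it whenever either side changes; a pool that overlaps a static host or the DHCP scope is the condition that produced the duplicate ARP replies at the top of this thread.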

This Discussion

Posted August 23, 2011 at 10:07 AM
Stats:
Replies:5 Avg. Rating:4
Views:5845 Votes:0
Shares:0