Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA Firewall cannot answer ARP request unexpectedly

My customer has an ASA running 7.2.2, a Cisco 2950 switch and a Cisco 2621XM, the router is located at the outside interface of the ASA, which IP subnet is End users and a FTP client are behind the ASA, that means all the clients are located at the Inside interface, which IP subnet is The 2950 switch has multiple VLAN for different zones for the router and ASA's physical connections.

In this network, all the users need to access the other network through the ASA then router, ASA will perform NAT. There was a static NAT entry to map to, then the same global IP also be the PAT for subnet Firewall policy is permit IP any any.

The problem is that when the users connects to remote site, I can see static & dynamic NAT entries created in NAT table and the traffic is permitted, but the connection status is always "saA" shown in "show conn", until I plug a laptop at the VLAN which is for the outside interface of ASA and the 2621XM, laptop's IP address is 172.16.1.x, all the connections can be created smoothly.

But when I unplug the laptop's network cable, the connection fails again.

Anyway, there is no any IP conflict, my laptop's IP address is not in the scope of ASA's NAT pool.

Community Member

Re: ASA Firewall cannot answer ARP request unexpectedly

I'm unable to puzzle out what might be the problem here. You may need to post a sanitized version of the config.


Re: ASA Firewall cannot answer ARP request unexpectedly

What is the IP address of outside interface of ASA?

Are you able to ping the remote server from ASA itself?

When you say that all connections can be created smoothly after connecting laptop to outside vlan, are these connections from laptop on outside vlan or from hosts on the inside vlan?

I dont see an ARP issue here as when traffic moves outbound through the ASA and hits the router, router will create the ARP entry in its own cache. It seems that return traffic is not coming back to ASA, evidence for this is "saA" connection flags. This means connection was successfully made outbound, however, nothing ever returned back to ASA.

Please check the answers for above questions and keep us posted.



CreatePlease to create content