Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA not answering ARP request

I'm sure this is a simple configuration issue but here is my issue:

We are running an HTTPS service on a host that is connected to our DMZ network on our ASA. This host and ASA can communicate just fine. I've created an ACL rule that allows HTTPS traffic from the outside world to the hosts DMZ IP address. I've also created a static NAT for the hosts DMZ IP address to the hosts public IP address. A request from the outside world creates a connection and can be seens via Wireshark on the host. However, a full handshake does not complete.

I see the following on the ASA:

show conn reports

TCP Internet 173.3.X.X:46061 DMZ 10.18.X.X:443, idle 0:00:00, bytes 0, flags SaAB

During this connection in Wireshark on the host I see the HTTPS request coming from the 173.3.X.X address which is followed by the host performing an ARP request asking who owns 173.3.X.X. This is where the communications chain stops. The 173.3.X.X host continues to try to access the site and I see the requests in Wireshark. I see the DMZ host continually request ARP for who owns 173.3.X.X but it never receives a reply.

Other hosts on this DMZ are working with other services (i.e. SMTP) but this one is not.

My ACL is:

access-list Internet_IN extended permit tcp any host 10.18.X.X eq https

My NAT is:

object network PublicServer_NAT4 (which equals 10.18.X.X)

nat (DMZ, Internet) static 24.38.X.X (which is the public IP of this service)

I've also restarted the ASA as I have seen strange issues like this fixed by a reboot in my past.

I'm running ASA v8.3.1.

Any help would be greatly appreciated.



Accepted Solutions

ASA not answering ARP request

Looks like server is not responding should troubleshoot on app level.


ASA not answering ARP request

Looks like server is not responding should troubleshoot on app level.

Community Member

ASA not answering ARP request

Ajay - thank you for your response.

I did solve my problem. It hit me after I posted my discussion (sometimes just saying it outloud helps). Anyway...

It hit me that the NIC shouldn't have been making an ARP request for an IP not on it network. If anything it should have been asking ARP for the MAc of the default gateway.

There was nothing in the configuration of the host that indicated a problem so I simply rebooted the host and everything is working.

CreatePlease to create content