Cisco ASA 5510 drops connection and restores after "clear arp"

solomon
Level 1

Hi

I am supporting a Cisco ASA 5510 that drops internet connection intermittently. When this happens the outbound interface still shows up. A "debug arp" when the problem is occurring shows the following:

arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-send: arp request built from <FW outside interface IP> <MAC address> for <ISP GW Address> at 46324020
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still  pending

This happens until I issue "clear arp", after which internet gets restored and this shows:


arp-in: response at OUTSIDE from <ISP GW Address> <MAC address> for <FW outside interface IP> <MAC address>
arp-set: added arp OUTSIDE <ISP GW Address> <MAC address> and updating NPs at 46324210
arp-in: resp from <ISP GW Address> for <FW outside interface IP> on OUTSIDE at 46324210
arp-send: sending all saved block to OUTSIDE <ISP GW Address> at 46324210

I have sent this to the ISP and they still say everything is ok on their side.

I have tried putting a static ARP entry, which makes things worse; I have to reboot the firewall when the connection drops.

I have tried adjusting the ARP timeout from the default of 14400 to 180, but the same problem comes up.

I have also realized I am getting the same ARP output for internal hosts:

arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-send: arp request built from 192.168.0.1 <MAC address> for 192.168.0.35 at 999380
arp-req: generating request for 192.168.0.35 at interface USERS
arp-req: request for 192.168.0.35 still  pending
arp-req: generating request for 192.168.0.35 at interface USERS
arp-req: request for 192.168.0.35 still  pending
arp-req: generating request for 192.168.0.35 at interface USERS
arp-req: request for 192.168.0.35 still  pending
arp-send: arp request built from 192.168.0.1 2c54.2d0c.823f for 192.168.0.44 at 1001380
arp-in: request at USERS from 192.168.0.43 dc0e.a1ea.7953 for 192.168.0.1 ffff.ffff.ffff
arp-in: rqst for me from 192.168.0.43 for 192.168.0.1, on USERS
arp-set: added arp USERS 192.168.0.43 dc0e.a1ea.7953 and updating NPs at 1001430
arp-in: generating reply from 192.168.0.1 2c54.2d0c.823f to 192.168.0.43 dc0e.a1ea.7953
arp-send: arp request built from 192.168.0.1 2c54.2d0c.823f for 192.168.0.35 at 1003380
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending

So I am trying to figure out: what exactly happens when I "clear arp" that brings the connection back?
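The symptom in this post is a gateway whose ARP resolution keeps looping on "still pending" while the interface stays up, and a `show arp` table that still holds an entry for that gateway. A small triage script makes that pattern visible on demand rather than by eyeballing a debug scroll. This is an added example, not from the original post or from Cisco: it parses the `debug arp` and `show arp` line formats quoted in the thread and reports targets that are being re-requested without ever resolving, then cross-references them against the table. The IP addresses 203.0.113.1/203.0.113.2 and the MAC aabb.ccdd.eeff are constructed placeholders for the redacted ISP gateway and firewall addresses.

```python
"""Triage Cisco ASA 'debug arp' and 'show arp' output for stuck ARP resolution.

Added example; the line formats follow those quoted in the thread, but the
addresses below are constructed placeholders (203.0.113.x is documentation space).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shapes taken from the debug output quoted in the thread.
RE_GEN = re.compile(r"^arp-req: generating request for (\S+) at interface (\S+)")
RE_PENDING = re.compile(r"^arp-req: request for (\S+) still\s+pending")
RE_SET = re.compile(r"^arp-set: added arp (\S+) (\S+) ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
# 'show arp' row: <interface> <ip> <mac> <age>
RE_SHOW = re.compile(r"^\s*(\S+) (\d+\.\d+\.\d+\.\d+) ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) (\d+)\s*$")

Key = Tuple[str, str]  # (interface, ip)


@dataclass
class ArpTarget:
    interface: str
    ip: str
    requests: int = 0            # 'generating request' lines seen
    pending: int = 0             # 'still pending' lines seen
    resolved_mac: Optional[str] = None  # set when an arp-set line lands


def parse_debug_arp(text: str) -> Dict[Key, ArpTarget]:
    """Fold a 'debug arp' capture into per-(interface, ip) resolution state."""
    targets: Dict[Key, ArpTarget] = {}
    iface_of: Dict[str, str] = {}  # 'still pending' lines carry no interface, so remember it
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_GEN.match(line):
            ip, iface = m.groups()
            iface_of[ip] = iface
            targets.setdefault((iface, ip), ArpTarget(iface, ip)).requests += 1
        elif m := RE_PENDING.match(line):
            ip = m.group(1)
            iface = iface_of.get(ip)
            if iface is not None:
                targets[(iface, ip)].pending += 1
        elif m := RE_SET.match(line):
            iface, ip, mac = m.groups()
            targets.setdefault((iface, ip), ArpTarget(iface, ip)).resolved_mac = mac
    return targets


def unresolved_targets(targets: Dict[Key, ArpTarget], min_pending: int = 3) -> List[ArpTarget]:
    """Targets re-requested at least min_pending times with no resolution in the capture."""
    hits = [t for t in targets.values() if t.resolved_mac is None and t.pending >= min_pending]
    return sorted(hits, key=lambda t: (t.interface, t.ip))


def parse_show_arp(text: str) -> Dict[Key, Tuple[str, int]]:
    """Map (interface, ip) -> (mac, age) from 'show arp' output; prompt lines are skipped."""
    table: Dict[Key, Tuple[str, int]] = {}
    for line in text.splitlines():
        if m := RE_SHOW.match(line):
            iface, ip, mac, age = m.groups()
            table[(iface, ip)] = (mac, int(age))
    return table


def stale_but_pending(targets: Dict[Key, ArpTarget],
                      table: Dict[Key, Tuple[str, int]]) -> List[Tuple[str, str, str, int]]:
    """Entries still present in the ARP table although debug shows resolution stuck.

    This is exactly the observation in the thread: the table keeps the gateway
    entry (MAC + age) while new requests for it never get answered.
    """
    return [(t.interface, t.ip, *table[(t.interface, t.ip)])
            for t in unresolved_targets(targets) if (t.interface, t.ip) in table]


# Constructed sample capture, shaped like the thread's debug output.
SAMPLE_DEBUG = """\
arp-req: generating request for 203.0.113.1 at interface OUTSIDE
arp-send: arp request built from 203.0.113.2 0011.2233.4455 for 203.0.113.1 at 46324020
arp-req: generating request for 203.0.113.1 at interface OUTSIDE
arp-req: request for 203.0.113.1 still  pending
arp-req: generating request for 203.0.113.1 at interface OUTSIDE
arp-req: request for 203.0.113.1 still  pending
arp-req: generating request for 203.0.113.1 at interface OUTSIDE
arp-req: request for 203.0.113.1 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still  pending
arp-in: request at USERS from 192.168.0.43 dc0e.a1ea.7953 for 192.168.0.1 ffff.ffff.ffff
arp-in: rqst for me from 192.168.0.43 for 192.168.0.1, on USERS
arp-set: added arp USERS 192.168.0.43 dc0e.a1ea.7953 and updating NPs at 1001430
arp-in: generating reply from 192.168.0.1 2c54.2d0c.823f to 192.168.0.43 dc0e.a1ea.7953
"""

# Constructed 'show arp' snapshot taken while the problem is occurring.
SAMPLE_SHOW = """\
FW-01# show arp
        OUTSIDE 203.0.113.1 aabb.ccdd.eeff 565
        USERS 192.168.0.44 4c72.b980.5f7e 3
        USERS 192.168.0.43 dc0e.a1ea.7953 3
FW-01#
"""

if __name__ == "__main__":
    state = parse_debug_arp(SAMPLE_DEBUG)
    for t in unresolved_targets(state):
        print(f"UNRESOLVED {t.interface} {t.ip}: {t.requests} requests, {t.pending} pending")
    for iface, ip, mac, age in stale_but_pending(state, parse_show_arp(SAMPLE_SHOW)):
        print(f"TABLE STILL HOLDS {iface} {ip} -> {mac} (age {age}) while requests go unanswered")
```

Run against a real capture by replacing the two sample strings with the saved `debug arp` and `show arp` output; an unresolved entry on the OUTSIDE interface for the default gateway is the condition the thread describes, and a non-empty `stale_but_pending` list is the sign that the cached entry, not the link state, is what is keeping the interface looking healthy.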

11 Replies

johnd2310
Level 8

Hi,

When this issue happens, what is the content of the ARP cache (show arp)? What version of ASA code are you running? How is the ASA connecting to the rest of the network, i.e. what switches are connected to the ASA?

Thanks

John

**Please rate posts you find helpful**

Hi John

This is the output of "show arp":

FW-01# show arp
        OUTSIDE 4403.a7f9.7458 565
        USERS 192.168.0.101 3c4a.9273.cf9e 0
        USERS 192.168.0.44 4c72.b980.5f7e 3
        USERS 192.168.0.43 dc0e.a1ea.7953 3
        USERS 192.168.0.23 6c3b.e539.a646 3
        USERS 192.168.0.20 009c.02a0.783c 6
        USERS 192.168.0.34 4c72.b980.260c 21
        USERS 192.168.0.37 001e.37d4.0d30 26
        USERS 192.168.0.35 082e.5f11.fc49 29
        USERS 192.168.0.45 6c62.6dbb.14d3 38
        USERS 192.168.0.27 082e.5f14.9e0f 66
        USERS 192.168.0.10 000f.fe8b.2c11 187
        WIRELESS 192.168.2.30 d420.6d41.c2ce 11
        WIRELESS 192.168.2.12 70f1.a174.01ca 31
        WIRELESS 192.168.2.24 6c88.1468.e768 33
        WIRELESS 192.168.2.11 74e5.4301.c869 45
        WIRELESS 192.168.2.10 3859.f919.7288 349
        WIRELESS 192.168.2.18 3076.6ff6.35e5 804
FW-01#

As you can see, it's a very small network. I noted that even when the connection is dropped the ARP table still has the ISP GW entry, though the error shows pending.

ASA running 8.2(5). I tried upgrading to 8.3 and the issue persisted, so I downgraded.

The ASA is connected as follows:

WS-C2960-24TC-S ============= (sub-int with VLANS)ASA 5510 (dedicated int) =====(Wimax link)======ISP GW (ASR901)

Hope this clarifies.

Thanks

Solomon

Hello,

Please follow my instructions and let me know how it goes!!!

Regards,

Jcarvaja

follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Solomon,

I am also facing the same problem with ASA 5510 (8.2.5 version). When we connect the internet link on the ASA, after some time frequent drops start and then everything suddenly goes unreachable.

Please let me know how you fixed the problem.

Hi 


In my case one of the WiMAX radios from the service provider was not passing ARP requests and hence the ISP's 7600 router was not completing its ARP table. The ISP agreed to put a manual ARP entry in the 7600 mapping our firewall's public IP to the MAC address. Later the ISP changed the faulty radio. Hope this helps.

solomon


Thanks Solomon for quick reply.

In my case, we are using a wired internet link. The ISP has placed a MUX at our location and allocated a port to us on it for connecting to the ASA interface.

Are you having the exact same problem, where when you have an intermittent connection, a clear arp brings back the connection only for it to drop after some time?

Hi, I'm having the same issue; it happens every four hours if not more.

Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)

Was this issue resolved?

Thanks,


Julio Carvajal
VIP Alumni

Hello Solomon,

First of all what version are you running on the ASA?

My recommendation would be at the time of the problem call the ISP and ask them to check the ARP table of their device and make sure you have an entry for the ASA outside MAC address.

If it is not there, then we know they are losing it more than often.

When you run a clear arp you are basically forcing the ASA to send a gratuitous ARP packet.

Try to add a manual and permanent entry on the ISP side and let us know how it goes.

Regards,

Jcarvaja

follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio

Troubleshooting with the ISP, we have established that when the link is down there is no ARP entry for our interface; the ISP router shows:

   0 Incomplete  ARPA

Waiting to see what happens with a static ARP entry.

Awesome,

Let me know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC