10-24-2013 03:41 AM - edited 03-11-2019 07:55 PM
Hi
I am supporting a Cisco ASA 5510 that drops its internet connection intermittently. When this happens, the outbound interface still shows up. A "debug arp" while the problem is occurring shows the following:
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-send: arp request built from <FW outside interface IP> <MAC address> for <ISP GW Address> at 46324020
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
arp-req: generating request for <ISP GW Address> at interface OUTSIDE
arp-req: request for <ISP GW Address> still pending
This happens until I issue "clear arp", after which internet gets restored and this shows:
arp-in: response at OUTSIDE from <ISP GW Address> <MAC address> for <FW outside interface IP> <MAC address>
arp-set: added arp OUTSIDE <ISP GW Address> <MAC address> and updating NPs at 46324210
arp-in: resp from <ISP GW Address> for <FW outside interface IP> on OUTSIDE at 46324210
arp-send: sending all saved block to OUTSIDE <ISP GW Address> at 46324210
I have sent this to the ISP and they still say everything is OK on their side.
I have tried putting in a static ARP entry, which makes things worse; I have to reboot the firewall when the connection drops.
I have tried adjusting the ARP timeout from the default of 14400 to 180, but the same problem comes up.
I have also realized I am getting the same ARP output from internal hosts:
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
arp-send: arp request built from 192.168.0.1 <MAC address> for 192.168.0.35 at 999380
arp-req: generating request for 192.168.0.35 at interface USERS
arp-req: request for 192.168.0.35 still pending
arp-req: generating request for 192.168.0.35 at interface USERS
arp-req: request for 192.168.0.35 still pending
arp-req: generating request for 192.168.0.35 at interface USERS
arp-req: request for 192.168.0.35 still pending
arp-send: arp request built from 192.168.0.1 2c54.2d0c.823f for 192.168.0.44 at 1001380
arp-in: request at USERS from 192.168.0.43 dc0e.a1ea.7953 for 192.168.0.1 ffff.ffff.ffff
arp-in: rqst for me from 192.168.0.43 for 192.168.0.1, on USERS
arp-set: added arp USERS 192.168.0.43 dc0e.a1ea.7953 and updating NPs at 1001430
arp-in: generating reply from 192.168.0.1 2c54.2d0c.823f to 192.168.0.43 dc0e.a1ea.7953
arp-send: arp request built from 192.168.0.1 2c54.2d0c.823f for 192.168.0.35 at 1003380
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
So I am trying to figure out what exactly happens when I "clear arp" that brings the connection back?
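Added example, not part of the original thread: a small Python parser for "debug arp" output in the format quoted above that reports which targets keep showing "still pending" without an `arp-set` entry ever being learned. The sample lines are constructed; 203.0.113.1 stands in for the redacted ISP gateway and the MAC addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "debug arp" output quoted above.
# 203.0.113.1 stands in for the redacted ISP gateway; MACs are made up.
SAMPLE = """\
arp-req: generating request for 203.0.113.1 at interface OUTSIDE
arp-send: arp request built from 203.0.113.2 0000.5e00.5301 for 203.0.113.1 at 46324020
arp-req: generating request for 203.0.113.1 at interface OUTSIDE
arp-req: request for 203.0.113.1 still pending
arp-req: generating request for 203.0.113.1 at interface OUTSIDE
arp-req: request for 203.0.113.1 still pending
arp-req: generating request for 203.0.113.1 at interface OUTSIDE
arp-req: request for 203.0.113.1 still pending
arp-req: generating request for 192.168.0.44 at interface USERS
arp-req: request for 192.168.0.44 still pending
arp-in: request at USERS from 192.168.0.43 0000.5e00.5343 for 192.168.0.1 ffff.ffff.ffff
arp-set: added arp USERS 192.168.0.43 0000.5e00.5343 and updating NPs at 1001430
arp-req: generating request for 192.168.0.35 at interface USERS
arp-req: request for 192.168.0.35 still pending
arp-req: request for 192.168.0.35 still pending
arp-req: request for 192.168.0.35 still pending
arp-set: added arp USERS 192.168.0.35 0000.5e00.5335 and updating NPs at 1003380
""".splitlines()

GEN = re.compile(r"arp-req: generating request for (\S+) at interface (\S+)")
PENDING = re.compile(r"arp-req: request for (\S+) still pending")
LEARNED = re.compile(r"arp-set: added arp (\S+) (\S+) (\S+)")

def unresolved_targets(lines, threshold=3):
    """Return {(interface, ip): pending_count} for targets never answered."""
    iface_of = {}                # ip -> interface of the latest request
    pending = defaultdict(int)   # ip -> "still pending" lines since last learn
    for line in lines:
        if m := GEN.search(line):
            iface_of[m.group(1)] = m.group(2)
        elif m := PENDING.search(line):
            pending[m.group(1)] += 1
        elif m := LEARNED.search(line):
            pending.pop(m.group(2), None)   # entry learned: request resolved
    return {(iface_of.get(ip, "?"), ip): n
            for ip, n in pending.items() if n >= threshold}

if __name__ == "__main__":
    for (iface, ip), n in unresolved_targets(SAMPLE).items():
        print(f"{iface} {ip}: {n} pending requests, no reply learned")
```

A target that appears here on the outside interface while inside hosts resolve normally points at the upstream segment rather than the firewall's own ARP process.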
10-24-2013 06:27 AM
Hi,
When this issue happens, what is the content of the ARP cache (show arp)? What version of ASA code are you running? How is the ASA connecting to the rest of the network, i.e. what switches are connected to the ASA?
Thanks
John
10-24-2013 06:42 AM
Hi John
This is the output of "show arp"
FW-01# show arp
OUTSIDE
USERS 192.168.0.101 3c4a.9273.cf9e 0
USERS 192.168.0.44 4c72.b980.5f7e 3
USERS 192.168.0.43 dc0e.a1ea.7953 3
USERS 192.168.0.23 6c3b.e539.a646 3
USERS 192.168.0.20 009c.02a0.783c 6
USERS 192.168.0.34 4c72.b980.260c 21
USERS 192.168.0.37 001e.37d4.0d30 26
USERS 192.168.0.35 082e.5f11.fc49 29
USERS 192.168.0.45 6c62.6dbb.14d3 38
USERS 192.168.0.27 082e.5f14.9e0f 66
USERS 192.168.0.10 000f.fe8b.2c11 187
WIRELESS 192.168.2.30 d420.6d41.c2ce 11
WIRELESS 192.168.2.12 70f1.a174.01ca 31
WIRELESS 192.168.2.24 6c88.1468.e768 33
WIRELESS 192.168.2.11 74e5.4301.c869 45
WIRELESS 192.168.2.10 3859.f919.7288 349
WIRELESS 192.168.2.18 3076.6ff6.35e5 804
FW-01#
As you can see, it's a very small network. I noted that even when the connection is dropped, the ARP table still has the ISP GW entry though the error shows pending.
The ASA is running 8.2(5). I tried upgrading to 8.3 and the issue persisted, so I downgraded.
The ASA is connected as follows
WS-C2960-24TC-S ============= (sub-int with VLANS)ASA 5510 (dedicated int) =====(Wimax link)======ISP GW (ASR901)
Hope this clarified.
Thanks
Solomon
10-24-2013 06:53 AM
Hello,
Please follow my instructions and let me know how it goes!!!
Regards,
Jcarvaja
follow me on http://laguiadelnetworking.com
01-07-2015 09:40 PM
Hi Solomon,
I am also facing the same problem with an ASA 5510 (8.2.5 version). When we connect the internet link on the ASA, after some time ... frequent drops start and then everything suddenly goes unreachable.
Please let me know how you fixed the problem.
01-07-2015 11:00 PM
Hi
In my case, one of the WiMAX radios from the service provider was not passing ARP requests, and hence the ISP's 7600 router was not completing its ARP table. The ISP agreed to put a manual ARP entry in the 7600 mapping our firewall's public IP to the MAC address. Later the ISP changed the faulty radio. Hope this helps.
Solomon
01-07-2015 11:48 PM
Thanks Solomon for quick reply.
In my case, we are using a wired internet link. The ISP has placed a MUX at our location and allocated a port to us on it for connecting to the ASA interface.
01-08-2015 12:00 AM
Are you having the exact same problem where, when you have an intermittent connection, a clear arp brings back the connection only for it to drop after some time?
02-16-2015 12:51 AM
Hi, I'm having the same issue, happens every four hours is not more,
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Was this issue resolved?
Thanks,
10-24-2013 06:38 AM
Hello Solomon,
First of all what version are you running on the ASA?
My recommendation would be, at the time of the problem, to call the ISP and ask them to check the ARP table of their device and make sure they have an entry for the ASA outside MAC address.
If it is not there, then we know they are losing it more than often.
When you run a clear arp you are basically forcing the ASA to send a gratuitous ARP packet.
Try to add a manual and permanent entry on the ISP side and let us know how it goes,
Regards,
Jcarvaja
follow me on http://laguiadelnetworking.com
10-24-2013 09:02 AM
Julio
troubleshooting with ISP and have established that when link is down there is no ARP entry for our interface, ISP router shows
waiting to see what happens with a static ARP entry
10-24-2013 09:19 AM
Awesome,
Let me know