Cisco Support Community

Forever changing MAC addresses!

We are having an issue with a connection to a partner network. We have two Pix firewalls in Active/Standby mode (running 6.3(3)); the partner has two Pix 506E installed on our site that link back to their network. There are two Cisco switches in between the firewalls with no special security features enabled on any of the ports. All devices are on a single subnet.

We have no view of their configuration and they will not discuss the configuration on their firewalls. They simply say that the same configuration works at other sites.

The problem we have is that FTP stops working every so often (approx 4 hrs) and we can only get it going again by clearing the arp cache. See below.

! FTP not working ARP cache

show arp
int_partner XXX.XXX.1.1 000d.8811.7e52
int_partner XXX.XXX.1.99 0016.c827.6673 <--
int_partner XXX.XXX.1.88 0016.c827.65f8 <--
int_partner XXX.XXX.1.2 000f.8f1c.81c0
int_partner XXX.XXX.1.3 000f.8f1c.7d80

Clear ARP
ping XXX.XXX.1.88
ping XXX.XXX.1.99

! FTP working ARP cache

show arp
int_partner XXX.XXX.1.1 000d.8811.7e52
int_partner XXX.XXX.1.99 0016.c827.65f8 <--
int_partner XXX.XXX.1.88 0016.c827.6673 <--
int_partner XXX.XXX.1.3 000f.8f1c.7d80
int_partner XXX.XXX.1.2 000f.8f1c.81c0


As can be seen, the .88 & .99 IP addresses have swapped MAC addresses. This is not normal behaviour on networks and I believe it is caused by their internal routing through the firewalls. The .88 & .99 addresses are NAT'ed addresses because the same MACs are shown with their firewalls' interface IP addresses.

Because they will not do anything with the configuration at their end, can anyone suggest any ways of limiting the effects of the problem?

I can lower the ARP cache timeout, but I need to be able to clear the ARP cache or at least do something to update the cache at regular intervals with the changed MACs. I would like to try to use the RTR command, but this isn't available on 6.3 and upgrading isn't currently possible.

Any ideas?
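Since the poster cannot change the partner's configuration, the practical defensive step is to watch for the flip-flop itself. The script below is an added example, not the poster's or Cisco's code: it parses two PIX "show arp" captures (constructed here on the pattern of the output above, with the masked XXX.XXX.1.0 network replaced by the documentation range 192.0.2.0/24) and reports which IPs changed MAC and which pairs exchanged MACs with each other, which is the condition that preceded the FTP outage.

```python
import re

# Constructed ARP snapshots modelled on the two "show arp" captures in the post.
# 192.0.2.0/24 is a documentation range standing in for the masked addresses.
ARP_FTP_BROKEN = """\
int_partner 192.0.2.1 000d.8811.7e52
int_partner 192.0.2.99 0016.c827.6673 <--
int_partner 192.0.2.88 0016.c827.65f8 <--
int_partner 192.0.2.2 000f.8f1c.81c0
int_partner 192.0.2.3 000f.8f1c.7d80
"""
ARP_FTP_WORKING = """\
int_partner 192.0.2.1 000d.8811.7e52
int_partner 192.0.2.99 0016.c827.65f8 <--
int_partner 192.0.2.88 0016.c827.6673 <--
int_partner 192.0.2.3 000f.8f1c.7d80
int_partner 192.0.2.2 000f.8f1c.81c0
"""

# One PIX "show arp" line: <interface> <ipv4> <mac in Cisco dotted-hex form>;
# trailing annotations such as "<--" are tolerated.
ARP_LINE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})(?=\s|$)", re.I)

def parse_show_arp(text):
    """Return {(interface, ip): mac}; lines that are not ARP entries are ignored."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            iface, ip, mac = m.groups()
            table[(iface, ip)] = mac.lower()
    return table

def changed_entries(before, after):
    """Entries in both snapshots whose MAC differs, as (iface, ip, old_mac, new_mac)."""
    return sorted((k[0], k[1], before[k], after[k])
                  for k in before.keys() & after.keys() if before[k] != after[k])

def swapped_pairs(before, after):
    """Pairs of IPs on one interface that exchanged MACs (the flip-flop in the post)."""
    seen, pairs = {}, []
    for iface, ip, old, new in changed_entries(before, after):
        partner = seen.get((iface, new, old))   # an entry that moved the opposite way
        if partner:
            pairs.append(tuple(sorted((partner, ip))))
        else:
            seen[(iface, old, new)] = ip
    return pairs

if __name__ == "__main__":
    before, after = parse_show_arp(ARP_FTP_BROKEN), parse_show_arp(ARP_FTP_WORKING)
    print("ARP flip-flops:", swapped_pairs(before, after))  # [('192.0.2.88', '192.0.2.99')]
```

Run it against periodic "show arp" captures (for example every few minutes via a scheduled session) and alert when swapped_pairs returns anything, so the ARP cache can be cleared before the four-hour FTP failure is noticed by users.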



Re: Forever changing MAC addresses!

The "arp timeout" command specifies the duration to wait before the ARP table rebuilds itself, automatically updating new host information. This feature is also known as the ARP persistence timer. The no arp timeout command resets the ARP persistence timer to its default value. The show arp timeout command displays the current timeout value. Set the arp timeout to a lower value so that the ARP table is refreshed at regular intervals, which solves the issue.

Refer to the following URL for more information about the arp timeout command:
