Cisco Support Community
Community Member

Has anyone seen this connectivity issue before behind an ASA5510

I have a network with a 2950 C switch set up with 2 VLANs, a Data VLAN and a management VLAN. There are 2 separate uplinks to the ASA, one for each VLAN. The problem is that servers that are on the Data VLAN periodically drop their connections to each other: you can't ping from one to the other, and you can't connect to them on the ports that they service. At the same time you see errors in the logs on the ASA saying that Server A on Inside can't connect to Server B on Management. All the servers are on Inside, not Management, and you can see the server drop out of the ARP table on the other servers, or they show the ASA MAC in the ARP entry for the server that cannot be pinged.

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: Has anyone seen this connectivity issue before behind an ASA

Bob

Can you post the ASA config? Also, you may want to consider disabling proxy-arp on the inside and management interfaces.

Jon

2 REPLIES
Cisco Employee

Re: Has anyone seen this connectivity issue before behind an ASA

Probably your ASA inside interface is trying to do a proxy ARP for the destination server in question. Let me give a detailed overview of how it works:

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface.

In order to avoid such a scenario, please try to disable proxy ARP on the inside interface of the ASA, using the following command:

ASA(config)# sysopt noproxyarp inside

HTH

Vijaya
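
To confirm the symptom described in the question (a same-VLAN server showing the ASA MAC in its ARP entry), the following added example, which is not part of the original thread, parses a server's neighbor table and lists every address that resolves to the firewall's MAC. It assumes Linux `ip neigh show` output; the sample table, addresses and MACs are constructed, and `find_proxied_hosts` is a hypothetical helper name.

```python
import re

# Constructed sample of `ip neigh show` output from a server on the Data VLAN.
# Addresses and MACs are made up; 192.0.2.1 stands in for the ASA inside interface.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:0a REACHABLE
192.0.2.11 dev eth0 lladdr 00:00:5e:00:53:01 STALE
192.0.2.12 dev eth0  FAILED
192.0.2.13 dev eth0 lladdr 00:00:5E:00:53:01 DELAY
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<state>\S+)"
)


def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_proxied_hosts(text, firewall_ip):
    """List IPs, other than the firewall's own, that resolve to the firewall's MAC."""
    table = parse_neigh(text)
    fw_mac = table.get(firewall_ip)
    if fw_mac is None:
        raise ValueError(f"no ARP entry for firewall address {firewall_ip}")
    return sorted(ip for ip, mac in table.items()
                  if mac == fw_mac and ip != firewall_ip)


if __name__ == "__main__":
    for ip in find_proxied_hosts(SAMPLE_NEIGH, "192.0.2.1"):
        print(f"{ip} resolves to the firewall MAC (possible proxy ARP answer)")
```

Run it against the table captured on an affected server while the outage is happening; any same-VLAN server address in the result matches the behaviour reported in the question.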
