Thank you for the reply. Yes they are all on Vlan 1 and their IP are from the same subnet. While I get the timeouts on the server I can still see the mac address on the port that it links to. From my office which comes in through the router in the diagram I am still able to remote to the server, and ping it, it seems that it is only affecting some of the users in that building. What I have done is to clear the arp-cache on the switch but still get the problem. I will have a look at the servers arp table when it gets timesout again.

Ok I did have a look in our tooling servers arp table when the server is replying and the IP and MAC is correct for the server. As soon as it started to timeout I had a look again,  and the mac in the arp table point to the firewall! I have read on another forum about a command on the firewall that needs to be enabled: sysopt noproxyarp inside. I am not clued up on firewalls if someone can enlighten me please.

Thank you.

Hello Natius,

This command disables proxy ARP for NAT global addresses on an interface. Proxy ARP is usefull when the firewall is implenting NAT. Proxy ARP responds to ARP requests for the global addresses defined on a firewall interface. For example, if I define a global pool with two addresses (80.80.80.20 and 80.80.80.21) in the outside interface, the proxy ARP will respond to the ARP's requests directed to these IP addresses from the outside interface.

In your case, It seems a problem in the NAT definition. If NAT is OK, I think you will can disable ARP cache on the local interface.

A ARP proxy cache better explanation:

http://www.cisco.com/en/US/docs/security/pix/pix52/firewall/configuration/guide/commands.html

"The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses

To disable Proxy ARPs on the inside interface:

sysopt noproxyarp inside.

To enable Proxy ARPs on the inside interface:

no sysopt noproxyarp inside."

Best regards,

César.

The thing about this firewall is, the servers and hosts in the building is not supposed to go through the firewall, it was installed to seperate a control network from the office network. It does have an IP on the office VLAN though. Would that make a difference?

Hi,

I hope this issue is occuring due to sysopt noproxyarp interface name command is missing in firewall or some host based routes are there in any of your servers.

The reason being that, whenever the host want to know the destination it will used to send the ARP message,then destination will response with its own MAC address.

Proxy ARP allows the security appliance to reply to an ARP request             on behalf of hosts behind it. It does this by replying to ARP requests for the             static mapped addresses of those hosts. The security appliance responds to the             request with its own MAC address and then forwards the IP packets on to the             appropriate inside host.

ciscoasa(config)#no sysopt noproxyarp outside

Try to configure this in your firewall... the issue will be resolved

Regards

Karuppu

Can you check the firewall NAT configuration? It seems like the Firewall is replying with the server IP address. A possible cause is having the IP server address defined in the Firewall NAT global pool.