New Member

Force the ASA to send out gratuitous arp.

Hello,

I'm currently setting up a new ASA active/standby cluster, it will replace the current PIX cluster that is managed by another company.

The plan is to shutdown the interfaces on the switches where the PIX boxes are connected and activate the switchports where the new ASA's are connected. Sounds easy, but I'm afraid I will get into trouble with the cached ARP entries on the routers and hosts on the network ( and there are lots of them ), they will keep pointing at the mac addresses of the old PIX firewalls until the cached entries time out and that can take a long time.

So, I was wondering if there is a way to force the ASA's to send out a gratuitous arp that would update all the entries in the routers and hosts connected on the network ?

Any help would be much appreciated.
4 REPLIES
Hall of Fame Super Silver

I don't think you can force the ASA directly. A failover event will initiate a gratuitous ARP. So you could failover and get one sent out that way.

I've usually taken the path of clearing the ARP cache on one of the upstream / downstream devices and then pinging the ASA. That will cause those devices to send out an ARP request and the ASA will reply.

VIP Purple

Well, there *is* a way to send a gratuitous ARP. But I'm not sure if that will help you in your situation ...

When you configure an IP address on the interface, a gratuitous ARP is sent for that IP. If you cycle through all IPs that you use for NAT on the interface, then the other devices get updated for all these addresses.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Thank you for your answers, I think I'll try the failover. I wonder if it will initiate a gratuitous ARP, after all the secondary ASA will take over the IP and MAC addresses of the primary, so in case of the failover nothing really changes that would require a gratuitous ARP to be sent out?

Another thing I was thinking about was to do a ping from the ASA to the broadcast address of each interface, I wonder if that would work.

VIP Purple

> I wonder if it will initiate a gratuitous ARP, after all the secondary ASA will take over the IP and MAC addresses of the primary, so in case of the failover nothing really changes that would require a gratuitous ARP to be sent out?

From the standpoint of a host or router that communicates with the ASA, nothing changes. But the secondary ASA is very likely connected to a different switchport than the primary ASA. With the help of the gratuitous ARP the MAC table of the switch gets updated.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
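The two effects discussed in the replies above (a gratuitous ARP refreshing a stale host/router ARP entry during the PIX-to-ASA swap, and the same frame re-teaching a switch's MAC table which port the firewall now sits behind after a failover) can be made concrete by building the frame and feeding it to a tiny model of a host and a switch. The following is an added example, not code from the thread or from Cisco: it constructs a gratuitous ARP reply byte for byte per RFC 826, parses it back, and checks what each device learns. All MAC addresses, IP addresses and port numbers are made up for illustration.

```python
"""Added example: what a gratuitous ARP frame contains and why it updates
both host ARP caches (IP -> MAC) and switch MAC tables (MAC -> port).
Every address and port number below is constructed for illustration."""
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_gratuitous_arp(sender_mac, sender_ip, as_reply=True):
    """Ethernet II header + ARP body (RFC 826), 42 bytes in total.
    Gratuitous means: sender IP == target IP, sent to the broadcast MAC.
    Reply form (op=2) carries the sender MAC as target MAC; the request
    form (op=1) uses an all-zero target MAC."""
    op = 2 if as_reply else 1
    target_mac = sender_mac if as_reply else "00:00:00:00:00:00"
    eth = (mac_to_bytes(BROADCAST_MAC) + mac_to_bytes(sender_mac)
           + struct.pack("!H", ETH_P_ARP))
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6/4 byte addrs
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(sender_ip))
    return eth + arp


def parse_frame(frame):
    """Return the Ethernet and ARP fields as a dict, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def is_gratuitous(arp):
    return (arp is not None and arp["sender_ip"] == arp["target_ip"]
            and arp["dst_mac"] == BROADCAST_MAC)


class Switch:
    """MAC table learned from the source MAC of every received frame."""
    def __init__(self):
        self.mac_table = {}

    def receive(self, frame, ingress_port):
        self.mac_table[bytes_to_mac(frame[6:12])] = ingress_port


class Host:
    """ARP cache that refreshes an existing entry on a gratuitous ARP."""
    def __init__(self, cache):
        self.arp_cache = dict(cache)

    def receive(self, frame):
        arp = parse_frame(frame)
        if is_gratuitous(arp) and arp["sender_ip"] in self.arp_cache:
            self.arp_cache[arp["sender_ip"]] = arp["sender_mac"]


def simulate():
    """Returns ((host's MAC for FW_IP, switch port for ASA MAC) after the
    PIX->ASA migration, the same pair after an ASA failover)."""
    FW_IP, PIX_MAC, ASA_MAC = "192.0.2.1", "00:00:5e:00:01:aa", "00:00:5e:00:01:bb"
    switch = Switch()
    switch.mac_table[PIX_MAC] = 1          # old PIX was learned on port 1
    host = Host({FW_IP: PIX_MAC})          # stale entry pointing at the PIX
    # 1. Migration: the new ASA (new MAC, switchport 3) announces the firewall IP.
    garp = build_gratuitous_arp(ASA_MAC, FW_IP)
    switch.receive(garp, 3)
    host.receive(garp)
    after_migration = (host.arp_cache[FW_IP], switch.mac_table[ASA_MAC])
    # 2. Failover: the standby unit keeps IP and MAC but sits on switchport 4.
    garp2 = build_gratuitous_arp(ASA_MAC, FW_IP)
    switch.receive(garp2, 4)
    host.receive(garp2)
    after_failover = (host.arp_cache[FW_IP], switch.mac_table[ASA_MAC])
    return after_migration, after_failover


if __name__ == "__main__":
    print(simulate())
```

In the migration step the host's entry for the firewall IP moves from the PIX MAC to the ASA MAC and the switch learns the ASA MAC on port 3; in the failover step the host entry is unchanged (same MAC, as the questioner noted) while the switch table moves that MAC to port 4, which is exactly the update the last reply describes. Note that whether a real host honours an unsolicited ARP depends on its stack: some only refresh an entry that already exists (the behaviour modelled here), others ignore gratuitous ARPs entirely, which is why the clear-cache-and-ping approach from the first reply is the more reliable fallback.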