
Does the ASA issue a gratuitous ARP for connected VPN clients when using the group policy VLAN command?

brian.kwitchoff
Level 1

I understand how to separate VPN clients to specific tunnel groups and to a specific VLAN on the inside, but if I have multiple groups and VLANs with overlapping routes that point to separate FWs, can I avoid the use of internal facing routes (since there is only one routing table) and just let the ASA dump the traffic into the specified VLAN and let gratuitous ARP entries (via static NAT) on the FW, that is on the same VLAN, take it from there? On the return path, does the ASA issue a gratuitous ARP on the specified VLAN when the VPN client connects and is assigned a DHCP IP? I cannot find any clear documentation on this but it seems to make sense that this is what happens.

group-policy test2 attributes
  vlan ??  "Specify the VLAN onto which VPN traffic for this group will be forwarded."

1 Reply 1

randallwebb1976
Level 1

I am having a similar issue as well.

I currently have two ASAs in a cluster to provide VPN connectivity. For simplicity let's call them ASA-1 and ASA-2. IP addresses are being assigned using local IP pools.

  

Here is the problem: if I VPN and connect to ASA-1, I will receive an IP address and be allowed to connect to the network fine. If I disconnect and then reconnect on ASA-2, I can receive the same IP address, however I cannot go anywhere on the network.

Upon further investigation of our router (which is the 1st internal hop for both ASAs), it was discovered that the ARP cache still had an IP address mapping to the original ASA (ASA-1). The ARP cache never updated when I connected to ASA-2. If I get a network admin to remove the ARP entry from the router, it automatically learns the correct ARP mapping to ASA-2.

I believe the answer would be to have the ASAs send out a gratuitous ARP (or a simple ARP reply) when a VPN client connects.

Can someone please help or assist?
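
The stale-mapping condition described in the reply above can be checked from the router side. This is an added example, not part of either post and not Cisco tooling: it compares the router's ARP cache with a record of which ASA currently terminates each pool address. The ARP text follows the layout of IOS `show ip arp`; every address, MAC and the session map are constructed assumptions.

```python
import re

# Constructed sample in the layout of IOS "show ip arp"; all values are made up.
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0000.0c00.0001  ARPA   Vlan10
Internet  10.10.10.21            42   0011.2233.4401  ARPA   Vlan10
Internet  10.10.10.22             3   0011.2233.4402  ARPA   Vlan10
Internet  10.10.10.23            17   0011.2233.4401  ARPA   Vlan10
"""

# Assumed inside-interface MACs of the two cluster members.
ASA_MAC = {"ASA-1": "0011.2233.4401", "ASA-2": "0011.2233.4402"}

# Assumed current sessions: pool address -> ASA terminating that client now.
SESSIONS = {"10.10.10.21": "ASA-2", "10.10.10.22": "ASA-2",
            "10.10.10.23": "ASA-1", "10.10.10.24": "ASA-1"}

ARP_LINE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)", re.I)

def parse_arp(text):
    """Return {ip: {"mac", "age", "interface"}} from show-ip-arp style text."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            ip, age, mac, ifname = m.groups()
            table[ip] = {"mac": mac.lower(), "age": age, "interface": ifname}
    return table

def stale_entries(arp_text, sessions, asa_mac):
    """List (ip, expected_asa, cached_asa, age) where the cache points at the wrong ASA."""
    arp = parse_arp(arp_text)
    owner = {mac.lower(): name for name, mac in asa_mac.items()}
    findings = []
    for ip, asa in sorted(sessions.items()):
        entry = arp.get(ip)
        if entry is None:
            continue  # no cached entry, so the router will resolve it fresh
        if entry["mac"] != asa_mac[asa].lower():
            findings.append((ip, asa, owner.get(entry["mac"], "unknown"), entry["age"]))
    return findings

if __name__ == "__main__":
    for ip, want, have, age in stale_entries(ROUTER_ARP, SESSIONS, ASA_MAC):
        print(f"{ip}: session on {want}, router ARP still points to {have} (age {age} min)")
```
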
