Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Does the ASA issue a gratiutous ARP for connected VPN clients when using the group policy VLAN command?

I understand how to seperate VPN clients to specifc tunnel groups and to a specfic VLAN on the inside, but if I have multiple groups and VLAN's with overlapping routes that point to seperate FW's, can I avoid the use of internal facing routes (since there is only one routing table) and just let the ASA dump the traffic into the specified VLAN and let gratuitous ARP entries (via static NAT) on the FW, that is on the same VLAN, take it from there?  On the return path, does the ASA issue a gratuitous ARP on the specified VLAN when the VPN client connects and is assigned a DHCP IP?  I cannot find any clear documentation on this but it seems to make sense that this is what happens.

group-policy test2 attributes
  vlan ??  "Specify the VLAN onto which VPN traffic for this group will be forwarded."

  • VPN
Everyone's tags (5)
New Member

Does the ASA issue a gratiutous ARP for connected VPN clients wh

I am having a similiar issue as well.

I currently have two ASA's in a cluster to provide VPN connectivity. For simplicity lets call them ASA-1 and ASA-2. IP addresses are being assigned using local IP pools.


Here is the problem, if I VPN and connect to ASA-1, I will recieve an IP address and be allowed to connect to the network fine. If I disconnect and then reconnect on ASA-2, I can recieve the same IP address, however I cannot go anywhere on the network.

Upon further investigation of our router (which is the 1st internal hop for both ASA's), it was discovered that the ARP cache still had an IP address mapping ot the original ASA (ASA-1). The ARP cache never updated when I connected to ASA-2. If I get a netowrk admin to remove the ARP entry from the router, it automatically learns the correct ARP mapping to ASA-2.

I believe the answer would be to have the ASAs send out a gratuitous ARP (or a simple ARP reply) when a VPN client connects.

Can someone please help or assist.

This widget could not be displayed.