11-16-2010 01:29 PM - edited 03-04-2019 10:29 AM
Hello,
I was wondering if there's an equivalent feature on the ASA to the Linux command 'arping.'
My ISP has a gateway in the building whose ARP cache refresh periods are set to some ridiculously long interval. It's always a huge production to reassign one of our outside NAT rules to another box.
If there's simply a way to broadcast a who-has ARP packet from the ASA (5510) manually, it'd potentially make life a whole lot easier. Is that functionality available?
Thanks!
Jack
11-17-2010 05:02 AM
Hello Jack,
I do not believe that any similar tool exists either on ASA OS or on IOS. That being said, what are you exactly trying to accomplish by emitting ARP queries?
Please note that even a ping to an IP address performed from an ASA box will first cause the ASA to look up the appropriate MAC address in the ARP table (either using the IP address itself if it is on a directly connected network, or using the IP address of an appropriate next-hop), and if that is not found, the ASA will query for it itself. You could therefore emulate the behavior of the arping utility simply by clearing the ARP cache using the command clear arp and possibly pinging the necessary IP address afterwards.
Would this solve your issue?
Best regards,
Peter
11-17-2010 06:01 AM
paluchpeter wrote:
Hello Jack,
I do not believe that any similar tool exists either on ASA OS or on IOS. That being said, what are you exactly trying to accomplish by emitting ARP queries?
Please note that even a ping to an IP address performed from an ASA box will first cause the ASA to look up the appropriate MAC address in the ARP table (either using the IP address itself if it is on a directly connected network, or using the IP address of an appropriate next-hop), and if that is not found, the ASA will query for it itself. You could therefore emulate the behavior of the arping utility simply by clearing the ARP cache using the command clear arp and possibly pinging the necessary IP address afterwards.
Would this solve your issue?
Best regards,
Peter
Peter
I think the issue is the ISP router. It arps out for an address that the ASA is doing NAT for and the ASA responds with the IP address. The ISP router then records this in its ARP table. If the NAT translation is then moved to another ASA device the ISP router still thinks it is on the first ASA because it is keeping the ARP entry in its table for a long time.
Jack
If the above is correct, the ASA doesn't have this functionality as far as I know. The only thing you can do is co-ordinate with your ISP (which I know can be a pain) when you move a NAT address or ask them to simply reduce the ARP cache timer.
One question though. How often do you need to reassign the NAT to another box and why do you need to do this?
Jon
11-17-2010 06:09 AM
Jon,
Thank you for correcting my view on this.
I think the issue is the ISP router. It arps out for an address that the ASA is doing NAT for and the ASA responds with the IP address. The ISP router then records this in its ARP table. If the NAT translation is then moved to another ASA device the ISP router still thinks it is on the first ASA because it is keeping the ARP entry in its table for a long time.
If that is the case, and it certainly sounds logical, then sending ARP queries as Jack originally sought for would not solve the issue at all. Rather, sending gratuitous ARP replies would do the trick. Perhaps using the clear arp or clear xlate forces the ASA to renew its proxy-ARP entries made for NAT purposes, and resend the gratuitous ARPs. Unfortunately, I do not have an ASA box handy right now to test this assumption.
Best regards,
Peter
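The distinction drawn in the reply above, as an added example that is not part of the original thread: a Python model of the RFC 826 packet-reception rules, showing why a who-has query from the new box leaves the upstream router's entry for the NAT address stale while a gratuitous ARP overwrites it. All IP and MAC addresses are constructed, and the model is an assumption about the ISP router, which may deviate from RFC 826.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST = 1
ZERO_MAC = "00:00:00:00:00:00"

# Constructed sample values (documentation IP range, locally administered MACs).
GATEWAY, NAT_IP, NEW_BOX_IP = "203.0.113.1", "203.0.113.10", "203.0.113.3"
OLD_MAC, NEW_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b"

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a 28-byte Ethernet/IPv4 ARP payload (no Ethernet header)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac(sha), socket.inet_aton(spa),
                       mac(tha), socket.inet_aton(tpa))

def receive(cache, my_ip, payload):
    """Apply the RFC 826 reception rules to cache (IP -> MAC).

    Returns True if the cache changed.
    """
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False                      # not Ethernet/IPv4 ARP: ignore
    spa, tpa, sender_mac = socket.inet_ntoa(spa), socket.inet_ntoa(tpa), sha.hex(":")
    before = dict(cache)
    if spa in cache:                      # merge: sender IP already known, refresh its MAC
        cache[spa] = sender_mac
    elif tpa == my_ip:                    # learn a new sender only when we are the target
        cache[spa] = sender_mac
    return cache != before

def scenario():
    """Router cache still maps the NAT address to the old box after the move."""
    cache = {NAT_IP: OLD_MAC}
    # arping-style who-has from the new box: sender IP is its own interface address.
    receive(cache, GATEWAY, build_arp(REQUEST, NEW_MAC, NEW_BOX_IP, ZERO_MAC, GATEWAY))
    after_query = cache[NAT_IP]
    # Gratuitous ARP: sender IP == target IP == the NAT address being moved.
    receive(cache, GATEWAY, build_arp(REQUEST, NEW_MAC, NAT_IP, ZERO_MAC, NAT_IP))
    return after_query, cache[NAT_IP]

if __name__ == "__main__":
    print(scenario())
```
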