New Member

Seeing large quantities of arp requests on outside interface of ASA

Seeing lots of arp requests on the outside interface

Potentially relevant info:

the ASA is in a /30 network.

arp requests (condensed) on outside interface (sorted by IP address and duplicates deleted):

10.160.184.1 0014.f1ea.82d9 for 10.160.184.81 0000.0000.0000

10.31.112.1 0014.f1ea.82d9 for 10.31.115.225 0000.0000.0000

24.175.192.1 0014.f1ea.82d9 for 24.175.194.77 0000.0000.0000

24.92.104.1 0014.f1ea.82d9 for 24.92.106.219 0000.0000.0000

67.10.208.1 0014.f1ea.82d9 for 67.10.222.117 0000.0000.0000

69.91.124.1 0014.f1ea.82d9 for 69.91.124.100 0000.0000.0000

71.40.38.1 0014.f1ea.82d9 for 71.40.38.78 0000.0000.0000

ALL of them come from the same mac address

And from my home network (completely different ISP) all (except the 10.x.x.x’s of course) trace route the preceding hop to

tge9-4.elpstx2-er02.texas.rr.com [24.175.60.159] (most)  or

tge9-1.elpstx2-er02.texas.rr.com [24.175.60.83] (1)

What the heck is going on here?

they say nothing is wrong, my guess is something is mis-configured on one (or more) of their routers.

Raw Debug arp from El Paso Citadel:

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.222.117 0000.0000.0000

arp-in: request at outside from 24.92.104.1 0014.f1ea.82d9  for 24.92.106.219 0000.0000.0000

arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.194.77 0000.0000.0000

arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.195.77 0000.0000.0000

arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.195.129 0000.0000.0000

arp-in: request at outside from 24.92.104.1 0014.f1ea.82d9  for 24.92.106.241 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.221.118 0000.0000.0000

arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.192.116 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.209.231 0000.0000.0000

arp-in: request at outside from 69.91.124.1 0014.f1ea.82d9  for 69.91.124.100 0000.0000.0000

arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.194.146 0000.0000.0000

arp-in: request at outside from 24.92.104.1 0014.f1ea.82d9  for 24.92.111.49 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.214.78 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.218.77 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.219.77 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.220.77 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.221.77 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.222.77 0000.0000.0000

arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.192.102 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.212.97 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.218.0 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.219.157 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.217.112 0000.0000.0000

arp-in: request at outside from 69.91.124.1 0014.f1ea.82d9  for 69.91.124.235 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.222.95 0000.0000.0000

arp-in: request at outside from 69.91.124.1 0014.f1ea.82d9  for 69.91.124.167 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.220.35 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.220.26 0000.0000.0000

arp-in: request at outside from 24.92.104.1 0014.f1ea.82d9  for 24.92.106.219 0000.0000.0000

arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.193.91 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.221.118 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.216.66 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.216.235 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.212.12 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.216.45 0000.0000.0000

arp-in: request at outside from 69.91.124.1 0014.f1ea.82d9  for 69.91.124.175 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.217.112 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.213.102 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.212.97 0000.0000.0000

arp-in: request at outside from 24.92.104.1 0014.f1ea.82d9  for 24.92.105.119 0000.0000.0000

arp-in: request at outside from 24.92.104.1 0014.f1ea.82d9  for 24.92.106.219 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.218.77 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.220.55 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.222.159 0000.0000.0000

arp-in: request at outside from 71.40.38.1 0014.f1ea.82d9 for  71.40.38.78 0000.0000.0000

arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.216.133 0000.0000.0000

arp-in: request at outside from 69.91.124.1 0014.f1ea.82d9  for 69.91.124.180 0000.0000.0000

arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.193.91 0000.0000.0000

4 REPLIES
Cisco Employee

Seeing large quantities of arp requests on outside interface of

Hi Mitch,

The ASA outside interface seems to be connected to a cable modem. The cable interface is shared by multiple end users (not necessarily on the same subnet) and this is probably the reason why you are seeing all of these ARP messages. The MAC address 0014.f1ea.82d9 is probably owned by the cable modem termination system (CMTS), which is the aggregation router in a cable system operator network. This would also be the same MAC address assigned to your default gateway.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: Seeing large quantities of arp requests on outside interface

Harold,

Yes it is from a cable internet provider, but show arp has a different MAC address for the default gateway (7cbf.b1fe.abba)

...oh and the one doing the arp requests is a Cisco device according to the MAC OUI.

And why is it I am only seeing this at this site? (I have 65+ sites on various cable internet providers and while I just did spot checking I haven't found this anywhere else)

Thanks for the help...

Cisco Employee

Re: Seeing large quantities of arp requests on outside interface

Hi Mitch,

The reason you would not see that at other sites could be that the cable modem is configured as an L3 device at those sites, hence the ASA not showing all ARP activities from the cable interface. If it is configured in bridge mode at this specific site, it would explain why the ASA is seeing all of the cable interface activity.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
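An added example, not part of the original thread: a Python sketch that groups the `debug arp` lines from the first post by sender MAC, compares that MAC with the default-gateway MAC reported from `show arp`, and derives for each sender IP the smallest prefix covering it and the addresses it asks for. The function names are hypothetical; the sample lines are copied from the debug output in the first post.

```python
import ipaddress
import re
from collections import defaultdict

# ASA "debug arp" request lines in the format quoted in the thread.
ARP_RE = re.compile(
    r"arp-in: request at \S+ from (\S+) ([0-9a-f.]{14})\s+for\s+(\S+) [0-9a-f.]{14}"
)

# Sample input: lines copied from the debug output in the first post.
SAMPLE = """\
arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.222.117 0000.0000.0000
arp-in: request at outside from 67.10.208.1 0014.f1ea.82d9  for 67.10.209.231 0000.0000.0000
arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.194.77 0000.0000.0000
arp-in: request at outside from 24.175.192.1 0014.f1ea.82d9  for 24.175.195.129 0000.0000.0000
arp-in: request at outside from 24.92.104.1 0014.f1ea.82d9  for 24.92.111.49 0000.0000.0000
arp-in: request at outside from 69.91.124.1 0014.f1ea.82d9  for 69.91.124.100 0000.0000.0000
arp-in: request at outside from 69.91.124.1 0014.f1ea.82d9  for 69.91.124.235 0000.0000.0000
"""

GATEWAY_MAC = "7cbf.b1fe.abba"  # default-gateway MAC reported from `show arp`


def covering_prefix(addrs):
    """Smallest IPv4 network that contains every address in addrs."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    plen = 32 - (min(ints) ^ max(ints)).bit_length()
    return ipaddress.ip_network((min(ints), plen), strict=False)


def summarise(log_text, gateway_mac):
    """Group ARP requests by sender MAC, then by sender IP."""
    seen = defaultdict(lambda: defaultdict(set))
    for src_ip, src_mac, dst_ip in ARP_RE.findall(log_text):
        seen[src_mac][src_ip].add(dst_ip)
    return {
        mac: {
            "is_gateway": mac == gateway_mac,
            # Lower bound only: the real subnet is at least this large.
            "segments": {ip: str(covering_prefix({ip, *dsts}))
                         for ip, dsts in by_ip.items()},
        }
        for mac, by_ip in seen.items()
    }


if __name__ == "__main__":
    for mac, info in summarise(SAMPLE, GATEWAY_MAC).items():
        print(mac, "gateway" if info["is_gateway"] else "not the gateway")
        for ip, net in info["segments"].items():
            print(f"  {ip} -> {net}")
```

A single sender MAC sourcing requests from several gateway-style addresses, each covering a different prefix, is the pattern the replies attribute to a bridged cable segment shared by multiple subnets.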
Hall of Fame Super Gold

Seeing large quantities of arp requests on outside interface of

Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.
