
ASA 5510

Posted on 2010-09-17
Last Modified: 2012-05-10
Receiving a lot of collision errors on the ASA 5510. Was wondering if anyone had a clue as to how to clear them up or what could be causing them. Because of it the router is dropping packets, because we are losing connections for 3-10 seconds at a time.
Below is the error:

%ASA-4-405001: Received ARP response collision from 10.2.1.1/b8ac.6f7e.bdef on interface inside
%ASA-4-405001: Received ARP response collision from 10.2.1.1/b8ac.6f7d.f7d4 on interface inside
%ASA-4-405001: Received ARP response collision from 10.2.1.1/b8ac.6f7e.bdef on interface inside
%ASA-4-405001: Received ARP response collision from 10.2.1.1/b8ac.6f7d.f7d4 on interface inside
<--- More --->
0
Comment
Question by:bmic
15 Comments
 
LVL 2

Expert Comment

by:joseleonardo
ID: 33706796
Cisco says:


405001
Error Message %PIX|ASA-4-405001: Received ARP {request | response} collision from IP_address/MAC_address on interface interface_name

Explanation The security appliance received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.



Please refer to the Cisco system log messages:

http://www.cisco.com/univercd/cc/td/doc/pr...s.htm#wp1282234
0
 
LVL 3

Expert Comment

by:saL1Las
ID: 33706802
Do a show interfaces and look at the status of the link.

This looks like a duplex mismatch between the interface you named "inside" and the other device to which you connected - a switch maybe?

Typically happens due to bad cabling or misconfigured ports (e.g. not autoneg)
0
 

Author Comment

by:bmic
ID: 33706815
Thanks, I will check into these options and get back to you....
0

 
LVL 3

Expert Comment

by:gorhon
ID: 33707416
Please check if you use another fw on the same network, and the same NAT on the Cisco and the other fw.
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33709203
Is 10.2.1.1 the IP of a PC, router, switch or inside IP of the ASA?  Looking at the MACs, it looks like 2 Dell machines are assigned with 10.2.1.1.

10.2.1.1/b8ac.6f7e.bdef
10.2.1.1/b8ac.6f7d.f7d4

http://www.coffer.com/mac_find/?string=b8ac.6f7e.bdef
0
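An added example (not part of the original thread and not Cisco tooling): a small Python parser that groups 405001 messages by interface and IP and reports which MACs are competing for the address, the check kuoh does by eye above. The function names are hypothetical; the sample input is the first three messages from the question, wrapped as the terminal posted them.

```python
import re
from collections import defaultdict

# Message format as quoted from Cisco earlier in the thread.
PATTERN = re.compile(
    r"%(?:PIX|ASA)-4-405001: Received ARP (request|response) collision from "
    r"(\d{1,3}(?:\.\d{1,3}){3})/([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (\S+)", re.IGNORECASE)

def unwrap(raw):
    """Rejoin messages the terminal wrapped mid-word ("on i" / "nterface")."""
    messages = []
    for line in raw.splitlines():
        if line.startswith("%") or not messages:
            messages.append(line)
        elif not line.startswith("<---"):   # skip the pager prompt
            messages[-1] += line
    return messages

def summarize(raw):
    """Per (interface, IP): hit count per MAC and number of MAC alternations."""
    seen = defaultdict(lambda: {"macs": {}, "flaps": 0, "last": None})
    for msg in unwrap(raw):
        m = PATTERN.search(msg)
        if not m:
            continue
        _kind, ip, mac, iface = m.groups()
        mac = mac.lower()
        entry = seen[(iface, ip)]
        entry["macs"][mac] = entry["macs"].get(mac, 0) + 1
        if entry["last"] not in (None, mac):
            entry["flaps"] += 1             # a different MAC than last time
        entry["last"] = mac
    return seen

def contested(raw):
    """IPs claimed by two or more MACs: the addresses to trace on the switch."""
    return {k: v for k, v in summarize(raw).items() if len(v["macs"]) > 1}

# Sample input: the first three messages from the question, wrapped as posted.
SAMPLE = """\
%ASA-4-405001: Received ARP response collision from 10.2.1.1/b8ac.6f7e.bdef on i
nterface inside
%ASA-4-405001: Received ARP response collision from 10.2.1.1/b8ac.6f7d.f7d4 on i
nterface inside
%ASA-4-405001: Received ARP response collision from 10.2.1.1/b8ac.6f7e.bdef on i
nterface inside
<--- More --->
"""
```

The MACs it reports are where to start tracing on the switch; as this thread's resolution shows, they may belong to correctly configured hosts.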
 

Author Comment

by:bmic
ID: 33709663
10.2.1.1 is the inside IP address of the ASA.
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33709717
That would explain the loss of connectivity.  Unless you're being attacked internally, look for at least 2 misconfigured Dell PCs or network devices with the MAC addresses indicated in the log.
0
 

Author Comment

by:bmic
ID: 33712721
The two MAC addresses belong to the voice mail server and the ixport server that work with the phone system, and they are configured to be on the same network.
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33712781
But did you check the IP addresses that they're configured with?  If you don't have admin rights on them, then can you temporarily disconnect them?  Alternatively, you can try changing the ASA's inside IP, but that may involve more work depending on what's providing DHCP and how many devices you have on the network that have statically assigned IPs.  Something(s) are fighting with your ASA for 10.2.1.1 and when the ASA loses, your users lose internet connectivity.
0
 

Author Comment

by:bmic
ID: 33712894
Yes, I understand, and I have remoted to each of the machines and checked the IP address config, disabled the additional NIC cards and turned off IPv6, and still the same error pops up in the router log. I did an arp -a on the servers, and according to the output from the arp -a request, 10.2.10.6 and 7 are associated with the two MAC addresses. And those are the two servers that I checked for correct settings.
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33713026
Then your next step might be to physically disconnect the 2 servers temporarily and see if the ARP collisions continue to occur.  If so, then you've got something else on the network spoofing those MAC addresses.
0
 

Author Comment

by:bmic
ID: 33713057
OK, but I can't do that until tomorrow; out of town for the weekend. So I will give that a try tomorrow and get back to you, thanks......
0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 33713981
It means that the ASA sees that the same MAC address responds to multiple ARP replies. This is normal when you have a host that has multiple IP addresses on the same ethernet card.

0
 

Author Comment

by:bmic
ID: 33714140
The MAC addresses are different: one is 7d and the other is 7e. There is only one NIC per server enabled and the other NICs are disabled. Also, IPv6 is disabled on the in-use NIC.
0
 

Accepted Solution

by:
bmic earned 0 total points
ID: 33771637
Thanks for all the help, but I got the problem resolved. The problem was a couple of end users had their phones plugged into the wall twice, thus creating a loop. We went through every room, and after we corrected that the packet loss was resolved. Again, thanks for all your help.
0
