Avatar of kaare_t


Strange outside ARP entry in ASA5505

Hi all,

I have the strangest problem. I have a static IP to my ISP and hence configured a static outside route to my ISP, which works without issues. However, after a while the internet is unavailable (the time is random). My outside interface on the ASA appears to be working but I simply cannot access the internet.

After some research I've discovered that when the problem occurs, the ASA has recently received a very strange ARP entry on the outside which points to "some location", I don't know what....

The really strange thing is that my old firewall (before the ASA) does not receive this ARP entry so I'm pretty sure it has something to do with the ASA.

Both the old firewall and the ASA have "automatic ARP" on the outside interface, but I don't understand where this ARP entry comes from; every time it gets added to the ARP cache the internet stops working.

Thanks in advance.
Avatar of John Meggers

Does the ARP entry actually say "some location"?  As you know, ARP should be just an interface, IP address and MAC address.  Can you post what you actually see in the "show arp" output when this happens?
Unless the ARP entry is overwriting the ARP entry for the gateway IP (the ARP for the gateway is changing), I fail to see how an extra ARP entry in the table would kill the internet connectivity.

When you have this 'issue' and an outbound connection is made, does the ASA's log show anything of interest?  

Avatar of kaare_t

ASKER

No, the ARP is simply the IP address and the MAC address (not "some location"), but I don't know where it comes from and neither does my ISP (according to them)....

I'm not at work right now but I'll post up the printout tomorrow.

I know that the "extra" outside ARP shouldn't do anything, however it does in my case. And since we have static routes to the ISP I simply cannot see what or where this entry comes from.....

I'll try to get some logs too, but I'll have to test that at the weekend: since we have phone and e-mail via the internet, I cannot use the ASA until I know it works stably.

Thanks for the posts. However, for testing purposes I would like to disable automatic ARP learning, and simply set my static ARPs manually. Is this even possible when the ASA operates in routing mode?
Avatar of kaare_t

ASKER

So I'm back at work (I decided to try and sort this out as soon as possible). Below is the printout of the ARP cache table (note that I've removed all the inside ARPs):
outside 212.62.252.xxx       00a0.ba05.22b7 1510
outside 80.64.205.yyy       0005.5faf.f419 7496

The "upper" entry is correct, and is the interface of the ISP gateway. The "lower" entry is the strange one, I surely don't know where it comes from.

When this problem occurs, I also receive a "TTL Expired in transit" when I try to ping my outside interface from a public IP (connecting my phone to the internet, and trying to ping my ASA from the outside). The ping works as normal before the strange ARP comes into the picture.

Further on, I've talked to my ISP again and they claim that I am doing something wrong with my setup. According to them I'm running some kind of discovery protocol which receives the strange ARP entry (I don't follow my ISP on this one). In addition they say that I cannot run any kind of VLAN configuration on my outside interface, but I don't know how to disable VLAN on the ASA... Is it even possible?

I haven't got any log files yet, since I don't have the ASA up and running at this point, but do you need any special logs? Please advise, and thanks again!
Avatar of Ernie Beek
When looking at the vendor IDs I see the upper one is from Patton Electronics Co (?) and the second is from Cisco. Don't know if that rings any bells.....
Avatar of rochey2009

Hi,

Both networks belong to DG-NETWORK.

route:        212.62.224.0/19
descr:        DG-NETWORK
origin:       AS13069

route:        80.64.192.0/20
descr:        DG-NETWORK
origin:       AS13069

Have you asked your service provider about the identity of 80.64.205.yyy?
The outside interface typically would not be vlan'd.    If you post a sanitized config we can double check.    Also, what version of code are you running on the ASA....  we can check for open issues....
Avatar of kaare_t

ASKER

Hi all, thanks for helping me solving this problem!!

First of all; I have tried communicating with my service provider, but they claim it's me doing something wrong. They accept that the 80.64.205.yyy comes from one of their boxes, but they do not understand why I get this entry in my ARP cache. I find it kind of strange that they don't have any more information about this issue, and simply say it's all my fault.... The only thing I find strange (and may agree with my service provider on) is that the old firewall (not an ASA) does not get this strange ARP entry. This would indicate that I'm doing something wrong with my ASA....

Please see my config below, note that this printout is from my office desk, and hence not currently connected to the internet (since I cannot connect this unstable solution as long as there's people on work). If I need to post the config when the firewall is connected I will have to do that in the weekend.

I run the newest ASA version.


ASA Version 8.4(2)
!
hostname ASA5505-2
domain-name hallingplast.local
enable
passwd
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 12
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address xxx
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx
!
interface Vlan12
 no forward interface Vlan1
 nameif inside-guest
 security-level 10
 ip address xxx
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name hallingplast.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-factory-network
 subnet xxx
object network inside-vpn-network
 subnet xxx
access-list NONAT extended permit ip xxx object inside-vpn-network
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside-guest 1500
ip local pool inside-vpn-pool xxx mask xxx
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static inside-vpn-network inside-vpn-network no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HpTacacs+ protocol tacacs+
aaa-server HpTacacs+ (inside) host xxx
 key *****
aaa-server HpTacacs+ (inside) host xxx
 key *****
no user-identity enable
user-identity default-domain LOCAL
aaa authentication enable console HpTacacs+ LOCAL
aaa authentication http console HpTacacs+ LOCAL
aaa authentication serial console HpTacacs+ LOCAL
aaa authentication ssh console HpTacacs+ LOCAL
aaa authentication telnet console HpTacacs+ LOCAL
aaa accounting enable console HpTacacs+
aaa accounting serial console HpTacacs+
aaa accounting ssh console HpTacacs+
aaa accounting telnet console HpTacacs+
aaa accounting command privilege 2 HpTacacs+
aaa authorization exec authentication-server
http server enable
http xxx 255.255.255.0 inside
http xxx 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ASA5505-1
 proxy-ldc-issuer
 crl configure
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh timeout 5
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx source inside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-dart-win-2.5.3054-k9.pkg 1 regex "Windows NT"
 anyconnect enable
 tunnel-group-list enable
 keepout "No service"
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy_HpAnyConnectVpn internal
group-policy GroupPolicy_HpAnyConnectVpn attributes
 wins-server value xxx
 dns-server value xxx
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NONAT
 default-domain value hallingplast.local
username xxx password xxx encrypted privilege 15
tunnel-group HpAnyConnectVpn type remote-access
tunnel-group HpAnyConnectVpn general-attributes
 address-pool inside-vpn-pool
 authentication-server-group HpTacacs+
 default-group-policy GroupPolicy_HpAnyConnectVpn
tunnel-group HpAnyConnectVpn webvpn-attributes
 group-alias HpAnyConnectVpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6fc9f8b0e596e6814e82d8a0135d251b


Are there any routing table changes?
Just a hunch, but are you running proxy arp at all?    You can disable it explicitly to see if you have improvement.

You can disable it with  "sysopt noproxyarp outside"

View it with:
    ciscoasa#show running-config sysopt
    no sysopt connection timewait
    sysopt connection tcpmss 1380
    sysopt connection tcpmss minimum 0
    no sysopt nodnsalias inbound
    no sysopt nodnsalias outbound
    no sysopt radius ignore-secret
    sysopt noproxyarp outside
    sysopt connection permit-vpn

Avatar of kaare_t

ASKER

Hi all,

Sorry for my late response! I was called to work outside my office and without internet connection yesterday.

Yes, I've tried both options (both with and without) proxy ARP.

I discovered another strange issue when monitoring my old firewall (which works today). I don't know how to explain this but I'll give it a shot:
I discovered that my static outside gateway, during one work day, changed its MAC address three times. First from A, to B, and then back to A again during the day. And note that the IP address was unchanged!!!!!!!! Then I started investigating this issue and actually found that these two MAC addresses correspond with the two MAC addresses explained above but with different IPs.

Basically with old firewall: MAC A = IP A, MAC B = IP A
New firewall: MAC A = IP A, MAC B = IP B

At this point I'm starting to get pretty confident that my service provider is causing the problems so I called them with my "angry-voice" and tried to explain the above statements. They said that they would investigate this issue and get back to me today. I will return with more information as soon as I have it.

Thanks all for the effort helping me solve this issue!
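A defender-side check for the two symptoms described in these posts (an unknown entry on the outside interface, and the gateway IP flipping between two MACs), as an added example that is not from the thread or from Cisco: the IPs are constructed documentation addresses standing in for the sanitized ones above, the MACs are the ones posted in the `show arp` printout, and the OUI-to-vendor mapping is assumed from erniebeek's lookup.

```python
import re

# Matches one row of ASA "show arp" output: <interface> <ip> <mac> <age>
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)\s*$", re.I)

# OUI prefixes as identified in the thread (assumed mapping, not an authoritative OUI table)
OUI_VENDOR = {"00a0ba": "Patton Electronics", "00055f": "Cisco"}

# Constructed sample: three "show arp" snapshots taken over one day. 203.0.113.1 stands
# in for the sanitized gateway IP, 203.0.113.77 for the strange second address.
SNAPSHOTS = [
    "inside 192.0.2.10 0011.2233.4455 120\noutside 203.0.113.1 00a0.ba05.22b7 1510\n",
    "outside 203.0.113.1 00a0.ba05.22b7 900\noutside 203.0.113.77 0005.5faf.f419 7496\n",
    "outside 203.0.113.1 0005.5faf.f419 30\n",
]

def parse_show_arp(text):
    """Return (iface, ip, mac, age) tuples; lines that are not ARP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac, age = m.groups()
            rows.append((iface, ip, mac.lower(), int(age)))
    return rows

def vendor_of(mac):
    """Vendor hint from the first 24 bits of a dotted Cisco-style MAC."""
    return OUI_VENDOR.get(mac.replace(".", "")[:6], "unknown")

def audit_outside_arp(snapshots, gateway_ip, iface="outside"):
    """Walk time-ordered snapshots and flag the two symptoms from the thread:
    an outside entry other than the gateway, and the gateway IP changing its MAC."""
    findings, last_gw_mac = [], None
    for idx, snap in enumerate(snapshots):
        gw_mac = None
        for ifc, ip, mac, _age in parse_show_arp(snap):
            if ifc != iface:
                continue
            if ip == gateway_ip:
                gw_mac = mac
            else:
                findings.append((idx, "unexpected-outside-entry", ip, mac))
        if gw_mac and last_gw_mac and gw_mac != last_gw_mac:
            findings.append((idx, "gateway-mac-changed", last_gw_mac, gw_mac))
        last_gw_mac = gw_mac or last_gw_mac
    return findings

if __name__ == "__main__":
    for finding in audit_outside_arp(SNAPSHOTS, "203.0.113.1"):
        print(finding, "vendor:", vendor_of(finding[3]))
```

Fed with periodic `show arp` captures, the second finding is exactly the A-to-B-to-A gateway flip seen on the old firewall, which a single snapshot cannot reveal.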
That is weird, no doubt.    Is this an on-premise gateway?  I assume that the gateway is managed by the ISP correct?  
Avatar of kaare_t

ASKER

So, a small update: Together with my service provider we have pinpointed the problem to the Patton box, which is a phone-to-internet phone converter. Basically we run a phone server on the inside which connects to the Patton box. The problem has something to do with the Patton box so I will call our phone service provider Monday morning.

Thanks again for all the efforts. I will return with more info asap.
ASKER CERTIFIED SOLUTION
Avatar of kaare_t
Never mind. The issue has been resolved and you've learned from it. That's why we're all here, aren't we :)
Nice...    (Where's my rolling eyes emoticon?)  


Glad it's working.
@MikeKane: LOL, let's put in a request for that :)
Avatar of kaare_t

ASKER

@erniebeek & MikeKane: Thanks guys :-)
You're welcome. The pleasure was all mine (ours :)
Avatar of kaare_t

ASKER

Figured out the problem: Phone company cabling