
Ip arp gratuitous request problems.

nmelepat1
Level 1

Hello 

We are in the process of migrating our datacenter switches to the Nexus family. After swapping the old network devices with the new Nexus switch, the ASA FW shows the message below in its log:

 

%ASA-4-405001: Received ARP request collision from IPADDR/MACADDR on interface <Interface Name> with existing ARP entry IPADDR/MACADDR 

I'm just wondering why the Nexus switch is not able to send an "ip arp gratuitous request" to update the ASA ARP table, as it is enabled by default on all switch interfaces (including SVIs).

Will "ip arp gratuitous update" help?

 

Thanks in advance for response, 

Nishant 


3 Replies

Rishabh Seth
Level 7

Hi Nishant,

 

The syslog message that you are seeing is generated by the ASA whenever it sees an ARP packet with a MAC address that differs from the one present in its ARP cache for that IP.

This syslog message helps in figuring out if there is any ARP spoofing attack happening in the network.

In your case this may be generated due to legitimate traffic as you have changed the hardware in the network. 

It is possible that the ASA still has a stale ARP cache entry pointing to the old hardware address. You can confirm this by checking the "show arp" output and verifying whether there is any stale entry.

To clear the ARP cache you can use: clear arp <interface> <ip>

 

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

 

Hi Rishab, 

Thanks for your response. 

Yes, we had the stale entry. And our FW admin said that because of this, the new Cisco device was not able to send any traffic, and it was suggested to clear the ARP cache.

Do we have to do this activity whenever there is a change in the hardware? Why can't the "ip arp gratuitous request" automatically update the ARP table on the FW with the new device MAC? Is it the nature of the ASA by default?

Regards 

Nishant 

 

Hi Nishant,

 

The behaviour that you see on the ASA is the way it counters ARP poisoning attacks, where an attacker can spoof an ARP packet with wrong IP/MAC information.

 

So if you change the hardware in your network, the stale entries will time out and then the new entries will populate the ARP cache of the firewall. I would suggest that you clear the ARP cache only for the IP address which has new hardware.

 


Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!
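The two replies above describe the %ASA-4-405001 message as a spoofing indicator that also fires on a legitimate hardware swap, and recommend clearing the ARP entry only for the IP whose hardware changed. The following script is an added example (not from the thread or from Cisco) that parses a batch of such syslog lines, groups them by interface and IP, and separates collisions that match a planned replacement from those where several MACs claim the same IP and deserve investigation. The log lines and the `PLANNED_REPLACEMENTS` table are constructed sample data; the `clear arp <interface> <ip>` form it emits is the one quoted in R.Seth's reply.

```python
import re
from collections import defaultdict

# Regex for the message format quoted in the thread:
# %ASA-4-405001: Received ARP request collision from IP/MAC on interface X
#                with existing ARP entry IP/MAC
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_COLLISION_RE = re.compile(
    r"%ASA-4-405001: Received ARP request collision from "
    rf"(?P<ip>{_IP})/(?P<new_mac>{_MAC}) on interface (?P<iface>\S+) "
    rf"with existing ARP entry (?P<entry_ip>{_IP})/(?P<old_mac>{_MAC})",
    re.IGNORECASE,
)

# Constructed sample syslog lines (addresses are not from any real network).
SAMPLE_LOG = """\
%ASA-4-405001: Received ARP request collision from 10.10.1.2/0011.2233.4455 on interface inside with existing ARP entry 10.10.1.2/aabb.ccdd.0001
%ASA-4-405001: Received ARP request collision from 10.10.1.2/0011.2233.4455 on interface inside with existing ARP entry 10.10.1.2/aabb.ccdd.0001
%ASA-4-405001: Received ARP request collision from 10.10.1.9/0011.2233.9999 on interface inside with existing ARP entry 10.10.1.9/aabb.ccdd.0009
%ASA-4-405001: Received ARP request collision from 10.10.1.9/0011.2233.8888 on interface inside with existing ARP entry 10.10.1.9/aabb.ccdd.0009
%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.10.1.2/443 (10.10.1.2/443)
"""

# Hypothetical change record: (interface, IP) of each device replaced in the
# migration, mapped to the MAC the new hardware is expected to use.
PLANNED_REPLACEMENTS = {
    ("inside", "10.10.1.2"): "0011.2233.4455",
}


def parse_arp_collision(line):
    """Return the fields of a 405001 message, or None for any other line."""
    m = ARP_COLLISION_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["new_mac"] = fields["new_mac"].lower()
    fields["old_mac"] = fields["old_mac"].lower()
    return fields


def summarize(log_text):
    """Map (interface, ip) -> {claiming MAC: number of collisions seen}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        event = parse_arp_collision(line)
        if event:
            seen[(event["iface"], event["ip"])][event["new_mac"]] += 1
    return {key: dict(macs) for key, macs in seen.items()}


def classify(summary, planned):
    """Label each colliding (interface, ip) for the operator."""
    verdicts = {}
    for key, macs in summary.items():
        expected = planned.get(key)
        if len(macs) == 1 and expected in macs:
            # Exactly one new MAC, and it is the one the change record expects:
            # the firewall is holding a stale entry for replaced hardware.
            verdicts[key] = "expected-migration"
        elif len(macs) > 1:
            # More than one MAC claiming the same IP within the batch is the
            # pattern the ASA's check exists to surface; investigate it.
            verdicts[key] = "multiple-claimants"
        else:
            verdicts[key] = "unplanned-change"
    return verdicts


def clear_arp_commands(verdicts):
    """Clear commands for expected migrations only, one per affected IP."""
    return [
        f"clear arp {iface} {ip}"
        for (iface, ip), verdict in sorted(verdicts.items())
        if verdict == "expected-migration"
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    verdicts = classify(summary, PLANNED_REPLACEMENTS)
    for key, verdict in sorted(verdicts.items()):
        print(key, summary[key], "->", verdict)
    for cmd in clear_arp_commands(verdicts):
        print(cmd)
```

Feeding the script a day's worth of 405001 messages answers the question raised in the thread directly: an IP in the change record with a single matching new MAC only needs its one ARP entry cleared, whereas an IP that several MACs are contending for should be looked at before anything is cleared.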
