
Wednesday 27 February 2013

IP address conflict with a Cisco ASA and ARP

We had an interesting issue today. A client has a Cisco ASA 5510 and a Cisco 3560 switch. A Windows Server would not show the correct IP address in ipconfig; it always came up with a 169.254.x.x (APIPA) address, and if we disabled and re-enabled the NIC, Windows displayed the IP address conflict dialog.

We knew no other host had this IP address, because addresses in the server VLAN are statically assigned, so we ran show arp on the 3560 and found the MAC address that was answering for the conflicting IP.

That same MAC address was listed against several other IP addresses in the server subnet, so we set out to find which device owned it.

Using show mac address-table on the 3560 we saw that the MAC was learned on port Gi0/21, which connects to the Cisco ASA. What had happened was that the remote end of an IPsec tunnel on the ASA used the same subnet as our servers, and the ASA was NATing to work around the overlap. The ASA answers ARP (proxy ARP) for the mapped addresses in its NAT rules so that traffic destined for them is delivered to it for translation and forwarding across the tunnel; as a result it was claiming addresses in our server subnet, including the one the Windows server was trying to use.
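As an added example (not part of the original post), the following Python script does the correlation we did by hand above: it parses output modelled on show arp and show mac address-table, reports any MAC address that is answering ARP for several IP addresses, and maps each such MAC to the switchport it was learned on. The sample output, addresses and port numbers embedded in the script are constructed for illustration, not captured from the client's equipment.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample output modelled on a Cisco IOS 'show arp' listing.
# One MAC (001c.58de.ad01) answers for three IPs, the pattern we saw on the 3560.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0011.2233.4455  ARPA   Vlan10
Internet  10.10.10.20             3   0019.56aa.bbcc  ARPA   Vlan10
Internet  10.10.10.50             0   001c.58de.ad01  ARPA   Vlan10
Internet  10.10.10.51             1   001c.58de.ad01  ARPA   Vlan10
Internet  10.10.10.52             0   001c.58de.ad01  ARPA   Vlan10
"""

# Constructed sample output modelled on 'show mac address-table'.
SHOW_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0019.56aa.bbcc    DYNAMIC     Gi0/5
  10    001c.58de.ad01    DYNAMIC     Gi0/21
  10    0011.2233.4455    STATIC      CPU
Total Mac Addresses for this criterion: 3
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
# 'Internet <ip> <age or -> <mac> <type> <interface>'
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.I)
# '<vlan> <mac> <type> <port>'; header and separator lines do not start with digits
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\S+)\s+(\S+)", re.I)


def parse_show_arp(text):
    """Return {mac: [ip, ...]} from 'show arp' output (MACs lower-cased)."""
    ips_by_mac = defaultdict(list)
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, _age, mac, _iface = m.groups()
            ips_by_mac[mac.lower()].append(ip)
    return dict(ips_by_mac)


def parse_show_mac(text):
    """Return {mac: port} from 'show mac address-table' output."""
    ports = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            _vlan, mac, _type, port = m.groups()
            ports[mac.lower()] = port
    return ports


def find_arp_claimants(arp_text, mac_text, min_ips=2):
    """List MACs that answer ARP for at least min_ips addresses.

    Returns [(mac, port, [ip, ...]), ...] sorted by MAC, with IPs in
    numeric order and 'unknown' where the MAC has no switchport entry.
    """
    ips_by_mac = parse_show_arp(arp_text)
    ports = parse_show_mac(mac_text)
    claimants = []
    for mac, ips in ips_by_mac.items():
        if len(ips) >= min_ips:
            ordered = sorted(ips, key=ipaddress.ip_address)
            claimants.append((mac, ports.get(mac, "unknown"), ordered))
    return sorted(claimants)


if __name__ == "__main__":
    for mac, port, ips in find_arp_claimants(SHOW_ARP, SHOW_MAC):
        print(f"{mac} on {port} answers ARP for {len(ips)} addresses: {', '.join(ips)}")
```

Paste real show arp and show mac address-table output into the two strings (or read them from files) and the script points straight at the port to chase; a MAC that resolves to the ASA's port with several server-subnet IPs against it is the proxy ARP symptom described above.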

You can fix this by disabling proxy ARP on the ASA interface facing the servers with sysopt noproxyarp <interface_name> (for example, sysopt noproxyarp inside). Be aware that this turns off proxy ARP for every NAT mapped address on that interface, so any translation that relied on the ASA answering ARP for mapped addresses on that segment will need a route for those addresses pointed at the ASA instead; on ASA 8.3 and later you can alternatively add the no-proxy-arp keyword to the individual nat rule so that only that rule is affected.

Cisco's documentation on the sysopt noproxyarp command covers this in more detail.
