Cisco ASA 5510 Adaptive Security Appliance Troubleshooting Guide

• Because ARP table space is a memory-bound resource, an excessive number of entries can negatively
impact the router's performance and stability.
Therefore, the best practice is to configure all static routes with an explicit IP next-hop address, and not to use
routes that name only an outgoing interface. If the interface is needed in order to tie the route to a
particular egress interface (for example, for failover), enter both the egress interface name and the next-hop
address in the static route.
Given the administrative implications for some Cisco customers, an Enhancement Request has been opened in
order to make the new secure behavior configurable: Cisco bug ID CSCty95468 (registered customers only)
(ENH: Add Command to Allow ARP Cache Entries from Non−Connected Subnets).
Mismatched IP subnet masks on adjacent devices
Mismatched IP subnet masks configured on the ASA's interface and on the adjacent device's interface cause
a similar situation. If the adjacent device has a subnet mask that is a supernet (for example 255.255.240.0) of the
ASA's interface subnet mask (255.255.255.0), the adjacent device ARPs for IP addresses that are not in the
ASA's interface subnet, and the ASA does not learn those entries. Ensure that the subnet masks on both sides of the segment match.
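The following script is an added example and is not part of the Cisco document: it audits an adjacent device's configuration for the two conditions discussed above (static routes that name only an egress interface, and an interface mask that does not match the ASA's mask on the shared segment) and prints each interface-only route rewritten with both the egress interface and an explicit next hop. The IOS-style router configuration and ASA interface configuration it parses are constructed samples, and the hostnames, interface names and addresses in them are assumptions chosen for illustration.

```python
"""Audit an adjacent device's config for the two ARP problems discussed above.

Added example (not Cisco's code). It parses constructed IOS/ASA-style config
text and flags (1) static routes that name only an egress interface, which
make the router ARP for every destination, and (2) interface subnet masks
that differ from the ASA's mask on the shared segment.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: an IOS router adjacent to the ASA's outside interface.
# Its default route names only the egress interface, and its mask is a
# supernet of the ASA's /24 (the mismatch the text describes).
ROUTER_CONFIG = """\
hostname edge-rtr
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.240.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.20.0.0 255.255.0.0 GigabitEthernet0/1 192.168.1.1
ip route 10.30.0.0 255.255.0.0 192.168.1.1 name to-asa
"""

# Constructed sample: the ASA's interface on the same segment.
ASA_CONFIG = """\
hostname asa5510
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
Route = Tuple[str, str, str, str]  # (prefix, mask, egress_interface, next_hop)


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map interface name -> IPv4Interface for every 'interface' block."""
    result: Dict[str, ipaddress.IPv4Interface] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith(" ") and current:
            parts = line.split()
            if len(parts) == 4 and parts[:2] == ["ip", "address"]:
                result[current] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        else:
            current = None  # any other top-level command ends the block
    return result


def parse_static_routes(config: str) -> List[Route]:
    """Parse 'ip route PREFIX MASK [INTERFACE] [NEXT_HOP] ...' lines.

    The interface or the next hop is '' when the route omits it; trailing
    options such as a distance or 'name ...' are ignored.
    """
    routes: List[Route] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["ip", "route"]:
            continue
        prefix, mask, rest = parts[2], parts[3], parts[4:]
        iface = nexthop = ""
        if IPV4.match(rest[0]):
            nexthop = rest[0]
        else:
            iface = rest[0]
            if len(rest) > 1 and IPV4.match(rest[1]):
                nexthop = rest[1]
        routes.append((prefix, mask, iface, nexthop))
    return routes


def interface_only_routes(config: str) -> List[Route]:
    """Routes that name an egress interface but no next-hop IP address."""
    return [r for r in parse_static_routes(config) if r[2] and not r[3]]


def with_explicit_next_hop(route: Route, next_hop: str) -> str:
    """Rewrite a route in the recommended form: egress interface AND next hop."""
    prefix, mask, iface, _ = route
    return " ".join(t for t in ("ip route", prefix, mask, iface, next_hop) if t)


def mask_mismatches(asa_config: str, peer_config: str) -> List[Tuple[str, str, str, str]]:
    """(asa_iface, asa_mask, peer_iface, peer_mask) for shared segments whose masks differ."""
    findings = []
    for a_name, a_if in parse_interfaces(asa_config).items():
        for p_name, p_if in parse_interfaces(peer_config).items():
            same_segment = p_if.ip in a_if.network or a_if.ip in p_if.network
            if same_segment and a_if.netmask != p_if.netmask:
                findings.append((a_name, str(a_if.netmask), p_name, str(p_if.netmask)))
    return findings


def audit(asa_config: str, peer_config: str) -> List[str]:
    """Findings as text; each interface-only route is shown in corrected form."""
    asa_ifs = parse_interfaces(asa_config)
    peer_ifs = parse_interfaces(peer_config)
    report = []
    for route in interface_only_routes(peer_config):
        peer_if = peer_ifs.get(route[2])
        # The next hop is the ASA address that lives on the peer's egress segment.
        hops = [str(a.ip) for a in asa_ifs.values() if peer_if and peer_if.ip in a.network]
        fix = with_explicit_next_hop(route, hops[0]) if hops else "(no ASA address on that segment)"
        shown = " ".join(route[:3])
        report.append(f"interface-only route '{shown}' -> {fix}")
    for a_name, a_mask, p_name, p_mask in mask_mismatches(asa_config, peer_config):
        report.append(f"mask mismatch: ASA {a_name} {a_mask} vs peer {p_name} {p_mask}")
    return report


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG, ROUTER_CONFIG):
        print(finding)
```

Run against the constructed samples, the audit reports the interface-only default route together with its corrected form (`ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.1.1`, which keeps the egress interface for failover and adds the ASA as next hop) and the 255.255.240.0 versus 255.255.255.0 mask mismatch on the shared segment. The route with only a next-hop address and the route with both interface and next hop are not flagged.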
Transparent Mode Implications
Another side effect of this change is the inability to learn MAC addresses from non-directly-connected
subnets in Transparent mode. This affects communication in these scenarios:
• The transparent ASA does not have a management IP address configured, or the configuration is
incorrect.
• The transparent ASA is using secondary subnets on the same segment.
There is no workaround for this issue in Transparent mode other than a downgrade. However, this
Enhancement Request has been opened in order to make the ASA interoperate with secondary subnets in
Transparent mode: Cisco bug ID CSCty49855 (registered customers only) (ENH: Support Non Directly
Connected Hosts in MAC Discovery Mechanism).
Resolution
The solution to this problem (when the IP address in question is not in the same layer-3 subnet as
the ASA's interface IP) is to make the changes necessary to ensure that devices adjacent to the ASA route
traffic directly to the ASA's interface IP address as the next-hop device, instead of relying on a device to
proxy-ARP on behalf of the IP address.
Related Information
• Technical Support & Documentation - Cisco Systems
© 2014 - 2015 Cisco Systems, Inc. All rights reserved.
Updated: Jul 02, 2012
Document ID: 113577