Cisco Bug: CSCuy28710 - ARP source IP sanity check against proxy-arp list
Apr 16, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
9.1(7) 9.2(1) 9.2(4.3) 9.3(1) 9.4(1) 9.4(2.104) 9.4(2.5) 9.6(1) 9.7(1) 9.8(1) 9.9(1)
Symptom: ASA rejects an ARP packet if the sender IP overlaps with a subnet/host for which ASA is configured to do proxy-arp.

Conditions: By default, ASA does proxy-arp for all hosts which are part of a translated network in a static NAT rule. This defect may cause resolution failures if a directly connected subnet of ASA overlaps with a network for which ASA is configured to proxy ARP. To identify this, the output of "show nat proxy-arp" can be leveraged.

Example:

ciscoasa(config)# sh nat proxy-arp
Nat Proxy-arp Table
id=0x6f0dfff8, ip/id=192.168.0.0, mask=255.255.0.0 ifc=outside config:(inside) to (outside) source static local local destination static remote remote
...

If the directly connected subnet on the outside interface overlaps with the network in an entry with ifc=outside, ARP resolution failures will occur.
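The overlap check described above can be scripted against pasted "show nat proxy-arp" output. This is an added example, not a Cisco tool: it parses the ip/id, mask and ifc fields of each entry and flags any entry whose range overlaps the directly connected subnet on the same interface. The second table entry and the connected-subnet map are constructed sample data.

```python
import re
import ipaddress

# Constructed sample of "show nat proxy-arp" output; the first entry is the one
# quoted in the bug, the second is invented to show a non-overlapping case.
SAMPLE_OUTPUT = """\
Nat Proxy-arp Table
id=0x6f0dfff8, ip/id=192.168.0.0, mask=255.255.0.0 ifc=outside config:(inside) to (outside) source static local local destination static remote remote
id=0x6f0e0010, ip/id=10.20.30.40, mask=255.255.255.255 ifc=dmz config:(inside) to (dmz) source static web-int web-ext
"""

# Fields we need from each table line: the proxied address/network, its mask, and
# the interface on which the ASA answers ARP for it.
ENTRY_RE = re.compile(r"ip/id=(?P<ip>\S+), mask=(?P<mask>\S+) ifc=(?P<ifc>\S+)")


def parse_proxy_arp(text):
    """Return a list of (interface, network) tuples from show nat proxy-arp output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # header line or unrelated text
        # ipaddress accepts a dotted-decimal netmask; strict=False tolerates host bits
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        entries.append((m["ifc"], net))
    return entries


def find_overlaps(proxy_entries, connected):
    """connected maps interface name -> directly connected subnet ('a.b.c.d/len').
    Returns (ifc, proxy_net, connected_net) for every proxy-ARP entry whose range
    overlaps the connected subnet on the same interface, i.e. the bug's trigger."""
    hits = []
    for ifc, net in proxy_entries:
        local = connected.get(ifc)
        if local is None:
            continue  # no connected subnet known for this interface
        local_net = ipaddress.ip_network(local, strict=False)
        if net.overlaps(local_net):
            hits.append((ifc, net, local_net))
    return hits


if __name__ == "__main__":
    # Constructed interface subnets (hypothetical); outside overlaps the /16 entry.
    connected = {"outside": "192.168.1.0/24", "dmz": "172.16.5.0/24"}
    for ifc, proxy, local in find_overlaps(parse_proxy_arp(SAMPLE_OUTPUT), connected):
        print(f"{ifc}: proxy-ARP range {proxy} overlaps connected subnet {local}")
```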