«

OK, I have a very strange problem that I will attempt to outline.
Here is the situation:

I have a DHCP server that exist on about 10 inside VLANs. It is
trunked into all VLANs that it services with different scopes assigned
for each VLAN.

What is happening is everyday a few users (there is no pattern) will
complain of not being able to get to internet or email. They can ping
everything on their VLAN and even things on other internal VLANs. The
problem is getting across the ASA (it is a 5540). The Exchange server
sits in the DMZ and obviously the internet is on the outside.

To fix this I was originally finding out what address was assigned to
the node, excluding it from the scope, and having the node pull a new
address. This worked but I do not want to have to keep doing this. I
then began thinking that this was an ARP problem and I have twice so
far gone in and done a "clear arp" on the ASA when I have users with
this problem and this fixes the problem too...

Any ideas on this one?

> I then began thinking that this was an ARP problem and I have twice so
> far gone in and done a "clear arp" on the ASA when I have users with
> this problem and this fixes the problem too...
>

When you are experiencing the problem, before clearing the ARP cache
on the ASA, check to see the ARP entry for the client machine (the one
with the problem) matches the actual MAC.
If it matches, check the ARP entry for the next-hop router.
If that matches as well, you are not looking at an ARP poisoning
problem.
If they do not match, track down the offending MAC on the switched
network.

Also, do all of your VLANs use the ASA as a default gateway, or do you
have a router there. - It would help to know the topology of the
network in question.

Thanks
JC

On Jul 11, 12:50 pm, "J.Cottingim" <jcottin...@yahoo.com> wrote:
> > I then began thinking that this was an ARP problem and I have twice so
> > far gone in and done a "clear arp" on the ASA when I have users with
> > this problem and this fixes the problem too...
>
> When you are experiencing the problem, before clearing the ARP cache
> on the ASA, check to see the ARP entry for the client machine (the one
> with the problem) matches the actual MAC.
> If it matches, check the ARP entry for the next-hop router.
> If that matches as well, you are not looking at an ARP poisoning
> problem.
> If they do not match, track down the offending MAC on the switched
> network.
>
> Also, do all of your VLANs use the ASA as a default gateway, or do you
> have a router there. - It would help to know the topology of the
> network in question.
>
> Thanks
> JC

No, none of the VLAN use the ASA as the default gateway. They all use
a 4006 which has different IP addresses assigned to the different
VLANs. I will take a look at the ARP entry's the next time this
happens (most likely tomorrow) and see what is up...

Steven B wrote:
> On Jul 11, 12:50 pm, "J.Cottingim" <jcottin...@yahoo.com> wrote:
> > > I then began thinking that this was an ARP problem and I have twice so
> > > far gone in and done a "clear arp" on the ASA when I have users with
> > > this problem and this fixes the problem too...
> >
> > When you are experiencing the problem, before clearing the ARP cache
> > on the ASA, check to see the ARP entry for the client machine (the one
> > with the problem) matches the actual MAC.
> > If it matches, check the ARP entry for the next-hop router.
> > If that matches as well, you are not looking at an ARP poisoning
> > problem.
> > If they do not match, track down the offending MAC on the switched
> > network.
> >
> > Also, do all of your VLANs use the ASA as a default gateway, or do you
> > have a router there. - It would help to know the topology of the
> > network in question.
> >
> > Thanks
> > JC
>
> No, none of the VLAN use the ASA as the default gateway. They all use
> a 4006 which has different IP addresses assigned to the different
> VLANs. I will take a look at the ARP entry's the next time this
> happens (most likely tomorrow) and see what is up...

On the non-working clients, do the acquired DHCP details match the
details from the scope on the DHCP server? especially subnet mask?

Just wondering if you have a second DHCP service somewhere handing out
its own DHCP scopes.

Steven B wrote:
> On Jul 11, 12:50 pm, "J.Cottingim" <jcottin...@yahoo.com> wrote:
> > > I then began thinking that this was an ARP problem and I have twice so
> > > far gone in and done a "clear arp" on the ASA when I have users with
> > > this problem and this fixes the problem too...
> >
> > When you are experiencing the problem, before clearing the ARP cache
> > on the ASA, check to see the ARP entry for the client machine (the one
> > with the problem) matches the actual MAC.
> > If it matches, check the ARP entry for the next-hop router.
> > If that matches as well, you are not looking at an ARP poisoning
> > problem.
> > If they do not match, track down the offending MAC on the switched
> > network.
> >
> > Also, do all of your VLANs use the ASA as a default gateway, or do you
> > have a router there. - It would help to know the topology of the
> > network in question.
> >
> > Thanks
> > JC
>
> No, none of the VLAN use the ASA as the default gateway. They all use
> a 4006 which has different IP addresses assigned to the different
> VLANs. I will take a look at the ARP entry's the next time this
> happens (most likely tomorrow) and see what is up...

On the non-working clients, do the acquired DHCP details match the
details from the scope on the DHCP server? especially subnet mask?

Just wondering if you have a second DHCP service somewhere handing out
its own DHCP scopes.

On Jul 15, 10:03 pm, Arthur Brain <arthur_bra...@yahoo.co.uk> wrote:
> Steven B wrote:
> > On Jul 11, 12:50 pm, "J.Cottingim" <jcottin...@yahoo.com> wrote:
> > > > I then began thinking that this was an ARP problem and I have twice so
> > > > far gone in and done a "clear arp" on the ASA when I have users with
> > > > this problem and this fixes the problem too...
>
> > > When you are experiencing the problem, before clearing the ARP cache
> > > on the ASA, check to see the ARP entry for the client machine (the one
> > > with the problem) matches the actual MAC.
> > > If it matches, check the ARP entry for the next-hop router.
> > > If that matches as well, you are not looking at an ARP poisoning
> > > problem.
> > > If they do not match, track down the offending MAC on the switched
> > > network.
>
> > > Also, do all of your VLANs use the ASA as a default gateway, or do you
> > > have a router there. - It would help to know the topology of the
> > > network in question.
>
> > > Thanks
> > > JC
>
> > No, none of the VLAN use the ASA as the default gateway. They all use
> > a 4006 which has different IP addresses assigned to the different
> > VLANs. I will take a look at the ARP entry's the next time this
> > happens (most likely tomorrow) and see what is up...
>
> On the non-working clients, do the acquired DHCP details match the
> details from the scope on the DHCP server? especially subnet mask?
>
> Just wondering if you have a second DHCP service somewhere handing out
> its own DHCP scopes.- Hide quoted text -
>
> - Show quoted text -

No, the only DHCP server is the one trunked into all of the VLANs.
When I do an ipconf/release ipconfig/renew it pulls the same address
(which is not unusual) with all the correct information. If I exclude
the address from the scope and have the machine pull a new one it does
and this generally fixes the problem...