Netgate Discussion Forum

    arp: IP moved from Mac to vtnet1-mac on vtnet1

      lmensinck

      I see the following kernel message on a routed interface on my pfSense version 2.4.5-RELEASE-p1 (amd64):

      arp: IP moved from "MAC of host with IP" to "MAC of vtnet1" on vtnet1

      My host is then no longer reachable, and about 2 minutes later the MAC is moved back:

      arp: IP moved from "MAC of vtnet1" to "MAC of host with IP" on vtnet1

      We do have a Cisco ASA in front of vtnet1 which is routing IP to the pfSense using static routes.

      I already searched the forum and found some hints about Apple and also Cisco proxy-arp on NAT.
      But I could not find any hints for this.

      I see this mac move about once a day.

      Thanks for any hint to locate the problem.

        stephenw10 Netgate Administrator

        Actually using the MAC of one of the interfaces in pfSense is not any of the usual causes for that.

        Do you have any VIPs on that interface?

        Is that host connected via vtnet1?

        Steve

          lmensinck

          @stephenw10 Hey Steve,

          Thanks for your answer.

          No, we do not have any VIPs defined on that box.
          The host is connected to vtnet1.

          arp: 10.1.0.50 moved from 00:5d:73:1e:58:98 to ea:b5:54:89:1c:9c on vtnet1
          arp: 10.1.0.50 moved from ea:b5:54:89:1c:9c to 00:5d:73:1e:58:98 on vtnet1

          Ah, and thanks for your hint:

          I was wrong, the MAC is not the interface itself but the Cisco ASA interface.
          So I think I know where to search: proxy-arp on the Cisco.

          This is what the routing is like.

          Default 10.1.0.50 (ea:b5:54:89:1c:9c ) -> 10.1.0.1 Cisco ASA routed 10.1.0.1 (00:5d:73:1e:58:98)

          But on 10.1.0.50 we do have a route for 10.1.25.0/24 via 10.1.0.2 which is vtnet1 on the pfsense.

          So the packet from 10.1.0.50 should arrive on the pfSense via vtnet1 and should not pass the ASA. So it should be the proxy-arp on the Cisco which replies to the ARP query.

          There is a NAT rule on the ASA pointing to 10.1.25.2, on which I will disable proxy-arp now for testing. This should resolve the problem, and proxy-arp is not needed since I use different networks on each segment.

          Thanks for your advice.

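Added example, not part of the original thread or of pfSense: a small Python log check that pairs each "arp: IP moved from A to B" kernel message with the later move back, so a once-a-day flap like the one described above shows up with the MAC that briefly claimed the address and for how long. The timestamps, the hostname "fw", the 10.1.0.77 line and the 600-second window are constructed assumptions; the 10.1.0.50 addresses are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample in BSD syslog style. Timestamps, hostname and the third
# line are made up; the 10.1.0.50 IP/MAC values are those quoted in the thread.
SAMPLE_LOG = """\
Aug 12 03:14:07 fw kernel: arp: 10.1.0.50 moved from 00:5d:73:1e:58:98 to ea:b5:54:89:1c:9c on vtnet1
Aug 12 03:16:02 fw kernel: arp: 10.1.0.50 moved from ea:b5:54:89:1c:9c to 00:5d:73:1e:58:98 on vtnet1
Aug 12 09:40:11 fw kernel: arp: 10.1.0.77 moved from 02:00:00:aa:bb:01 to 02:00:00:aa:bb:02 on vtnet1
"""

MOVE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?arp:\s(?P<ip>\S+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifc>\S+)", re.I)


def parse_moves(text, year=2020):
    """Yield (time, ip, old_mac, new_mac, iface) for every 'moved' line."""
    for line in text.splitlines():
        m = MOVE_RE.match(line)
        if m:
            # Syslog omits the year; supply one (assumed) so parsing is unambiguous.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["old"].lower(), m["new"].lower(), m["ifc"]


def find_flaps(text, window_s=600):
    """Pair each A->B move with a later B->A move for the same IP and interface.

    Returns (flaps, unmatched): flaps name the MAC that held the IP only
    briefly; unmatched (ip, iface) keys moved once and never moved back.
    """
    pending, flaps = {}, []
    for ts, ip, old, new, ifc in parse_moves(text):
        prev = pending.pop((ip, ifc), None)
        held = (ts - prev[0]).total_seconds() if prev else None
        if prev and prev[1:] == (new, old) and held <= window_s:
            flaps.append({"ip": ip, "iface": ifc, "original_mac": new,
                          "transient_mac": old, "seconds": int(held)})
        else:
            pending[(ip, ifc)] = (ts, old, new)
    return flaps, sorted(pending)


if __name__ == "__main__":
    flaps, unmatched = find_flaps(SAMPLE_LOG)
    for f in flaps:
        print(f"{f['ip']} on {f['iface']}: {f['transient_mac']} held it for {f['seconds']}s")
    print("moved once, not back:", unmatched)
```

Comparing the transient MAC against the known interface MACs of neighbouring devices on the segment is what separates a proxy-ARP responder from an unknown station answering for the address.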
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.