
First of all, I am sorry for my English mistakes. Please help me solve a problem with ARP request collision incidents.

I have an IBM BladeCenter E chassis with blade servers installed in it. At the rear of the chassis there are two Cisco Catalyst Switch Module 3012 for IBM BladeCenter switches. Each blade server is equipped with two Broadcom BCM5709S NetXtreme II NICs. One NIC is connected over the chassis backplane to one switch, and the other NIC is connected to the second switch. The switches are connected to the core Cisco Catalyst 6509 switches. We also have a Cisco ASA 5520 firewall running OS version 8.0.4. This ASA firewall is also connected to the core with one interface. This ASA interface is in the same network as the blade servers. So the Cisco ASA separates the server network segment from the other segments.

The two server NICs are united in Smart Load Balancing & Failover teaming.

The goal is to provide resiliency. That's why we use both NICs at the same time in a teaming configuration. The teaming parameters are:

Type – Smart Load Balancing and Failover
Enable LiveLink – NO
Team Offload Capabilities – LSO, CO

BACS 3 v.11.6.10.0
Driver version bxnd52x.sys 5.0.13.0

Because of the backplane's physical topology, the two blade NICs are connected to two separate Cisco switches, so you cannot use the LAG or Generic Trunking modes of teaming. And because of the fixed configuration of the backplane, you cannot change this physical topology inside the chassis. The only way is to use SLB, but it leads us to a problem with the ASA, which receives packets from one IP address but with different MACs and considers that a spoofing attack. It constantly registers ARP request collision events.

ASA-4-405001: Received ARP request collision from 10.0.0.10/aaaa.bbbb.cccc on interface inside

I would ask you to advise what to do in this situation. Is there any way to configure teaming only for failover (like NFT mode on Intel NICs) and disable the SLB property? What does the ASA do when it encounters the mentioned events: does it really drop packets, or does it simply inform me about oddities in the network? Can I disable this event on the ASA? Maybe there is a way to statically configure the ASA with two MACs so it wouldn't consider this an attack?

Thank you!

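One way to triage these events, as an added example that is not part of the original post: a Python script that parses 405001 lines in the format quoted above and separates collisions whose MAC belongs to a server's known teaming pair from collisions involving any other MAC. The MAC inventory, the sample log lines and the names `TEAM_MACS` and `classify` are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the message format quoted in the post; the leading "%" and any
# syslog prefix or trailing text are optional so raw syslog lines also parse.
COLLISION_RE = re.compile(
    r"%?ASA-4-405001: Received ARP (?:request|response) collision "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<ifname>\S+)",
    re.IGNORECASE,
)

# Constructed inventory (assumption): MACs of both team members per server IP.
TEAM_MACS = {"10.0.0.10": {"aaaa.bbbb.cccc", "aaaa.bbbb.cccd"}}

# Constructed sample log lines, not taken from a real device.
SAMPLE_LOG = """\
Jan 10 09:00:01 asa %ASA-4-405001: Received ARP request collision from 10.0.0.10/aaaa.bbbb.cccc on interface inside
Jan 10 09:00:07 asa %ASA-4-405001: Received ARP request collision from 10.0.0.10/aaaa.bbbb.cccd on interface inside
Jan 10 09:00:13 asa %ASA-4-405001: Received ARP request collision from 10.0.0.10/AAAA.BBBB.CCCC on interface inside
Jan 10 09:02:44 asa %ASA-4-405001: Received ARP request collision from 10.0.0.10/0011.2233.4455 on interface inside
Jan 10 09:03:02 asa %ASA-4-405001: Received ARP response collision from 10.0.0.11/0011.2233.4455 on interface inside
Jan 10 09:03:05 asa unrelated message that must be skipped
"""

def classify(lines, team_macs):
    """Return (expected, unexpected), each mapping IP -> {mac: event count}.

    A collision is 'expected' only when its MAC is one of the inventoried
    team members for that IP; every other MAC is left for investigation.
    """
    expected = defaultdict(lambda: defaultdict(int))
    unexpected = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = COLLISION_RE.search(line)
        if not m:
            continue
        ip, mac = m["ip"], m["mac"].lower()
        bucket = expected if mac in team_macs.get(ip, set()) else unexpected
        bucket[ip][mac] += 1
    return ({k: dict(v) for k, v in expected.items()},
            {k: dict(v) for k, v in unexpected.items()})

if __name__ == "__main__":
    known, unknown = classify(SAMPLE_LOG.splitlines(), TEAM_MACS)
    for ip, macs in unknown.items():
        print(f"investigate {ip}: {macs}")
```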