arp collision on Cisco ASA from Airport Extreme and AppleTV

Turn off the IPv6 in the AE. Under Internet options tab. Change it to link local only.

No idea if it will do anything but some strange stuff does happen with the AE.. I presume it is AC model??

From what I can gather from your networking description, you have employed a Cisco ASA firewall as your "main" router and have a Cisco switch directly connected to it ... and from there you have a DHCP server, two AirPort Extreme base stations, and pair of Apple TVs connected to that switch. Correct?

If so, I would suggest that you temporarily disconnect the base stations and the Apple TVs and only have the DHCP server connected to the switch. Do the ARP request collisions still occur in this configuration? If so, is the DHCP server dual-homed? If not, add one of the base stations. Does the collisions start back up?

I dug around a bit..

I wonder if it has something to do with bonjour..

See http://notthenetwork.blogspot.com.au/2009/04/bonjour-and-dynamic-arp-inspectiond ai.html

If you remove the Apple TV and use something else as clients.. something that doesn't have a bonjour sleep proxy in it.. does the arp issue still show up??

Sorry I am not at your level network wise.. but I can give you a very extensive look at the inside of the AE firmware and its settings. If that would be of help email me.. My email is open in the profile.

Thanks for the additional information. I'm wondering if the issue is not the AirPort base stations but the Apple TVs instead.

When running an Apple TV will provide, as a minimum, two services: Rendezvous (aka Bonjour) on 3689 & iPhone-Sync on 62078. In addition, if you enable AirPlay on the Apple TV, three more services will be enabled: UPnP (5000), AFS3-Server (7000), & Font-Service (7001).

What I'm not sure about is how any of these services would cause an ARP request from your ASA device to conflict. The base station in bridge mode, as you know, should just pass through these requests and not modify them.

Typically I would find these types of errors on networks with dual-homed servers or when down-stream routers are not configured properly to pass the ARP requests. Sorry, I couldn't be more helpful here.

They also don't support (as consumer support) "Bridge Mode".

I do think your network is a bit complex for domestic setup.. and Apple routers are now domestic units..

But to totally abrogate even being interested in bridge mode.. that is well slightly surprising.

Apple have been recommending people to use double NAT in situations where they either cannot use the airport as the main router or it simply doesn't function properly... as in my case PPPOE simply failed with my bridged modem.. any other router works fine.

But I use the apple router with DHCP not DHCP and NAT.. and found that works better.

See Re: airport time capsule keeps disconnecting

There are a number of issues with DNS as well.. which this seems to help.

I have a Cisco ASA 5505 and four Airports. My configuration is practically identical to Mickey's. I'm seeing the same ARP collisions in my logs. I'm convinced it's crappy Airport software / firmware. Settting the Airports to static IPs does NOT set the wireless card in the Airports to static and the Airport wireless cards are the MAC IDs that seem to be the culprits. I use the airports as a mesh network at home (which is a nice feature) and for Airplay, because I have several of them strategically placed next to speakers. I have several VoIP phones at home that keep getting kicked off the network because of IP collisions with the Airports.

Interestingly enough, setting the Airport to "join a wireless network" (in other words, to NOT share the wireless connection), doesn't change things.

For whatever reason, the Airports insist on requesting their old DHCP address FIRST, instead of checking with the DHCP server for availability. So, they just assume the address is still there for the taking. It really seems to me that the Airports just poop the bed if one of them isn't the DHCP server.

My frustration with this is that if Apple doesn't want you using another device as the DHCP server. They shouldn't put that feature in the software. It's broken for all intents and purpose.

Then why put Bridge mode in the settings? "Too Complex" is another way of saying not intended for use as... So again, DON'T PUT IT IN THE SOFTWARE. That way, I won't buy the product, set it up, have it work fine for a year, and then start to crap out when an update pukes.

Mickey,

Have you considered setting up a second VLAN on your ASA? I'm thinking about doing this. It seems a little more reasonable than an intentional double NAT, which creates a new set of problems to solve the original issue.