Customers have reported that, intermittently within a given subnetwork, Address Resolution Protocol (ARP) responses for the default gateway's IP address point to specific wireless clients rather than to the router. This can cause connectivity problems for individual clients or for every device on the same VLAN/subnetwork.
The incorrect ARP responses point to MAC addresses that belong to Apple macOS devices
New Android devices are associated to the same subnetwork
The access points to which the macOS devices are associated are AP-COS APs (1800/2800/3800/4800/1540/1560/9100 series) in FlexConnect Local Switching or SDA mode, not Cisco IOS® APs.
The access points have FlexConnect Proxy ARP (ARP caching) enabled
By default, FlexConnect ARP caching is enabled in AP-COS 8.3 and above
8.2 is not susceptible, because it did not support AP-COS FlexConnect ARP caching
This problem can affect deployments with AireOS or 9800 series Wireless LAN Controllers, or with Mobility Express
This is not a malicious attack; it is triggered by an interaction between macOS devices in sleep mode and specific broadcast traffic generated by newer Android devices.
AP-COS APs in FlexConnect or SDA mode provide Proxy ARP (ARP caching) services by default. Because of their address-learning design, they update ARP table entries based on this traffic, which ends up modifying the entry for the default gateway.
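The observable symptom described above is an ARP reply for the gateway IP carrying a MAC that belongs to a wireless client rather than the router. The following added example (not code from Cisco or the original note) audits tcpdump-style ARP reply lines for exactly that: it flags every MAC other than the known gateway MAC that answers for the gateway IP and lists which other IPs the same MAC has also claimed, so an operator can confirm the issue before disabling ARP caching. The sample log lines, the gateway IP 10.10.20.1 and the MACs are constructed; the log format assumes tcpdump's "Reply <ip> is-at <mac>" layout.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump-style ARP output; not captured from a real network.
# 00:00:5e:00:01:0a plays the router, 02:ab:cd:12:34:56 plays a wireless client
# whose MAC intermittently shows up in replies for the gateway IP.
SAMPLE_ARP_LOG = """\
12:00:01.000 ARP, Reply 10.10.20.1 is-at 00:00:5e:00:01:0a, length 28
12:00:02.000 ARP, Reply 10.10.20.57 is-at 02:ab:cd:12:34:56, length 28
12:00:03.000 ARP, Reply 10.10.20.1 is-at 02:ab:cd:12:34:56, length 28
12:00:04.000 ARP, Reply 10.10.20.1 is-at 00:00:5e:00:01:0a, length 28
12:00:05.000 ARP, Reply 10.10.20.1 is-at 02:ab:cd:12:34:56, length 28
12:00:06.000 ARP, Request who-has 10.10.20.1 tell 10.10.20.88, length 28
"""

# Matches only ARP replies; requests and unrelated lines are ignored.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line in the text."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def audit_gateway_arp(text, gateway_ip, gateway_mac):
    """Report every MAC other than gateway_mac that answered for gateway_ip.

    Returns {mac: {"count": n, "first_seen": ts, "also_claims": [ips]}} where
    also_claims lists the other IPs that MAC has replied for, which is the
    signature of a client MAC being handed out for the default gateway.
    """
    gateway_mac = gateway_mac.lower()
    macs_by_ip = defaultdict(set)
    gateway_replies = []
    for ts, ip, mac in parse_arp_replies(text):
        macs_by_ip[ip].add(mac)
        if ip == gateway_ip:
            gateway_replies.append((ts, mac))

    report = {}
    for ts, mac in gateway_replies:
        if mac == gateway_mac:
            continue  # legitimate reply from the router
        entry = report.setdefault(mac, {"count": 0, "first_seen": ts, "also_claims": []})
        entry["count"] += 1

    # Cross-reference each offending MAC against the IPs it replied for elsewhere.
    for mac, entry in report.items():
        entry["also_claims"] = sorted(
            ip for ip, macs in macs_by_ip.items() if ip != gateway_ip and mac in macs
        )
    return report


if __name__ == "__main__":
    result = audit_gateway_arp(SAMPLE_ARP_LOG, "10.10.20.1", "00:00:5E:00:01:0A")
    for mac, entry in result.items():
        print(f"{mac}: answered for the gateway {entry['count']}x "
              f"(first {entry['first_seen']}), also claims {entry['also_claims']}")
```

On the constructed sample the script reports the client MAC twice answering for 10.10.20.1 while also claiming 10.10.20.57. To run it against real data, capture with tcpdump's ARP filter on the affected VLAN, feed the text to audit_gateway_arp with the router's real IP and MAC, and treat any non-empty report as confirmation that stale gateway entries are being served.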
Disable FlexConnect Proxy ARP (ARP caching).
If running FlexConnect with AireOS or Mobility Express, use the command config flexconnect arp-caching disable
this command works with 8.9, 8.8, 188.8.131.52, and 8.5 escalation (184.108.40.206 or above)
if using earlier 8.5 code, this command does not work (CSCvp73371), so upgrade to 220.127.116.11 or above
if using 8.3 code, upgrade to 8.3MR5 escalation (18.104.22.168 or above, available from TAC) to get the CSCvp73371 fix
if using SDA Fabric mode with AireOS, use the command config flexconnect arp-caching disable
this command works with 22.214.171.124, 126.96.36.199 and 188.8.131.52
if using earlier 8.5 or 8.8 code, this command does not work (CSCvk79850), so upgrade to 184.108.40.206 / 220.127.116.11 / 18.104.22.168 or above
If running FlexConnect with a 9800 series controller, use the command no arp-caching under wireless profile flex
With FlexConnect Proxy ARP disabled, ARP requests for wireless clients are broadcast over the air rather than answered by the APs. This somewhat increases battery consumption for wireless handheld devices such as Cisco 8821 phones.