topic Re: Azure No Arp in VM-Series in the Public Cloud

Azure No Arp

LukeBullimore — Mon, 29 Apr 2019 15:20:06 GMT

Hey All,

I'm coming across a weird issue here.

We have two subents in Azure. Let's call them Subnet1 and Subnet2

Subnet1 has a UDR to point traffic to the internal interface of the firewall.

This works, we see the traffic come into the firewall. We don't see any return traffic from the server in subnet 2. There is a static route pointing to the azure fabric .1 address.

When I do a flow basic, the firewall is unable to send the traffic to the gateway (azure .1 address) because there is no ARP.

Route found, interface ethernet1/2, zone 2, nexthop 10.38.225.1

Resolve ARP for IP 10.38.225.1 on interface ethernet1/2

ARP pending

Packet dropped, no ARP

HELP!

Re: Azure No Arp

jmeurer — Mon, 29 Apr 2019 15:27:21 GMT

Do you have a corresponding route in subnet 2 pointing to the firewall for subnet 1? If you do not, azure will assymetrically return the traffic directly to the server rather than return routing through the firewall due to the VNET route.

Re: Azure No Arp

LukeBullimore — Mon, 29 Apr 2019 15:31:53 GMT

Hi @jmeurer

Thanks for your input. Yes the UDR for subent 2 is there.

Any other ideas?

Thanks,

Luke.

Re: Azure No Arp

jmeurer — Mon, 29 Apr 2019 15:40:41 GMT

I assume the firewall has corresponding routes for both subnets pointing to the first IP of the internal subnet the firewall is attached two.

Also, check to ensure the interface has IP Forwarding enabled on the azure side. If you do need to change this setting. Reboot the firewall. I have seen it not apply until after reboot.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#enable-or-disable-ip-forwarding

From there, double check your NSGs.

Since this intrazone traffic, it should be allowed, but you may not be logging it due to the inherent rule. Override logging on intrazone, it may give you some further information in the Monitor.

Re: Azure No Arp

LukeBullimore — Mon, 29 Apr 2019 15:49:26 GMT

Hey @jmeurer

Firewall routes exist and are correct.

IP forwarding enabled on all interfaces. I've also rebooted the firewall.

nSGs are all allowed.

I've done logging on the policies but just show "bytes received: 0"

I've tried with a NAT rule to source NAT and not, makes no difference.

Re: Azure No Arp

jmeurer — Mon, 29 Apr 2019 15:53:54 GMT

You have hit all of the usual culprits. Time to get a TAC case open.

Re: Azure No Arp

dmaynard — Mon, 29 Apr 2019 16:36:20 GMT

Is Subnet 2 a gateway subnet?

Re: Azure No Arp

LukeBullimore — Tue, 30 Apr 2019 07:53:22 GMT

Hey @dmaynard

Nope! It's not a gateway subnet.

Re: Azure No Arp

LukeBullimore — Tue, 30 Apr 2019 13:56:32 GMT

Found out the issue.. the static routes on the firewall were pointing to each .1 address of the subnet rather than the .1 address of the address range assigned to the VNET

Re: Azure No Arp

fatboy1607 — Tue, 10 Mar 2020 14:12:39 GMT

Can you elaborate little bit ? you are saying you pointed static route on Palo Alto to VNET .1 IP ? and not first IP in subnet of interface of firewall for example eth2 ?

Re: Azure No Arp

ashleyk — Thu, 02 Jul 2020 16:39:08 GMT

Hello,

I had the same problem and managed to get it sorted. I orignally was this accepted answer but didnt really understand it.

Take a look at my post and it might clear things up.
https://live.paloaltonetworks.com/t5/general-topics/azure-palo-alto-arp-not-found/m-p/336411/thread-id/84754/highlight/false#M84756

Thanks