GW ARP reply..

R.Lingwal — Mon, 17 Feb 2025 15:46:58 GMT

From the tcpdump output, the device with the MAC address b4:0c:25:e0:40:10(FW being the GW) is repeatedly broadcasting ARP requests, asking for the MAC addresses of multiple IPs within the 10.248.8.x range. It is sending these requests to identify the MAC addresses of devices associated with those IP addresses. This is resulting connectivity issues in the network. FW is managed by panorama. one host which has IP 10.248.15.226 is getting ARP resolved by the GW mac. and this IP is not pinging.

fr2-oob-106-sw01...12:10:36:(vrf:MGMT)#sh ip arp
Address Age (sec) Hardware Addr Interface
10.248.8.1 0:00:00 b40c.25e0.4010 Vlan2008, Port-Channel106
10.248.8.200 0:00:00 000c.29be.2221 Vlan2008, Port-Channel106
10.248.8.254 0:00:00 5254.0070.1722 Vlan2008, Port-Channel106
10.248.15.57 0:23:53 000c.29ac.6fe8 Vlan2008, Port-Channel106
10.248.15.58 0:05:22 000c.291f.727d Vlan2008, Port-Channel106
10.248.15.226 0:06:37 b40c.25e0.4010 Vlan2008, Port-Channel106

12:40:20.465309 00:0c:29:1f:72:7d > 2c:dd:e9:57:9d:d8, ethertype ARP (0x0806), length 60: Request who-has 10.248.8.20 tell 10.248.15.58, length 46
12:40:21.802244 b4:0c:25:e0:40:10 > Broadcast, ethertype ARP (0x0806), length 56: Request who-has 10.248.15.57 (Broadcast) tell 10.248.8.1, length 42
12:40:23.802144 b4:0c:25:e0:40:10 > Broadcast, ethertype ARP (0x0806), length 56: Request who-has 10.248.10.86 (Broadcast) tell 10.248.8.1, length 42
12:40:28.801900 b4:0c:25:e0:40:10 > Broadcast, ethertype ARP (0x0806), length 56: Request who-has 10.248.9.238 (Broadcast) tell 10.248.8.1, length 42
12:40:28.801954 b4:0c:25:e0:40:10 > Broadcast, ethertype ARP (0x0806), length 56: Request who-has 10.248.9.26 (Broadcast) tell 10.248.8.1, length 42
12:40:28.801975 b4:0c:25:e0:40:10 > Broadcast, ethertype ARP (0x0806), length 56: Request who-has 10.248.15.18 (Broadcast) tell 10.248.8.1, length 42
12:40:28.801995 b4:0c:25:e0:40:10 > Broadcast, ethertype ARP (0x0806), length 56: Request who-has 10.248.10.21 (Broadcast) tell 10.248.8.1, length 42
12:40:28.802019 b4:0c:25:e0:40:10 > Broadcast, ethertype ARP (0x0806), length 56: Request who-has 10.248.10.11 (Broadcast) tell 10.248.8.1, length 42
12:40:29.169272 00:0c:29:1f:72:7d > 2c:dd:e9:57:8d:e0, ethertype ARP (0x0806), length 60: Request who-has 10.248.8.19 tell 10.248.15.58, length 46
12:40:29.226796 2c:dd:e9:57:9d:d8 > 00:0c:29:3c:51:b6, ethertype ARP (0x0806), length 60: Request who-has 10.248.15.61 (00:0c:29:3c:51:b6) tell 10.248.8.20,

Re: GW ARP reply..

JayGolf — Thu, 20 Feb 2025 01:57:35 GMT

Hi @R.Lingwal ,

Are you still experiencing issues?

Compare the output of "show arp all | match 10.248.15.226" on the Palo with where your switch has 10.248.15.226 mapped to. What does it look like? Are multiple devices showing up?

Have you tried clearing the arp cache on the palo and switch?

topic GW ARP reply.. in Next-Generation Firewall Discussions

GW ARP reply..

Re: GW ARP reply..