https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128668#M46714 <P>Hi,</P><P>&nbsp;</P><P>Thanks! l cannot understand how then it is working:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ARP.PNG" style="width: 551px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6484iD43DABF4DECBF520/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ARP.PNG" alt="ARP.PNG" /></span></P><P>Let's say on .77 IP we got web server hosted on premise where 1x1 NAT is configured for outside host when they hitting .77</P><P>So essentially for half of these IPs&nbsp;1x1 NAT is in place .126 is a default gateway&nbsp;where .122 is a test PC.</P><P>Another&nbsp;thing when l send a gratuitous&nbsp;ARP how the Palo decides to which host to send. Why l don't&nbsp;see other IP, as we got /26 for outside? Palo must know that these are alive&nbsp;</P> Thu, 24 Nov 2016 08:09:42 GMT TranceforLife 2016-11-24T08:09:42Z https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128411#M46693 <P>Hello All,</P><P>&nbsp;</P><P>Need some clarification on ARP table. For some reason, once we swapped the devices from 2020&gt;3020 &nbsp;our ARP table is seen as incomplete but services are working fine withing on that particular external subnet (before they did but we use gratuitous arp) . Also the time out of the "incomplete" entries pretty&nbsp;much a second (&nbsp;ttl&nbsp;=1):</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ARP entries_hidden.PNG" style="width: 595px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6473i975FDDA12AA5FE6C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ARP entries_hidden.PNG" alt="ARP entries_hidden.PNG" /></span></P><P>&nbsp;</P><P>Cheers,</P><P>Myky</P> Wed, 23 Nov 2016 18:33:03 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128411#M46693 TranceforLife 2016-11-23T18:33:03Z https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128646#M46710 <P>Incomplete means that PA didn't get ARP reply to his ARP query.</P><P>Or in other words there are no devices with those IPs in the network configured on this interface.</P> Thu, 24 Nov 2016 07:21:45 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128646#M46710 santonic 2016-11-24T07:21:45Z https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128668#M46714 <P>Hi,</P><P>&nbsp;</P><P>Thanks! l cannot understand how then it is working:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ARP.PNG" style="width: 551px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6484iD43DABF4DECBF520/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ARP.PNG" alt="ARP.PNG" /></span></P><P>Let's say on .77 IP we got web server hosted on premise where 1x1 NAT is configured for outside host when they hitting .77</P><P>So essentially for half of these IPs&nbsp;1x1 NAT is in place .126 is a default gateway&nbsp;where .122 is a test PC.</P><P>Another&nbsp;thing when l send a gratuitous&nbsp;ARP how the Palo decides to which host to send. Why l don't&nbsp;see other IP, as we got /26 for outside? Palo must know that these are alive&nbsp;</P> Thu, 24 Nov 2016 08:09:42 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128668#M46714 TranceforLife 2016-11-24T08:09:42Z https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128671#M46715 <P>Ahh, those are IPs used for DNAT on PA?</P><P>PA doesn't need those in its table. But he replies to other devices with its MAC address for them. So if you look ARP tables on surrounding devices you will see entries for those IPs with PA mac address.</P><P>&nbsp;</P><P>Why are they in the PA table and displayed as incomplete I don't know.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 24 Nov 2016 08:23:59 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128671#M46715 santonic 2016-11-24T08:23:59Z https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128720#M46719 <P>Hi,</P><P>&nbsp;</P><P>This is the very good point! So if the DNAT configured for the&nbsp;86.xx.xx.72,&nbsp;<SPAN>86.xx.xx.77 etc PA will reply for the&nbsp;ARP request.&nbsp;</SPAN></P><P><SPAN>That is why when we changed a PA to the new one, old ARP cache ( old&nbsp;PA MAC address) still was present &nbsp;in ARP table of external DG withing the same subnet, hence no services we available as DG had wrong MAC for these IPs. Will confirm ARP table on the&nbsp;test PC and let you know.</SPAN></P><P>&nbsp;</P><P><SPAN>Cheers,</SPAN></P><P><SPAN>Myky</SPAN></P><P>&nbsp;</P> Thu, 24 Nov 2016 17:17:57 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-table-cache-quot-incomplete-quot/m-p/128720#M46719 TranceforLife 2016-11-24T17:17:57Z