https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216099#M62617 <P>We are facing some starnge issue .</P><P>We are having an ISP which is connected to sub interface.</P><P>We are trying to repalce it with new one. Same Subnet /29 but different IP. NAT rules also same because same subnet.</P><P>The issue we are facing is when new ISP configured , we are getting the ARP entries for ISP gateway on Palo Alto Sub interface however its expiring after 30 min which is normal arp interval.</P><P>After 30 min ARP is not learning.</P><P>I tried clearing arp. No success.&nbsp;</P><P>Last I tried manually configured static ARP on sub interface and Now The sub interface can reach the gateway IP now.</P><P>It seems after 30 min interval the Palo Alto is not trying to send the ARP request.&nbsp;</P><P>However when I connect my old ISP back it works perfectly. Does some one face similiar issues</P> Thu, 31 May 2018 13:00:50 GMT Roby_Sreejith 2018-05-31T13:00:50Z https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216099#M62617 <P>We are facing some starnge issue .</P><P>We are having an ISP which is connected to sub interface.</P><P>We are trying to repalce it with new one. Same Subnet /29 but different IP. NAT rules also same because same subnet.</P><P>The issue we are facing is when new ISP configured , we are getting the ARP entries for ISP gateway on Palo Alto Sub interface however its expiring after 30 min which is normal arp interval.</P><P>After 30 min ARP is not learning.</P><P>I tried clearing arp. No success.&nbsp;</P><P>Last I tried manually configured static ARP on sub interface and Now The sub interface can reach the gateway IP now.</P><P>It seems after 30 min interval the Palo Alto is not trying to send the ARP request.&nbsp;</P><P>However when I connect my old ISP back it works perfectly. Does some one face similiar issues</P> Thu, 31 May 2018 13:00:50 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216099#M62617 Roby_Sreejith 2018-05-31T13:00:50Z https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216201#M62640 <P>I would double-check your source-NAT policy.&nbsp; When I've seen this happen, it's been because the source-NAT address was inadvertently configured as a subnet entry (x.x.x.x/yy) instead of a single IP address (x.x.x.x).&nbsp; If you include the CIDR mask along with the address, the firewall will think it owns all of the IP addresses in that subnet, including your ISP's address.&nbsp;&nbsp;</P> Thu, 31 May 2018 22:25:08 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216201#M62640 jvalentine 2018-05-31T22:25:08Z https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216225#M62645 <P>I have done debug logs and I could not see ant NAT translation logs.</P><P>Also Immeditaly, once i connect to different ISP it works fine.&nbsp;</P><P>For this new ISP ,it learns ARP dynamically for first time. But after 30 min it expires then it never learns.&nbsp;</P><P>Also if you configure static arp in Palo Alto sub interface it works fine</P> Fri, 01 Jun 2018 07:33:27 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216225#M62645 Roby_Sreejith 2018-06-01T07:33:27Z https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216284#M62665 <P>What will happen when arp expire after 30 min. I could not see palo alto sending arp towards ISP&nbsp;</P> Fri, 01 Jun 2018 14:42:50 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-getting-time-out-after-30-min-on-sub-interface/m-p/216284#M62665 Roby_Sreejith 2018-06-01T14:42:50Z