Arp getting time out after 30 min on sub interface


L4 Transporter

We are facing a strange issue.

We have an ISP which is connected to a sub interface.

We are trying to replace it with a new one. Same subnet /29 but different IP. NAT rules are also the same because it is the same subnet.

The issue we are facing is that when the new ISP is configured, we are getting the ARP entries for the ISP gateway on the Palo Alto sub interface; however, it's expiring after 30 min, which is the normal ARP interval.

After 30 min ARP is not learning.

I tried clearing arp. No success. 

Lastly, I tried manually configuring a static ARP on the sub interface, and now the sub interface can reach the gateway IP.

It seems after 30 min interval the Palo Alto is not trying to send the ARP request. 

However, when I connect my old ISP back it works perfectly. Does someone face similar issues?

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com
3 REPLIES

L7 Applicator

I would double-check your source-NAT policy.  When I've seen this happen, it's been because the source-NAT address was inadvertently configured as a subnet entry (x.x.x.x/yy) instead of a single IP address (x.x.x.x).  If you include the CIDR mask along with the address, the firewall will think it owns all of the IP addresses in that subnet, including your ISP's address.  
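The check suggested in the reply above, written out as an added example (it is not from the thread or from the vendor): it flags source-NAT translated-address entries typed with a subnet mask that also covers the ISP gateway, which the reply says makes the firewall treat every address in that subnet as its own. The rule names and addresses are constructed, and the input is assumed to be a plain list of (rule name, translated address) pairs copied from the NAT policy.

```python
import ipaddress


def audit_nat_pool(entries, gateway):
    """Return findings for translated-address entries that cover the gateway.

    entries: iterable of (rule_name, address_string) pairs (constructed input).
    gateway: the ISP next-hop IP as a string.
    """
    gw = ipaddress.ip_address(gateway)
    findings = []
    for rule, text in entries:
        # ip_interface keeps both the host address and the mask as typed
        iface = ipaddress.ip_interface(text)
        net = iface.network
        if net.prefixlen == net.max_prefixlen:
            continue  # single address (no mask or /32): nothing extra is claimed
        if gw in net:
            findings.append({
                "rule": rule,
                "entry": text,
                "claimed": net.num_addresses,  # addresses covered by the mask
                "suggest": str(iface.ip),      # the same entry as a single IP
            })
    return findings


# Constructed sample data using documentation address ranges
SAMPLE = [
    ("outbound-new-isp", "203.0.113.2/29"),  # subnet entry, covers the gateway
    ("outbound-old-isp", "198.51.100.10"),   # single IP
    ("dmz-static", "203.0.113.3/32"),        # single IP written as /32
]

if __name__ == "__main__":
    for f in audit_nat_pool(SAMPLE, "203.0.113.1"):
        print(f"{f['rule']}: {f['entry']} covers the gateway; "
              f"{f['claimed']} addresses claimed, use {f['suggest']}")
```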

I have done debug logs and I could not see any NAT translation logs.

Also, immediately once I connect to a different ISP it works fine.

For this new ISP, it learns ARP dynamically the first time. But after 30 min it expires, then it never learns.

Also, if you configure static ARP on the Palo Alto sub interface it works fine.

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com

What will happen when the ARP expires after 30 min? I could not see Palo Alto sending ARP towards the ISP.

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com