09-11-2024 04:38 AM
Hello
We ran into a sporadic issue (once per day) where the communication between the firewall and the router stops for ~30 seconds. A deeper analysis revealed that the firewall has no ARP entry for the router for a short time.
Our ARP TTL is set to the standard value (1'800 seconds). Adding a static ARP entry fixes the issue, but this does not scale (we have hundreds of firewall clusters).
There is a post on Reddit which reports the same incident: https://www.reddit.com/r/paloaltonetworks/comments/1cj6uje/palo_alto_losing_mac_address_from_cisco_r...
Has anyone stumbled over this issue and found a "real" fix?
09-11-2024 04:54 AM
Hi @JoergSchuetter ,
Was this over an MPLS circuit as described in the Reddit post? When any network device is missing an ARP entry, it immediately sends an ARP request to find it. This happens in milliseconds. I think it is doubtful the PA-445 has an ARP issue because that would impact all IP over Ethernet traffic going through the NGFW. It may be sporadic as you say.
You need to confirm if the NGFW is sending ARP requests or not. If the NGFW does not, it is a bug. If it does and receives no answer, it is a problem with the "router". https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfqCAC
Thanks,
Tom
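The check described in the reply above (does the firewall send ARP requests, and does the router answer them) can be run offline over ARP frames exported from a capture. The following is an added example, not part of the original post: the function names, addresses, MACs, timestamps and the 1-second reply timeout are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame):
    """Return (oper, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    off = 16 if frame[12:14] == b"\x81\x00" else 12  # skip a single 802.1Q tag
    if frame[off:off + 2] != b"\x08\x06" or len(frame) < off + 30:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, off + 2)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, IPv4Address(frame[off + 16:off + 20]), IPv4Address(frame[off + 26:off + 30])

def diagnose(frames, fw_ip, router_ip, timeout=1.0):
    """frames: (timestamp_seconds, raw_frame) pairs. Returns (verdict, unanswered request times)."""
    fw, rtr = IPv4Address(fw_ip), IPv4Address(router_ip)
    pending, unanswered, requests = [], [], 0
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        arp = parse_arp(raw)
        if arp is None:
            continue
        oper, spa, tpa = arp
        # Requests older than `timeout` with no reply seen count as unanswered.
        unanswered += [t for t in pending if ts - t > timeout]
        pending = [t for t in pending if ts - t <= timeout]
        if oper == ARP_REQUEST and (spa, tpa) == (fw, rtr):
            requests += 1
            pending.append(ts)
        elif oper == ARP_REPLY and (spa, tpa) == (rtr, fw):
            pending.clear()
    unanswered += pending  # still waiting when the capture ended
    if requests == 0:
        return "firewall sent no ARP requests", unanswered
    return ("requests sent, router did not answer" if unanswered else "all requests answered"), unanswered

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed sample frame (test data, not captured traffic)."""
    dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    return (dst + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed)

FW, RTR = "192.0.2.1", "192.0.2.254"  # constructed addresses (documentation range)
FW_MAC, RTR_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
REQ = build_arp(ARP_REQUEST, FW_MAC, FW, b"\x00" * 6, RTR)
REP = build_arp(ARP_REPLY, RTR_MAC, RTR, FW_MAC, FW)
SAMPLE = [(0.0, REQ), (0.001, REP), (100.0, REQ), (101.0, REQ), (102.0, REQ), (130.0, REQ), (130.002, REP)]

if __name__ == "__main__":
    print(diagnose(SAMPLE, FW, RTR))
```

A "firewall sent no ARP requests" verdict is only meaningful if the capture covers the outage window.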
09-11-2024 05:21 AM
Hello
The affected models are PA-5220 and PA-820. There is no MPLS involved, just an aggregated ethernet via copper/fiber.
The traffic volume via that link is high, hence capturing the data might be a challenge. Any recommendations on how to facilitate that on the firewall nodes?