We are facing some strange issue.
We have an ISP which is connected to a sub-interface.
We are trying to replace it with a new one. Same subnet /29 but different IP. NAT rules are also the same because it is the same subnet.
The issue we are facing is that when the new ISP is configured, we get the ARP entry for the ISP gateway on the Palo Alto sub-interface; however, it expires after 30 min, which is the normal ARP interval.
After 30 min ARP is not learned.
I tried clearing ARP. No success.
Last I tried manually configuring a static ARP on the sub-interface, and now the sub-interface can reach the gateway IP.
It seems that after the 30 min interval the Palo Alto is not trying to send the ARP request.
However, when I connect my old ISP back, it works perfectly. Does someone face similar issues?
I would double-check your source-NAT policy. When I've seen this happen, it's been because the source-NAT address was inadvertently configured as a subnet entry (x.x.x.x/yy) instead of a single IP address (x.x.x.x). If you include the CIDR mask along with the address, the firewall will think it owns all of the IP addresses in that subnet, including your ISP's address.
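As an added illustration of the check suggested in the reply above (this is not code from the thread or from Palo Alto Networks): a small Python script that interprets each NAT translated-source entry the way the reply describes, a bare address as one host and an address carrying a CIDR mask as the whole range, and flags any entry whose range includes the ISP gateway address. All addresses in it are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample values (not from the thread): the ISP gateway the
# sub-interface must reach, and translated-source addresses as they might
# have been typed into NAT rules.
ISP_GATEWAY = "203.0.113.9"              # placeholder gateway inside a /29
NAT_TRANSLATED_ADDRESSES = [
    "203.0.113.10",      # single host: correct
    "203.0.113.8/29",    # whole /29 entered by mistake: also covers the gateway
    "203.0.113.11/32",   # explicit /32: still a single host
]


def covers_gateway(entry, gateway):
    """Return True if a NAT translated-address entry, read the way the
    firewall reads it (bare address = one host, CIDR = the whole range),
    contains the ISP gateway address."""
    network = ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_address(gateway) in network


def find_conflicts(entries, gateway):
    """Return every entry whose implied address range includes the gateway.
    Such an entry makes the firewall claim the gateway's address as its own,
    which is the condition the reply describes."""
    return [e for e in entries if covers_gateway(e, gateway)]


if __name__ == "__main__":
    for e in find_conflicts(NAT_TRANSLATED_ADDRESSES, ISP_GATEWAY):
        print(f"{e} overlaps ISP gateway {ISP_GATEWAY}; use a single address instead")
```

Run it against the translated-source addresses of every NAT rule that uses the new ISP's sub-interface; any entry it reports is one to rewrite as a single address before looking further at ARP.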
I have done debug logs and I could not see any NAT translation logs.
Also, immediately once I connect to a different ISP it works fine.
For this new ISP, it learns ARP dynamically the first time. But after 30 min it expires, then it never learns.
Also, if you configure a static ARP on the Palo Alto sub-interface it works fine.
What will happen when ARP expires after 30 min? I could not see the Palo Alto sending ARP towards the ISP.