Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

ARP table cache "incomplete"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

ARP table cache "incomplete"

L6 Presenter

Hello All,

 

Need some clarification on ARP table. For some reason, once we swapped the devices from 2020>3020  our ARP table is seen as incomplete but services are working fine withing on that particular external subnet (before they did but we use gratuitous arp) . Also the time out of the "incomplete" entries pretty much a second ( ttl =1):

 

ARP entries_hidden.PNG

 

Cheers,

Myky

1 accepted solution

Accepted Solutions

Ahh, those are IPs used for DNAT on PA?

PA doesn't need those in its table. But he replies to other devices with its MAC address for them. So if you look ARP tables on surrounding devices you will see entries for those IPs with PA mac address.

 

Why are they in the PA table and displayed as incomplete I don't know.

 

 

View solution in original post

4 REPLIES 4

L6 Presenter

Incomplete means that PA didn't get ARP reply to his ARP query.

Or in other words there are no devices with those IPs in the network configured on this interface.

Hi,

 

Thanks! l cannot understand how then it is working:

 

ARP.PNG

Let's say on .77 IP we got web server hosted on premise where 1x1 NAT is configured for outside host when they hitting .77

So essentially for half of these IPs 1x1 NAT is in place .126 is a default gateway where .122 is a test PC.

Another thing when l send a gratuitous ARP how the Palo decides to which host to send. Why l don't see other IP, as we got /26 for outside? Palo must know that these are alive 

Ahh, those are IPs used for DNAT on PA?

PA doesn't need those in its table. But he replies to other devices with its MAC address for them. So if you look ARP tables on surrounding devices you will see entries for those IPs with PA mac address.

 

Why are they in the PA table and displayed as incomplete I don't know.

 

 

Hi,

 

This is the very good point! So if the DNAT configured for the 86.xx.xx.72, 86.xx.xx.77 etc PA will reply for the ARP request. 

That is why when we changed a PA to the new one, old ARP cache ( old PA MAC address) still was present  in ARP table of external DG withing the same subnet, hence no services we available as DG had wrong MAC for these IPs. Will confirm ARP table on the test PC and let you know.

 

Cheers,

Myky

 

  • 1 accepted solution
  • 11841 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!