11-23-2016 03:02 AM - edited 11-23-2016 10:33 AM
Hello All,
Need some clarification on the ARP table. For some reason, once we swapped the devices from 2020>3020 our ARP table is seen as incomplete, but services are working fine within that particular external subnet (before they did not, but we use gratuitous ARP). Also, the timeout of the "incomplete" entries is pretty much a second (ttl = 1):
Cheers,
Myky
11-24-2016 12:23 AM
Ahh, those are IPs used for DNAT on PA?
PA doesn't need those in its table. But it replies to other devices with its own MAC address for them. So if you look at the ARP tables on surrounding devices you will see entries for those IPs with the PA MAC address.
Why they are in the PA table and displayed as incomplete, I don't know.
11-23-2016 11:21 PM
Incomplete means that PA didn't get an ARP reply to its ARP query.
Or in other words there are no devices with those IPs in the network configured on this interface.
11-24-2016 12:08 AM - edited 11-24-2016 12:09 AM
Hi,
Thanks! I cannot understand how it is working then:
Let's say on the .77 IP we have a web server hosted on premise, where 1x1 NAT is configured for outside hosts when they hit .77.
So essentially for half of these IPs 1x1 NAT is in place; .126 is the default gateway and .122 is a test PC.
Another thing: when I send a gratuitous ARP, how does the Palo decide which host to send it to? Why don't I see the other IPs, as we have a /26 on the outside? The Palo must know that these are alive.
11-24-2016 06:27 AM - edited 11-24-2016 09:17 AM
Hi,
This is a very good point! So if DNAT is configured for 86.xx.xx.72, 86.xx.xx.77 etc., PA will reply to the ARP request.
That is why, when we changed the PA to the new one, the old ARP cache entry (old PA MAC address) was still present in the ARP table of the external DG within the same subnet, hence no services were available as the DG had the wrong MAC for these IPs. Will confirm the ARP table on the test PC and let you know.
Cheers,
Myky
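As an added check (not from this thread, and not Palo Alto's own tooling), a small Python script that audits a neighbour's ARP cache after a firewall swap: it parses Linux `ip -4 neigh show` style output and flags the NAT IPs that still point at a MAC other than the new firewall's, or that nobody answers for. The sample output, the firewall MAC, the NAT IP set and the interface name are all constructed placeholders.

```python
import re
# Constructed sample in the style of Linux `ip -4 neigh show`, as it might be
# captured on the external default gateway after the swap. Placeholder values.
SAMPLE_NEIGH = """\
86.0.0.72 dev eth0 lladdr 00:1b:17:00:00:01 STALE
86.0.0.77 dev eth0 lladdr 00:1b:17:00:00:02 REACHABLE
86.0.0.80 dev eth0 lladdr 00:1b:17:00:00:02 REACHABLE
86.0.0.90 dev eth0  FAILED
86.0.0.122 dev eth0 lladdr 3c:97:0e:aa:bb:cc REACHABLE
"""
NEW_FW_MAC = "00:1b:17:00:00:02"   # hypothetical MAC of the replacement firewall
NAT_IPS = {"86.0.0.72", "86.0.0.77", "86.0.0.80", "86.0.0.85", "86.0.0.90"}

LINE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)$",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Yield (ip, mac-or-None, STATE) for each well-formed neighbour line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mac = m.group("mac")
            yield m.group("ip"), (mac.lower() if mac else None), m.group("state").upper()

def audit_nat_arp(text, nat_ips, expected_mac):
    """Return (ip, mac, state, problem) for every NAT IP whose cache entry
    would misdirect or drop traffic. problem is one of:
      'stale'      - cached MAC is not the new firewall (old firewall's entry)
      'unresolved' - FAILED/INCOMPLETE: nobody answered ARP for this IP
      'absent'     - not cached yet; nothing to fix until first resolution
    """
    expected_mac = expected_mac.lower()
    findings, seen = [], set()
    for ip, mac, state in parse_neigh(text):
        if ip not in nat_ips:
            continue
        seen.add(ip)
        if mac is None or state in {"FAILED", "INCOMPLETE"}:
            findings.append((ip, mac, state, "unresolved"))
        elif mac != expected_mac:
            findings.append((ip, mac, state, "stale"))
    findings += [(ip, None, "ABSENT", "absent") for ip in sorted(nat_ips - seen)]
    return findings

if __name__ == "__main__":
    for ip, mac, state, problem in audit_nat_arp(SAMPLE_NEIGH, NAT_IPS, NEW_FW_MAC):
        print(f"{ip:<12} {mac or '-':<18} {state:<10} {problem}")
```

Run it against the gateway's and the test PC's caches right after the swap: a 'stale' finding is the exact symptom described above (DG still holding the old PA MAC), and is what a gratuitous ARP from the new firewall is meant to clear.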