This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

ARP table cache "incomplete"

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

ARP table cache "incomplete"

Go to solution
TranceforLife
L6 Presenter

‎11-23-2016 03:02 AM - edited ‎11-23-2016 10:33 AM

Hello All,

 

Need some clarification on ARP table. For some reason, once we swapped the devices from 2020>3020  our ARP table is seen as incomplete but services are working fine withing on that particular external subnet (before they did but we use gratuitous arp) . Also the time out of the "incomplete" entries pretty much a second ( ttl =1):

 

ARP entries_hidden.PNG

 

Cheers,

Myky

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
santonic
L6 Presenter
In response to TranceforLife

‎11-24-2016 12:23 AM

Ahh, those are IPs used for DNAT on PA?

PA doesn't need those in its table. But he replies to other devices with its MAC address for them. So if you look ARP tables on surrounding devices you will see entries for those IPs with PA mac address.

 

Why are they in the PA table and displayed as incomplete I don't know.

 

 

View solution in original post

4 REPLIES 4

Go to solution
santonic
L6 Presenter

‎11-23-2016 11:21 PM

Incomplete means that PA didn't get ARP reply to his ARP query.

Or in other words there are no devices with those IPs in the network configured on this interface.

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to santonic

‎11-24-2016 12:08 AM - edited ‎11-24-2016 12:09 AM

Hi,

 

Thanks! l cannot understand how then it is working:

 

ARP.PNG

Let's say on .77 IP we got web server hosted on premise where 1x1 NAT is configured for outside host when they hitting .77

So essentially for half of these IPs 1x1 NAT is in place .126 is a default gateway where .122 is a test PC.

Another thing when l send a gratuitous ARP how the Palo decides to which host to send. Why l don't see other IP, as we got /26 for outside? Palo must know that these are alive 

0 Likes Likes

Go to solution
santonic
L6 Presenter
In response to TranceforLife

‎11-24-2016 12:23 AM

Ahh, those are IPs used for DNAT on PA?

PA doesn't need those in its table. But he replies to other devices with its MAC address for them. So if you look ARP tables on surrounding devices you will see entries for those IPs with PA mac address.

 

Why are they in the PA table and displayed as incomplete I don't know.

 

 

Go to solution
TranceforLife
L6 Presenter
In response to santonic

‎11-24-2016 06:27 AM - edited ‎11-24-2016 09:17 AM

Hi,

 

This is the very good point! So if the DNAT configured for the 86.xx.xx.72, 86.xx.xx.77 etc PA will reply for the ARP request. 

That is why when we changed a PA to the new one, old ARP cache ( old PA MAC address) still was present  in ARP table of external DG withing the same subnet, hence no services we available as DG had wrong MAC for these IPs. Will confirm ARP table on the test PC and let you know.

 

Cheers,

Myky

 

0 Likes Likes
  • 1 accepted solution
  • 11841 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks