Causing change in ARP Table Entry (PAN-OS 5.0.8)


L3 Networker

Hello Everyone,

One of our Application Support Teams was trying to move from using servers behind an ACE to servers behind a NetScaler last night... as part of the ensuing situation I was asked to check and, if necessary, clear the ARP table on the PANs (PA-5060s running 5.0.8 in HA failover)...

So, I hop on the active PAN and run 'show arp all' and get these results (somewhat redacted):

    ae2.109           w.x.y.z  00:0b:fc:fe:1b:02 ae2            c      756

I asked and was told the ARP table should be showing a MAC address of 'x:y:z:d:b:4f:77' (don't remember all the values :S)

I was asked to clear the ARP table to see if that would clear things up and get them what they needed.

'Clear all arp' was issued... but the value didn't change...

I found Bug #54000 (see below) in 5.0.9's release notes... but this isn't quite the situation....

    • 54000—The ARP entries associated with a Layer 2 interface that is a part of a Layer 3 VLAN interface were not cleared from the ARP table when the Layer 2 interface went down.

Anyone encountered this type of thing before?

Thanks

Art

3 REPLIES

L7 Applicator

This does sound like a bug.

You could also try to clear the ARP entries by interface instead of globally:

    clear arp ethernet1/1

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks for the help and the suggestion... I had actually started by clearing only a specific interface for fear of what might break (in the infrastructure, not the PANs :) ) with the clear arp all command.

I will call Tech Support for guidance/help

thanks

Art

Also, this is kind of a "side solution" to your main problem, but if the ACEs can send a gratuitous ARP out when the failover happens, the PAN firewalls should honor that gratuitous ARP and immediately update their tables. In theory.
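The check the original poster did by hand (compare the MAC in 'show arp all' against the MAC the application team expects after a cutover) can be scripted. The following is an added example, not code from the thread or from Palo Alto Networks; the sample table, the header line, the IP addresses and the "expected" MAC are constructed assumptions that mimic the redacted line above.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the redacted 'show arp all' line in the post.
# Header, addresses and the incomplete third entry are assumptions for the demo.
SAMPLE_ARP_OUTPUT = """\
interface         ip address      hw address         port         status  ttl
-----------------------------------------------------------------------------
ae2.109           192.0.2.10      00:0b:fc:fe:1b:02  ae2          c       756
ae2.109           192.0.2.11      00:0b:fc:fe:1b:03  ae2          c       12
ethernet1/1       198.51.100.5    00:00:00:00:00:00  ethernet1/1  i       0
"""

# What the application team says the entry *should* resolve to (hypothetical value).
EXPECTED_MACS = {"192.0.2.10": "00:1b:17:00:01:02"}

# One entry line: interface, IPv4, MAC, egress port, one-letter status, TTL seconds.
ARP_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<port>\S+)\s+"
    r"(?P<status>[a-z])\s+(?P<ttl>\d+)\s*$", re.IGNORECASE)


@dataclass
class ArpEntry:
    iface: str
    ip: str
    mac: str
    port: str
    status: str   # 'c' = complete in the sample; other letters are left as-is
    ttl: int


def parse_arp_table(text):
    """Parse entry lines of 'show arp all' output; header/separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            d = m.groupdict()
            entries.append(ArpEntry(d["iface"], d["ip"], d["mac"].lower(),
                                    d["port"], d["status"].lower(), int(d["ttl"])))
    return entries


def find_stale_entries(entries, expected):
    """Return (ip, observed_mac, expected_mac) for complete entries that disagree with expected."""
    return [(e.ip, e.mac, expected[e.ip].lower()) for e in entries
            if e.status == "c" and e.ip in expected and e.mac != expected[e.ip].lower()]
```

Feed it the real CLI output after a cutover and anything it returns is an entry worth clearing per interface (or waiting on a gratuitous ARP for) before assuming the firewall is the problem.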
