Causing change in ARP Table Entry (PAN-OS 5.0.8)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Causing change in ARP Table Entry (PAN-OS 5.0.8)

L3 Networker

Hello Everyone,

   One of our Application Support Teams were trying to move from using servers being an ACE to servers behind a NetScaler last night... as part of the ensuing situation I was asked to check and if necessary clear the ARP Table on the PANs (PA-5060's running 5.0.8 in HA Failover)...

   So, I hop on the active PAN and do a 'show arp all' and got these results
ae2.109           w.x.y.z  00:0b:fc:fe:1b:02 ae2            c      756  (results somewhat redacted)

   I asked and was told the ARP Table should be showing a MAC address of 'x:y:z:d:b:4f:77' (don't remember all the values :S)

   I was asked to clear the ARP Table to see if that would clear things up and get to what they needed.

   'Clear all arp' was issued... but the value didn't change...

   I found Bug #54000 (see below) in 5.0.9's release notes... but this isn't quite the situation....

               • 54000—The ARP entries associated with a Layer 2 interface that is a part of a Layer 3

                    VLAN interface were not cleared from the ARP table when the Layer 2 interface went  down.

    Anyone encountered this type of thing before?

Thanks

Art

3 REPLIES 3

L7 Applicator

This does sound like a bug.

You could also try to clear the arp by interface instead of globally.

clear arp ethernet1/1

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks for the help and the suggestion... I had actually started by clearing only a specific interface for fear of what might break (in the  infrastructure not the PANs Smiley Happy) with the clear arp all command.

I will call Tech Support for guidance/help

thanks

Art

Also this is kind of a "side solution" to your main problem, but if the ACEs can send a gratuitous ARP out when the failover happens the PAN firewalls should honor that gratuitous ARP and immediately update their tables. In theory.

  • 3039 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!