One of our Application Support Teams was trying to move from using servers behind an ACE to servers behind a NetScaler last night... as part of the ensuing situation I was asked to check and, if necessary, clear the ARP Table on the PANs (PA-5060s running 5.0.8 in HA Failover)...
So, I hopped on the active PAN and did a 'show arp all' and got these results:
ae2.109 w.x.y.z 00:0b:fc:fe:1b:02 ae2 c 756 (results somewhat redacted)
I asked and was told the ARP Table should be showing a MAC address of 'x:y:z:d:b:4f:77' (don't remember all the values :S)
I was asked to clear the ARP Table to see if that would clear things up and get to what they needed.
'Clear all arp' was issued... but the value didn't change...
I found Bug #54000 (see below) in 5.0.9's release notes... but this isn't quite the situation....
• 54000—The ARP entries associated with a Layer 2 interface that is a part of a Layer 3 VLAN interface were not cleared from the ARP table when the Layer 2 interface went down.
Anyone encountered this type of thing before?
This does sound like a bug.
You could also try to clear the arp by interface instead of globally.
clear arp ethernet1/1
Thanks for the help and the suggestion... I had actually started by clearing only a specific interface for fear of what might break (in the infrastructure, not the PANs :) ) with the clear arp all command.
I will call Tech Support for guidance/help
Also this is kind of a "side solution" to your main problem, but if the ACEs can send a gratuitous ARP out when the failover happens the PAN firewalls should honor that gratuitous ARP and immediately update their tables. In theory.