This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Eve-NG Palo Alto VM ARP Issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Eve-NG Palo Alto VM ARP Issue

f.kuecuek
L1 Bithead

‎04-20-2024 02:28 PM

Does anybody encounter arp problems in eve-ng on palo firewall with pan-os 11 version ?  As an example, i have a small topology like clientA->routerA-> firewall<-routerB<-clientB , when i try to ping from clientA to clientB, clientA send ARP Request for clientB however firewall does not reply ARP Reqest... (it is not a policy,routing or config issue) i believe something can be wrong with my firewall image. (if clients direcly conneted to firewall without routers then it works)

Has anybody notice such a thing ?

Thanks in advance 

0 Likes Likes
3 REPLIES 3

seb_rupik
L4 Transporter

‎04-22-2024 06:22 AM - edited ‎04-22-2024 06:22 AM

Hi there, 

If the clients are ARP'ing for eachother, are they in the same subnet?

 

It might be useful to share the IP setup of your topology.

 

cheers,

Seb.

0 Likes Likes

f.kuecuek
L1 Bithead
In response to seb_rupik

‎04-22-2024 03:17 PM

fkuecuek_0-1713823926906.png
vpc1 : 192.168.102.10/24  (gateway 192.168.102.1 on router)
eth0/2 : 192.168.102.1/24
eth0/1 : 192.168.101.1/24
firewall eth1/1 : 192.168.101.10/24
firewall eth1/2 : 172.16.1.2/24
vpc2 : 172.16.1.99/24  (gateway 172.16.1.2 on firewall)

From VPC1 and Router i can ping firewall interface eth1/1
From VPC2 i can ping firewall itnerface eth1/2

However from VPC1 i can not ping VPC2, even though there is route for network 192.168.102.0/24 on firewall default virtual router exist. It does not reply ARP Reqest packets comes from Router ( started ping from VPC1)



seb_rupik
L4 Transporter
In response to f.kuecuek

‎04-24-2024 01:36 AM

Hi there,

If VPC1 is ARP'ing for VPC2 it must think it is in the same subnet. A IP stack should be able to look at its own IP configuration and that of the destination and determine via subnet ID and netmask if the destination is in the same subnet (ARP is the correct response here) or if not ARP for the local gateway and have its packet routed via the gateway to the destination.

 

I would double check the netmasks you have configured on the VPC1 side of the network. Also confirm that the IOS router does not have proxy-ARP enabled on its interfaces.

 

cheers,

Seb.

0 Likes Likes
  • 693 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks