05-31-2019 09:59 AM
We have two F5 devices configured as active standby behind PA. The issue is on failover F5 failover ARP table on the PA is not updated quickly enough for smooth transition. Is there a way to mitigate this problem and increase ARP update time for that interface only.
05-31-2019 01:13 PM
From the CLI you can set the ARP cache timeout by issueing the command set system setting arp-cache-timeout <value> with the minimum being 60 seconds and the maximum being 65535 seconds. This of course is system wide and can't be adjusted for just one interface.
If you could script something to trigger when your F5 device logs a failover event, in a Slunk for example, you could utilize the API to clear the arp on the interface by issuing the clear arp <interface> command via the API. /api/?type=op&cmd=<clear><arp>interface</arp</clear>
05-31-2019 01:32 PM
We have the same setup (using default arp cache timeouts) and we do not see this issue. everything fails over smoothly
p.s. to see your current arp cache timeout use: show arp all
it appears there is a bug with show system setting arp-cache-timeout (valid command seen here: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/networking-features/arp-cache-timeo...) because when I try that one I get an error but show arp all gives me the info
05-31-2019 02:58 PM
@hshawn Do you use mac masquerading on F5
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
