Showing results for 
Search instead for 
Did you mean: 

Who rated this post

Azure Palo Alto - ARP Not Found

L1 Bithead



Im having a problem with my PA deployment in Azure where i get ARP Not Found counters increase. I can normally resolve the issue by manually adding an ARP entry to the interface with the MAC of `12:34:56:78:9a:bc` but its really not a solution, rather a workaround.


arch (2).png

The architecture is similar to the above. My Azure PointToSite Gateway gives has a client pool of
I can peer the spoke network and setup the routing no problem, however unless i explicitly add the spoke VM IP address ( to the ARP table for ethernet1/2, the traffic wont get there.



From a linux VM connected to the Gateway, i get allocated From this VM i can SSH into the spoke machine at via the PA. Only once ive added the 12:34:56:78:9a:bc ARP entry to ethernet1/2 and only once ive added my client address mac 12:34:56:78:9a:bc to ethernet1/3. Otherwise the respective interfaces No ARP counters increase when i run `show interface ethernet1/x'.




This is just a development environment (for now) so ive disabled most NSGs. Ive set my security policy to allow everything.

Why does my connection not work unless i add in the ARP manually? This isnt going to be feasible long term, I cant add an ARP entry for every endpoint in every spoke.


My entire infrastructure is deployed via Terraform.

Looking at this (unresolved) post, it seems that im not the only person having problems -


Also there somebody else was having ARP problems with Azure, but they answered their own question and it didnt really help.

I dont think the problem is related to my VPN. There is another situation where No ARP appears.

I tried setting up the untrusted subnet access as per

I created an Azure Public IP, added it to the untrusted NIC. I added the private and public (secondary) IPs to the ethernet1/1 configuration. I then setup a NAT rule to translate the traffic to that public IP address.



I have routes on spoke to send all traffic to the PA. On the PA i have a static route which sends traffic to ethernet1/1 by default ( From the spoke VM if i ping, i see No Arp counts increating on the ethernet1/1 interface. The NAT rule is getting hit by the looks of it. Its one thing to add a manual ARP entry to the Azure fabric MAC for Azure resources, but i cant manually do that for public internet resources.


Here is the dashboard to show what verison of the PA i am using:




These are the VM Series config values:


vm_size = "Standard_D3_v2"
sku = "bundle2"
publisher = "paloaltonetworks"
product = "vmseries1"


Deployed in the UK South region.


PANOS Version seems to be 9.1.0



When i run, `show interface all`, all of the interfaces have MAC addresses assigned. They are not the standard `12:34:56:78:9a:bc` address.



Im new to PaloAlto, so im hoping there is something simple im missing here. Im finding it a bit tricky as i thought Azure was meant to handle the layer two stuff.


Who rated this post