Azure No Arp

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure No Arp

L5 Sessionator

Hey All,

 

I'm coming across a weird issue here.

 

We have two subents in Azure. Let's call them Subnet1 and Subnet2

 

Subnet1 has a UDR to point traffic to the internal interface of the firewall.

 

This works, we see the traffic come into the firewall. We don't see any return traffic from the server in subnet 2. There is a static route pointing to the azure fabric .1 address.

 

When I do a flow basic, the firewall is unable to send the traffic to the gateway (azure .1 address) because there is no ARP.

 

Route found, interface ethernet1/2, zone 2, nexthop 10.38.225.1

Resolve ARP for IP 10.38.225.1 on interface ethernet1/2

ARP pending

Packet dropped, no ARP

 

HELP!

1 accepted solution

Accepted Solutions

Found out the issue.. the static routes on the firewall were pointing to each .1 address of the subnet rather than the .1 address of the address range assigned to the VNET

View solution in original post

10 REPLIES 10

L4 Transporter

Do you have a corresponding route in subnet 2 pointing to the firewall for subnet 1?  If you do not, azure will assymetrically return the traffic directly to the server rather than return routing through the firewall due to the VNET route.

Hi @jmeurer 

 

Thanks for your input. Yes the UDR for subent 2 is there.

 

Any other ideas?

 

Thanks,

Luke.

I assume the firewall has corresponding routes for both subnets pointing to the first IP of the internal subnet the firewall is attached two.

 

Also, check to ensure the interface has IP Forwarding enabled on the azure side.  If you do need to change this setting.  Reboot the firewall.  I have seen it not apply until after reboot.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#enable-or-d...

 

From there, double check your NSGs.

 

Since this intrazone traffic, it should be allowed, but you may not be logging it due to the inherent rule.  Override logging on intrazone, it may give you some further information in the Monitor.

Hey @jmeurer 

 

Firewall routes exist and are correct.

 

IP forwarding enabled on all interfaces. I've also rebooted the firewall.

 

nSGs are all allowed.

 

I've done logging on the policies but just show "bytes received: 0"

 

I've tried with a NAT rule to source NAT and not, makes no difference.

You have hit all of the usual culprits.  Time to get a TAC case open.

Is Subnet 2 a gateway subnet?

Hey @dmaynard 

 

Nope! It's not a gateway subnet.

Found out the issue.. the static routes on the firewall were pointing to each .1 address of the subnet rather than the .1 address of the address range assigned to the VNET

Can you elaborate little bit ?  you are saying you pointed static route on Palo Alto to VNET  .1 IP ? and not first IP in subnet of interface of firewall for example eth2 ?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

Hello,

 

I had the same problem and managed to get it sorted. I orignally was this accepted answer but didnt really understand it.

Take a look at my post and it might clear things up.
https://live.paloaltonetworks.com/t5/general-topics/azure-palo-alto-arp-not-found/m-p/336411/thread-...

 

Thanks

  • 1 accepted solution
  • 15354 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!