Firewall is Dropping Packets from LAN for No ARP
36181
Created On 02/08/19 00:36 AM - Last Modified 09/28/20 19:30 PM
Symptom
- The firewall is dropping packets from the LAN/Trust zone going out to the internet.
- Packets are being dropped for "No ARP"; the global counter reports the drop reason:
  flow_fwd_l3_noarp 7 0 drop flow forward Packets dropped: no ARP
- The ARP table shows incomplete entries. Ex:
> show arp all

maximum of entries supported :     2500
default timeout:                   1800 seconds
total ARP entries in table :       1
total ARP entries shown :          1
status: s - static, c - complete, e - expiring, i - incomplete

interface        ip address      hw address      port          status  ttl
--------------------------------------------------------------------------------
ethernet1/4      10.108.121.1    (incomplete)    ethernet1/4   i       1
Environment
- PA-820
- Any OS Version
- NAT configured (Source and Destination) correctly
Cause
- The client has its gateway configured/pointed to a switch (or another device) instead of the firewall's LAN interface.
- This causes the switch to forward the client's packets to the firewall, but not the ARP packets that the client sends out.
- Thus the firewall is unable to get ARP for the client's IP and gets incomplete entries in its ARP table.
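To triage this symptom against this cause, the following added example (not from the article or from Palo Alto Networks) parses a "show arp all" dump and the flow_fwd_l3_noarp counter line and lists the hosts whose ARP entry is incomplete while no-ARP drops are being counted; those are the clients whose default gateway should be checked first. The sample output and counter line are constructed to match the layout quoted above.

```python
import re
from collections import namedtuple

# Constructed sample of PAN-OS "show arp all" output, laid out like the
# article's example; "i" in the status column marks an incomplete entry.
SAMPLE_SHOW_ARP = """\
maximum of entries supported :     2500
total ARP entries in table :       3
total ARP entries shown :          3
status: s - static, c - complete, e - expiring, i - incomplete
interface       ip address      hw address          port         status  ttl
--------------------------------------------------------------------------------
ethernet1/4     10.108.121.1    (incomplete)        ethernet1/4  i       1
ethernet1/4     10.108.121.50   00:50:56:aa:bb:cc   ethernet1/4  c       1790
ethernet1/1     203.0.113.1     00:11:22:33:44:55   ethernet1/1  c       1654
"""
# Constructed counter line in the format quoted in the Symptom section.
SAMPLE_COUNTER = "flow_fwd_l3_noarp 7 0 drop flow forward Packets dropped: no ARP"

ArpEntry = namedtuple("ArpEntry", "interface ip hw port status ttl")

# One table row: interface, dotted IPv4, hw address, port, status code, ttl.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<hw>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<status>[scei])\s+(?P<ttl>\d+)$"
)

def parse_show_arp(text):
    # Only lines matching the row layout are kept; banner and header are skipped.
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(ArpEntry(m["iface"], m["ip"], m["hw"], m["port"],
                                 m["status"], int(m["ttl"])))
    return rows

def noarp_drop_count(counter_line):
    # Value column of the flow_fwd_l3_noarp counter; None if the line is another counter.
    parts = counter_line.split()
    if len(parts) >= 2 and parts[0] == "flow_fwd_l3_noarp" and parts[1].isdigit():
        return int(parts[1])
    return None

def suspect_clients(arp_text, counter_line):
    # (interface, ip) pairs with an incomplete ARP entry while no-ARP drops are counted.
    if not noarp_drop_count(counter_line):
        return []
    return [(e.interface, e.ip) for e in parse_show_arp(arp_text) if e.status == "i"]
```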
Resolution
Make sure that the client's gateway configuration points to the firewall's LAN interface.
- Open a command prompt / terminal on the client.
- Run ipconfig (Windows) or ifconfig (Mac).
- Check the gateway IP.
- If the IP listed is a switch or a device other than the firewall's LAN interface, change it to the firewall's LAN interface IP.
Additional Information
An improperly configured NAT policy is usually the cause of issues like this.
Please refer to this document for that case:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla2CAC