ARP addresses shown as incomplete on interface configured as egress for Policy Based Forwarding
7345
Created On 12/31/21 03:47 AM - Last Modified 11/10/23 03:17 AM
Symptom
- ARP shown as incomplete on interface configured as egress for PBF.
- The IP addresses of these "ARP" entries do not belong to the local subnet of the interface.
- Example: Ethernet 1/1 has IP address of 10.129.72.120/24.
- The ARP entries shown as incomplete on this interface belong to external DNS addresses (8.8.8.8), which are not on that subnet.
- Interface ethernet 1/1 is configured as "egress" interface for a PBF rule.
admin@paloalto-FW> show interface all

name                    id    vsys zone             forwarding               tag    address
----------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1             16    1    L3-Untrust       vr:default               0      10.129.72.120/24
ethernet1/3             18    1    L3-Trust         vr:default               0      192.168.120.1/24
dedicated-ha1           5     0    ha                                        0      N/A
dedicated-ha2           6     0    ha                                        0      N/A

admin@paloalto-FW> show arp ethernet1/1

maximum of entries supported :     32000
default timeout:                   1800 seconds
total ARP entries in table :       6
total ARP entries shown :          6
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status ttl
--------------------------------------------------------------------------------
ethernet1/1       8.8.4.4         (incomplete)      ethernet1/1       i      1
ethernet1/1       8.8.8.8         (incomplete)      ethernet1/1       i      1
ethernet1/1       10.129.72.1     b4:0c:25:e8:c0:12 ethernet1/1       c      1786
- In the global counters (show counter global filter packet-filter yes delta yes), packets are dropped with the counter flow_fwd_l3_noarp incrementing.
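The symptom above can be checked without eyeballing the tables: an incomplete ARP entry whose IP address falls outside the interface's own subnet is the signature of this misconfiguration. The following is an added example, not part of the original article or of any Palo Alto Networks tool; it parses the text of "show interface all" and "show arp <interface>" (sample output constructed from the symptom section) and reports such entries. The column layout assumed here is the one shown above; it is not a stable API.

```python
import ipaddress

# Sample CLI output, constructed from the symptom section of this article.
SHOW_INTERFACE = """\
name                    id    vsys zone             forwarding               tag    address
----------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1             16    1    L3-Untrust       vr:default               0      10.129.72.120/24
ethernet1/3             18    1    L3-Trust         vr:default               0      192.168.120.1/24
dedicated-ha1           5     0    ha                                        0      N/A
dedicated-ha2           6     0    ha                                        0      N/A
"""

SHOW_ARP = """\
maximum of entries supported :     32000
default timeout:                   1800 seconds
total ARP entries in table :       6
total ARP entries shown :          6
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status ttl
--------------------------------------------------------------------------------
ethernet1/1       8.8.4.4         (incomplete)      ethernet1/1       i      1
ethernet1/1       8.8.8.8         (incomplete)      ethernet1/1       i      1
ethernet1/1       10.129.72.1     b4:0c:25:e8:c0:12 ethernet1/1       c      1786
"""


def parse_interface_subnets(text):
    """Map interface name -> IPv4 network, from 'show interface all' output.

    Interfaces without an L3 address (e.g. HA links showing 'N/A') are skipped.
    """
    subnets = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "name" or fields[0].startswith("-"):
            continue  # blank, header or separator line
        try:
            subnets[fields[0]] = ipaddress.ip_interface(fields[-1]).network
        except ValueError:
            continue  # last column is 'N/A' or otherwise not an address
    return subnets


def parse_arp(text):
    """Return (interface, ip, status) tuples from 'show arp' output.

    The preamble lines (counters, legend) are skipped because their second
    field does not parse as an IP address.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        # columns: interface, ip address, hw address, port, status, ttl
        entries.append((fields[0], ip, fields[4]))
    return entries


def find_offending_entries(subnets, arp_entries):
    """Return incomplete ARP entries whose IP is outside the interface's subnet.

    These are the entries a PBF rule with an empty next hop produces: the
    firewall ARPs for the packet's destination directly on the egress
    interface, which can never be answered for off-subnet destinations.
    """
    suspects = []
    for iface, ip, status in arp_entries:
        net = subnets.get(iface)
        if status == "i" and net is not None and ip not in net:
            suspects.append((iface, str(ip)))
    return suspects


def check_sample():
    """Run the check over the constructed sample output."""
    subnets = parse_interface_subnets(SHOW_INTERFACE)
    return find_offending_entries(subnets, parse_arp(SHOW_ARP))


if __name__ == "__main__":
    for iface, ip in check_sample():
        print(f"{iface}: incomplete ARP for off-subnet address {ip} "
              f"(check PBF rules using {iface} as egress for an empty next hop)")
```

Run against the sample it prints both 8.8.x.x entries and stays silent for 10.129.72.1, which is on the interface's /24 and complete. Feeding it the real output of the two commands (copied from the CLI, or collected via the management API) gives the same triage in one step.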
Environment
- Palo Alto Firewalls
- PAN-OS 9.1 and above
- Policy Based Forwarding (PBF)
Cause
- The PBF rule is configured with an empty next hop. Without a next hop, the firewall treats the packet's destination as directly reachable on the egress interface and tries to resolve it with ARP, which never completes for an off-subnet address such as 8.8.8.8.
GUI: Policies > Policy Based Forwarding > (select the PBF rule)
Resolution
- Configure PBF rule with a proper next hop.
- Commit the changes.
GUI: Policies > Policy Based Forwarding > (select the PBF rule)