ARP (incomplete) with system log "Received conflicting ARP on interface ethernet1/1 indicating duplicate IP"

29488
Created On 06/21/22 09:16 AM - Last Modified 10/06/22 22:08 PM


Symptom


  • A source NAT rule is configured whose translated source address is a subnet that overlaps the egress/destination interface's subnet.
For example:
The firewall interface is ethernet1/1, with IP 10.129.72.126/24.

[Image: EThernet1_1.PNG]
  • There is a source NAT rule that translates the source to the 10.0.0.0/8 subnet, which overlaps the IP subnet on ethernet1/1.
[Image: IncorrectNAT.PNG]
  • Pinging the next hop 10.129.72.130 shows 100% packet loss.
admin@Lab70-126-PA-5280> ping source 10.129.72.126 host 10.129.72.130
PING 10.129.72.130 (10.129.72.130) from 10.129.72.126 : 56(84) bytes of data.
^C
--- 10.129.72.130 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
  • Running show arp all shows the ARP entry for the next hop as incomplete.
admin@Lab70-126-PA-5280> show arp all

maximum of entries supported :      128000
default timeout:                    1800 seconds
total ARP entries in table :        1
total ARP entries shown :           1
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/1       10.129.72.130   (incomplete)      ethernet1/1         i      1
  • System logs show:
2022/06/21 01:24:10 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:24:00 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:50 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:25 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:15 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
  • Packet diagnostics (pan_packet_diag with log feature flow arp enabled) show that another host is using the IP address the firewall is claiming through the NAT rule.
In response, the firewall broadcasts a gratuitous ARP announcing that 10.129.72.130 is at the firewall's own MAC address.
Received ARP packet from port ethernet1/1
Packet decoded dump:
L2:     00:50:56:9b:ab:6d->94:56:41:37:d4:40, type 0x0806
ARP:    hardware type 0x0001
        protocol type 0x0800
        hardware size 6
        protocol size 4
        opcode REPLY
        sender mac address 00:50:56:9b:ab:6d
        sender ip address 10.129.72.130
        target mac address 94:56:41:37:d4:40
        target ip address 10.129.72.126
ARP packet sent from translated IP 10.129.72.130 in NAT rule index 0 in vsys 1
MAC not of own box00:50:56:9b:ab:6d
Received conflicting ARP on interface ethernet1/1,indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
Broadcast ARP announcement packet on interface 64
Packet decoded dump:
L2:     94:56:41:37:d4:40->ff:ff:ff:ff:ff:ff, type 0x0806
ARP:    hardware type 0x0001
        protocol type 0x0800
        hardware size 6
        protocol size 4
        opcode REPLY
        sender mac address 94:56:41:37:d4:40
        sender ip address 10.129.72.130
        target mac address 94:56:41:37:d4:40
        target ip address 10.129.72.130
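As an added example that is not part of the original article, the following Python script parses system log lines of the kind shown above and reports persistent "Received conflicting ARP" events per interface, duplicate IP and sender MAC, noting whether the sender MAC is one of the firewall's own. The sample log text is constructed from the lines quoted in this article, the firewall MAC 94:56:41:37:d4:40 is taken from the packet dump above, and the threshold of three events is an assumption chosen to separate a sustained conflict from a one-off.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the system log lines quoted in this article plus one
# unrelated line, to show that non-matching entries are ignored.
SAMPLE_LOG = """\
2022/06/21 01:24:10 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:24:00 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:50 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:25 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:15 info     general        general 0  Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 10.129.72.130, sender mac 00:50:56:9b:ab:6d
2022/06/21 01:23:00 info     general        general 0  Some unrelated system event
"""

# The firewall's own interface MAC, from the packet-diag dump in the article.
# A conflict whose sender is one of our own MACs would be a different problem.
OWN_MACS = {"94:56:41:37:d4:40"}

# Timestamp, then four free-form fields (severity, subtype, event, sequence),
# then the message. The interface may or may not be followed by a comma.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+\S+\s+\d+\s+"
    r"Received conflicting ARP on interface (?P<iface>[^\s,]+),?\s*"
    r"indicating duplicate IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s*"
    r"sender mac (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*$"
)


def parse_conflicts(log_text):
    """Return one dict per 'Received conflicting ARP' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "iface": m["iface"],
            "ip": m["ip"],
            "mac": m["mac"].lower(),
        })
    return events


def summarize_conflicts(events, own_macs=OWN_MACS, min_count=3):
    """Group conflicts by (interface, IP, sender MAC) and keep the persistent ones.

    A single conflicting ARP can be transient (a host moving ports); a stream of
    them every ~10 s for the same IP from a foreign MAC is the pattern this
    article describes, so only groups with at least min_count events are reported.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["iface"], e["ip"], e["mac"])].append(e["time"])
    findings = []
    for (iface, ip, mac), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        findings.append({
            "iface": iface,
            "ip": ip,
            "sender_mac": mac,
            "count": len(times),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "sender_is_own_mac": mac in own_macs,
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_conflicts(parse_conflicts(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the script reports one finding: five conflicts for 10.129.72.130 on ethernet1/1 over 55 seconds from 00:50:56:9b:ab:6d, which is not the firewall's MAC, matching the "MAC not of own box" line in the packet-diag output. Feeding it a real export of the system log lets you see at a glance which interface and address pair is in conflict and how long it has been going on.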

 


Environment


  • Palo Alto Networks firewall configured with a source NAT rule whose translated source address overlaps the egress/destination interface subnet.


Cause


  • The firewall performs proxy ARP for the translated source subnet, so it responds to any ARP request for an IP in that subnet; when the subnet covers the egress interface's network, that includes the next hop's address (10.129.72.130 in this case).


Resolution


  • Fix the source NAT rule with the correct translated IP and subnet.
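The overlap behind this article can be checked before a rule is committed. The following Python script is an added example, not part of this article or of PAN-OS: it takes the interface address and next hop quoted above, computes which addresses on the segment the firewall would proxy-ARP for given a translated source pool, and flags a pool that contains the next hop. The pools 10.129.72.200/29 and 203.0.113.0/29 are hypothetical alternatives included only for comparison with the 10.0.0.0/8 pool from the article.

```python
import ipaddress

# Values from the article: the egress interface address and the next hop it could not reach.
INTERFACE_ADDR = ipaddress.ip_interface("10.129.72.126/24")
NEXT_HOP = ipaddress.ip_address("10.129.72.130")


def proxy_arp_range(pool, subnet):
    """Return the part of `subnet` the firewall will answer ARP for on behalf of
    `pool`: the smaller network when one contains the other, else None."""
    if pool.subnet_of(subnet):
        return pool
    if subnet.subnet_of(pool):
        return subnet
    return None  # disjoint networks: no proxy ARP on this interface


def assess_snat_pool(pool_cidr, iface=INTERFACE_ADDR, next_hop=NEXT_HOP):
    """Classify a translated source pool against the egress interface it will use."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    subnet = iface.network
    claimed = proxy_arp_range(pool, subnet)
    claims_next_hop = claimed is not None and next_hop in claimed
    if claims_next_hop:
        # Exactly the article's failure: the firewall answers ARP for the gateway,
        # the real gateway replies too, and the ARP entry never completes.
        verdict = "misconfigured: firewall will proxy-ARP for the next hop"
    elif claimed is None:
        verdict = "no proxy ARP on this interface; upstream must route the pool here"
    else:
        verdict = "ok only if the claimed addresses are unused by other hosts"
    return {
        "pool": str(pool),
        "overlaps_interface_subnet": pool.overlaps(subnet),
        "proxy_arp_addresses": claimed.num_addresses if claimed else 0,
        "claims_next_hop": claims_next_hop,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "10.129.72.200/29", "203.0.113.0/29"):
        print(assess_snat_pool(cidr))
```

For the article's 10.0.0.0/8 pool the script reports that the firewall would claim all 256 addresses of 10.129.72.0/24, the next hop among them. A small pool inside the interface subnet is only safe if those addresses are genuinely free on the segment, and a pool outside the subnet produces no proxy ARP on this interface at all, so the upstream router must have a route for it pointing at the firewall.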


Additional Information


  • For more information on proxy ARP: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools


Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Cq7dCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail