Incomplete ARP entry on firewall

Created On 12/02/22 05:29 AM - Last Modified 04/01/26 06:10 AM


Symptom


  • PAN-OS firewall shows incomplete ARP entry for an IP address in its ARP table.


Environment


  • PAN-OS Firewall connected to Layer 3 devices (either directly or indirectly via a Layer 2 switch).


Cause


  • This is due to a NAT misconfiguration on the firewall: the IP address for which the incomplete ARP entry is seen has been configured as the Destination IP Address in one of the firewall's NAT policies.
  • This causes a Layer 2 loop for ARP on the firewall, so the ARP process (ARP request from the firewall to the neighbouring devices and the replies back to the firewall) never completes successfully. In effect, the firewall is being asked to send an ARP request for an IP address that is configured locally on the firewall itself.
  • The packet-diag log below confirms this.

The very last line of the output shows that the firewall is trying to send an ARP for the IP 192.168.0.1.
The same IP has been configured in the Destination IP field of the firewall's NAT policy (the screenshot of the NAT policy is not reproduced here).

  • This configuration is wrong: it causes the ARP process to fail, which ultimately shows up as an INCOMPLETE ARP entry in the firewall's ARP table and causes a ping to 192.168.0.1 from the firewall to fail.

    == 2022-12-02 19:08:55.962 +0800 ==
    Packet received at ingress stage, tag 0, type ORDERED
    Packet info: len 60 port 17 interface 17 vsys 1
      wqe index 59400 packet 0x0xc003b84e40, HA: 0, IC: 0
    Packet decoded dump:
    L2:     00:50:56:9b:cb:b2->00:50:56:9b:03:6e, type 0x0806
    ARP:    hardware type 0x0001
            protocol type 0x0800
            hardware size 6
            protocol size 4
            opcode REQUEST
            sender mac address 00:50:56:9b:cb:b2
            sender ip address 192.168.0.1
            target mac address 00:50:56:9b:03:6e
            target ip address 192.168.0.254
    No flow lookup for packet, continue with forwarding
    Forwarding lookup, ingress interface 17
    L3 mode, router 1
    Enqueue packet to ARP process

    ==
    Received ARP packet from port ethernet1/2
    Packet decoded dump:
    L2:     00:50:56:9b:cb:b2->00:50:56:9b:03:6e, type 0x0806
    ARP:    hardware type 0x0001
            protocol type 0x0800
            hardware size 6
            protocol size 4
            opcode REQUEST
            sender mac address 00:50:56:9b:cb:b2
            sender ip address 192.168.0.1
            target mac address 00:50:56:9b:03:6e
            target ip address 192.168.0.254
    ARP packet sent from translated IP 192.168.0.1 in NAT rule index 0 in vsys 1
    MAC not of own box00:50:56:9b:cb:b2
    Received conflicting ARP on interface ethernet1/2,indicating duplicate IP 192.168.0.1, sender mac 00:50:56:9b:cb:b2
    Broadcast ARP announcement packet on interface 17
    Packet decoded dump:
    L2:     00:50:56:9b:03:6e->ff:ff:ff:ff:ff:ff, type 0x0806
    ARP:    hardware type 0x0001
            protocol type 0x0800
            hardware size 6
            protocol size 4
            opcode REQUEST
            sender mac address 00:50:56:9b:03:6e
            sender ip address 192.168.0.1
            target mac address 00:50:56:9b:03:6e
            target ip address 192.168.0.1
    Transmit packet size 46 on port 17

    ==
    packet after platform encap (TX):
            Packet:   0xe010952f00
    Buffer Pointer:   0xc003b84e40
     Packet Length:   60
        Input Port:   17
               QoS:   0
             Word2:   0x 80e200001100200
               Tag:   0
          Tag type:   1
               Grp:   5
         L2 offset:   0
    00000000: ff ff ff ff ff ff 00 50  56 9b 03 6e 08 06 00 01    .......P V..n....
    00000010: 08 00 06 04 00 01 00 50  56 9b 03 6e c0 a8 00 01    .......P V..n....
    00000020: 00 50 56 9b 03 6e c0 a8  00 01 00 00 00 00 00 00    .PV..n.. ........
    00000030: 00 00 00 00 00 00 00 00  00 00 00 00                ........ ....



    == 2022-12-02 19:08:55.963 +0800 ==
    Packet received at ingress stage, tag 0, type ORDERED
    Packet info: len 60 port 16 interface 16 vsys 1
      wqe index 59399 packet 0x0xc006768400, HA: 0, IC: 0
    Packet decoded dump:
    L2:     00:50:56:9b:03:6e->ff:ff:ff:ff:ff:ff, type 0x0806
    ARP:    hardware type 0x0001
            protocol type 0x0800
            hardware size 6
            protocol size 4
            opcode REQUEST
            sender mac address 00:50:56:9b:03:6e
            sender ip address 192.168.0.1
            target mac address 00:50:56:9b:03:6e
            target ip address 192.168.0.1
    No flow lookup for packet, continue with forwarding
    Forwarding lookup, ingress interface 16
    L3 mode, router 1
    Enqueue packet to ARP process

    ==
    Received ARP packet from port ethernet1/2
    Packet decoded dump:
    L2:     00:50:56:9b:03:6e->ff:ff:ff:ff:ff:ff, type 0x0806
    ARP:    hardware type 0x0001
            protocol type 0x0800
            hardware size 6
            protocol size 4
            opcode REQUEST
            sender mac address 00:50:56:9b:03:6e
            sender ip address 192.168.0.1
            target mac address 00:50:56:9b:03:6e
            target ip address 192.168.0.1
    ARP packet parse complete, learn: no, target myself: no, gratuitous ARP: yes, b_vaddr: no, auto mac detect: yes
    Packet dropped, ARP not for interface ethernet1/2


    == 2022-12-02 19:08:55.963 +0800 ==
    Packet received at ingress stage, tag 0, type ORDERED
    Packet info: len 60 port 16 interface 16 vsys 1
      wqe index 59400 packet 0x0xc003a9df00, HA: 0, IC: 0
    Packet dropped, gratuitous send to self, possible loop? <<<<<<<<<<<<<
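The trace above contains everything needed to recognise this condition without reading every block by hand: the transmitted frame is a gratuitous ARP (sender IP equals target IP), and three text lines name the translated IP, the NAT rule index and the self-loop drop. The following script is an added example, not part of the Palo Alto Networks article or of PAN-OS: it decodes the hex dump as Ethernet II + ARP and scans the log text for those markers. The sample dump and log lines are constructed from the article's output, and the marker patterns are assumed from those lines rather than taken from any PAN-OS documentation.

```python
"""Triage helper for a PAN-OS packet-diag ARP trace (added example)."""
import re
import struct
from dataclasses import dataclass
from typing import Dict

# Constructed sample: the "packet after platform encap (TX)" dump from the article.
SAMPLE_HEXDUMP = """\
00000000: ff ff ff ff ff ff 00 50  56 9b 03 6e 08 06 00 01    .......P V..n....
00000010: 08 00 06 04 00 01 00 50  56 9b 03 6e c0 a8 00 01    .......P V..n....
00000020: 00 50 56 9b 03 6e c0 a8  00 01 00 00 00 00 00 00    .PV..n.. ........
00000030: 00 00 00 00 00 00 00 00  00 00 00 00                ........ ....
"""

# Constructed sample: the log lines from the article that carry the diagnosis.
SAMPLE_LOG = """\
Received ARP packet from port ethernet1/2
ARP packet sent from translated IP 192.168.0.1 in NAT rule index 0 in vsys 1
MAC not of own box00:50:56:9b:cb:b2
Received conflicting ARP on interface ethernet1/2,indicating duplicate IP 192.168.0.1, sender mac 00:50:56:9b:cb:b2
Packet dropped, ARP not for interface ethernet1/2
Packet dropped, gratuitous send to self, possible loop? <<<<<<<<<<<<<
"""

# Marker patterns assumed from the article's own lines, not from PAN-OS documentation.
RE_TRANSLATED = re.compile(r"ARP packet sent from translated IP (\S+) in NAT rule index (\d+) in vsys (\d+)")
RE_CONFLICT = re.compile(r"Received conflicting ARP on interface (\S+?),indicating duplicate IP (\S+), sender mac (\S+)")
RE_SELF_LOOP = re.compile(r"Packet dropped, gratuitous send to self")


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # A sender announcing/probing its own address puts the same IP in both fields.
        return self.sender_ip == self.target_ip


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: xx xx ...   ascii' lines into raw bytes; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        body = line.split(":", 1)[1].strip()
        hex_part = re.split(r"\s{3,}", body)[0]   # 3+ spaces separate hex from ASCII
        out.extend(bytes.fromhex(hex_part.replace(" ", "")))
    return bytes(out)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP (RFC 826)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac(dst), _mac(src), oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def triage(log: str) -> Dict[str, object]:
    """Collect the three markers and decide whether they describe the NAT/ARP self-loop."""
    f: Dict[str, object] = {"translated_ip": None, "nat_rule_index": None,
                            "duplicate_ip": None, "self_loop": False}
    for line in log.splitlines():
        if m := RE_TRANSLATED.search(line):
            f["translated_ip"], f["nat_rule_index"], f["vsys"] = m.group(1), int(m.group(2)), int(m.group(3))
        if m := RE_CONFLICT.search(line):
            f["conflicting_interface"], f["duplicate_ip"], f["conflicting_mac"] = m.groups()
        if RE_SELF_LOOP.search(line):
            f["self_loop"] = True
    # Loop confirmed when the firewall ARPs from a translated IP, sees that same IP as a
    # duplicate, and then drops its own gratuitous ARP.
    f["nat_arp_loop"] = bool(f["self_loop"] and f["translated_ip"] and f["translated_ip"] == f["duplicate_ip"])
    return f


if __name__ == "__main__":
    frame = parse_arp(hexdump_to_bytes(SAMPLE_HEXDUMP))
    print(f"TX frame: opcode={frame.opcode} sender={frame.sender_ip} target={frame.target_ip} gratuitous={frame.is_gratuitous}")
    print(triage(SAMPLE_LOG))
```

Pointing the script at a full `debug dataplane packet-diag` output file works the same way; the `nat_arp_loop` flag is the one to key an alert on, since any one marker alone (a conflicting ARP, for instance) can also come from a genuine duplicate address on the segment.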


Resolution


Alter the NAT policy such that the IP address for which the ARP entry is seen incomplete is not referenced in the NAT policy itself.
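The same collision can be caught before commit by comparing every address a NAT rule references against the addresses configured on the firewall's own interfaces. The check below is an added example, not Palo Alto Networks code: the `Interface` and `NatRule` classes are a simplified stand-in for the real configuration objects, the sample interfaces and rules are constructed, and which NAT fields count as a collision is a policy choice left to the caller (the article names the Destination IP field; the trace names the translated address, so the default checks both).

```python
"""Lint NAT rules for references to the firewall's own interface addresses (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Tuple

IPNetwork = ipaddress._BaseNetwork


@dataclass
class Interface:
    """Simplified stand-in for a Layer 3 interface: name plus its CIDR address."""
    name: str
    address: str        # as configured, e.g. "192.168.0.1/24"


@dataclass
class NatRule:
    """Simplified stand-in for a NAT policy; each field holds address entries."""
    name: str
    destination: List[str] = field(default_factory=list)             # original destination
    translated_destination: List[str] = field(default_factory=list)
    translated_source: List[str] = field(default_factory=list)


def expand(entries: Iterable[str]) -> Iterator[IPNetwork]:
    """Accept single IPs, CIDRs and 'low-high' ranges; yield network objects."""
    for entry in entries:
        if "-" in entry:
            low, high = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
            yield from ipaddress.summarize_address_range(low, high)
        else:
            yield ipaddress.ip_network(entry.strip(), strict=False)


def find_self_referencing_rules(
    interfaces: List[Interface],
    rules: List[NatRule],
    fields: Tuple[str, ...] = ("destination", "translated_destination", "translated_source"),
) -> List[Tuple[str, str, str, str]]:
    """Return (rule, field, entry, interface) for every entry that contains an interface IP."""
    owned = [(ipaddress.ip_interface(i.address).ip, i.name) for i in interfaces]
    hits: List[Tuple[str, str, str, str]] = []
    for rule in rules:
        for fld in fields:
            for entry in getattr(rule, fld):
                for net in expand([entry]):
                    for ip, ifname in owned:
                        if ip in net:   # version mismatch (v4 vs v6) simply yields False
                            hits.append((rule.name, fld, entry, ifname))
    return hits


# Constructed sample: two interfaces and three rules, one of which reproduces the
# article's mistake (the interface IP 192.168.0.1 used as the NAT destination).
SAMPLE_INTERFACES = [Interface("ethernet1/1", "10.0.0.1/24"), Interface("ethernet1/2", "192.168.0.1/24")]
SAMPLE_RULES = [
    NatRule("bad-dnat", destination=["192.168.0.1"], translated_destination=["10.0.0.50"]),
    NatRule("ok-dnat", destination=["203.0.113.10"], translated_destination=["10.0.0.80"]),
    NatRule("bad-snat-pool", translated_source=["192.168.0.0-192.168.0.15"]),
]


def lint_sample() -> List[Tuple[str, str, str, str]]:
    return find_self_referencing_rules(SAMPLE_INTERFACES, SAMPLE_RULES)


if __name__ == "__main__":
    for rule, fld, entry, ifname in lint_sample():
        print(f"NAT rule {rule!r}: {fld} entry {entry} contains the address of {ifname}")
```

The range handling matters because a source NAT pool written as a range can silently include an interface address without ever naming it; `summarize_address_range` turns the range into networks so the containment test stays a plain `in`.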


