AWS virtual firewall cannot get ARP and remote MAC address is incomplete
Created On 06/13/24 07:08 AM - Last Modified 06/13/24 07:40 AM
Symptom
This may happen in case of deploying a brand new firewall or in case of restoring a backup.
The AWS VM-Series firewall is configured with a static IP address and it cannot reach its default gateway.
The AWS VM-Series firewall CLI shows the remote device MAC address as 'incomplete':

> show arp all

maximum of entries supported :     2500
default timeout:                   1800 seconds
total ARP entries in table :          1
total ARP entries shown :             1
status: s - static, c - complete, e - expiring, i - incomplete

interface     ip address      hw address     port          status  ttl
--------------------------------------------------------------------------------
ethernet1/1   10.97.8.1       (incomplete)   ethernet1/1   i       1
Environment
- AWS
- VM-Series
Cause
The interface configuration on the AWS console is not correct: the ENI's device (card) ID does not match the PAN-OS ethernet port number, so the IP address the firewall uses on that port is not the one AWS assigned to the attached ENI, and ARP for the gateway never completes.
Resolution
Make sure the static IP address configuration on the AWS portal is correct for each dataplane interface.
For example, if the static IP address is configured on ethernet1/2 in PAN-OS, then the AWS portal should show that same IP address on the ENI attached with Device Card ID 2. Each ethernet1/N port in PAN-OS must correspond to the ENI attached at device index N.
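As an added consistency check (example code, not from this article or from Palo Alto Networks), the following Python script applies the mapping described above, ethernet1/N to the ENI at device index N, to a constructed PAN-OS interface list and a constructed sample shaped like the output of `aws ec2 describe-network-interfaces`, and reports each interface whose IP address sits on an ENI with the wrong device index.

```python
"""Cross-check PAN-OS dataplane interface IPs against AWS ENI device indexes.

Added example, not from the KB article. Assumes the article's mapping:
ethernet1/N in PAN-OS corresponds to the ENI attached at device index N
(index 0 is the management ENI and is not a dataplane port).
"""
import ipaddress
import re

# Constructed sample: what the operator configured in PAN-OS.
PANOS_INTERFACES = {
    "ethernet1/1": "10.97.8.10/24",
    "ethernet1/2": "10.97.9.10/24",
}

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output
# for one instance. The two dataplane ENIs are attached at swapped device
# indexes, which is the misconfiguration that leaves the ARP entry incomplete.
ENI_RESPONSE = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0000000000000aaaa", "Attachment": {"DeviceIndex": 0},
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.97.0.10", "Primary": True}]},
        {"NetworkInterfaceId": "eni-0000000000000bbbb", "Attachment": {"DeviceIndex": 1},
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.97.9.10", "Primary": True}]},
        {"NetworkInterfaceId": "eni-0000000000000cccc", "Attachment": {"DeviceIndex": 2},
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.97.8.10", "Primary": True}]},
    ]
}

def eni_ips_by_device_index(response):
    """Map each ENI's device index to the set of private IPs AWS assigned to it."""
    return {eni["Attachment"]["DeviceIndex"]:
            {a["PrivateIpAddress"] for a in eni["PrivateIpAddresses"]}
            for eni in response["NetworkInterfaces"]}

def check_eni_mapping(panos_ifaces, response):
    """Return one problem string per PAN-OS interface whose IP is not on the ENI
    at the matching device index; an empty list means the mapping is consistent."""
    by_index = eni_ips_by_device_index(response)
    problems = []
    for name, cidr in panos_ifaces.items():
        m = re.fullmatch(r"ethernet1/(\d+)", name)
        if not m:
            continue  # only dataplane ethernet1/N ports map to ENIs this way
        idx = int(m.group(1))
        ip = str(ipaddress.ip_interface(cidr).ip)
        if idx not in by_index:
            problems.append(f"{name}: no ENI attached at device index {idx}")
        elif ip not in by_index[idx]:
            where = [i for i, ips in by_index.items() if ip in ips]
            problems.append(f"{name}: {ip} is not on device index {idx}"
                            + (f" (found on index {where[0]})" if where else " (not on any ENI)"))
    return problems

if __name__ == "__main__":
    for line in check_eni_mapping(PANOS_INTERFACES, ENI_RESPONSE) or ["ENI mapping is consistent"]:
        print(line)
```

Run it against the real `describe-network-interfaces` JSON for the instance and the firewall's `show interface all` output to confirm the fix before re-checking `show arp all`.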
Additional Information
Admin Guide About deploying the VM-Series and configuring the ENI in AWS
Other reasons for MAC address incomplete