AWS virtual firewall cannot get ARP and remote MAC address is incomplete

Created On 06/13/24 07:08 AM - Last Modified 06/13/24 07:40 AM


Symptom


This can happen when deploying a brand-new firewall or when restoring a backup.
The AWS VM-Series firewall is configured with a static IP address and cannot reach its default gateway.
The AWS VM-Series firewall CLI shows the remote device's MAC address as 'incomplete':

> show arp all
maximum of entries supported :      2500
default timeout:                    1800 seconds
total ARP entries in table :        1
total ARP entries shown :           1
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/1       10.97.8.1    (incomplete)      ethernet1/1         i      1


    Environment


    • AWS
    • VM-Series


    Cause


    The interface configuration in the AWS console is not correct.
    The ENI device card ID does not match the ethernet port ID.


    Resolution


    Make sure the static IP address is configured correctly in the AWS portal.
    For example, if the static IP address is configured on ethernet1/2 in PAN-OS, then the AWS portal should show that same IP address in the ENI configuration with the Device Card ID 2.
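
The comparison described above can be scripted. The following is an added example, not part of the original article or any Palo Alto Networks tooling: the function name `check_eni_mapping` and all sample IDs and addresses are constructed, and it assumes ethernet1/N maps to ENI device index N, as in the ethernet1/2 example.

```python
import ipaddress
import json
import re

# Constructed sample in the shape returned by `aws ec2 describe-network-interfaces
# --filters Name=attachment.instance-id,Values=<instance-id>`. IDs and IPs are made up.
SAMPLE_ENIS = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa", "Attachment": {"DeviceIndex": 0},
   "PrivateIpAddresses": [{"PrivateIpAddress": "10.97.0.10", "Primary": true}]},
  {"NetworkInterfaceId": "eni-0bbb", "Attachment": {"DeviceIndex": 2},
   "PrivateIpAddresses": [{"PrivateIpAddress": "10.97.8.10", "Primary": true}]},
  {"NetworkInterfaceId": "eni-0ccc", "Attachment": {"DeviceIndex": 1},
   "PrivateIpAddresses": [{"PrivateIpAddress": "10.97.9.10", "Primary": true}]}
]}
""")
# Constructed PAN-OS static addressing: interface name -> configured address.
SAMPLE_PANOS = {"ethernet1/1": "10.97.8.10/24", "ethernet1/2": "10.97.9.10/24"}


def check_eni_mapping(panos_ifaces, eni_doc):
    """Return one finding per PAN-OS interface whose ENI mapping is wrong.

    Assumption: ethernet1/N <-> ENI device index N (index 0 is management).
    """
    by_index = {}
    for eni in eni_doc["NetworkInterfaces"]:
        att = eni.get("Attachment")
        if att is None:  # unattached ENIs cannot back a firewall port
            continue
        ips = {p["PrivateIpAddress"] for p in eni.get("PrivateIpAddresses", [])}
        by_index[att["DeviceIndex"]] = (eni["NetworkInterfaceId"], ips)
    findings = []
    for name, cidr in sorted(panos_ifaces.items()):
        index = int(re.fullmatch(r"ethernet1/(\d+)", name).group(1))
        ip = str(ipaddress.ip_interface(cidr).ip)
        eni_id, ips = by_index.get(index, (None, set()))
        if eni_id is None:
            findings.append(f"{name}: no ENI attached at device index {index}")
        elif ip not in ips:
            # Report where the address actually lives, if it is on another ENI.
            other = [f"{e} (device index {i})" for i, (e, s) in by_index.items() if ip in s]
            where = f"; it is on {other[0]}" if other else ""
            findings.append(f"{name}: {ip} not on {eni_id} at device index {index}{where}")
    return findings


if __name__ == "__main__":
    for line in check_eni_mapping(SAMPLE_PANOS, SAMPLE_ENIS):
        print(line)
```

With the constructed data, both dataplane interfaces are reported because their addresses sit on ENIs attached at the swapped device indexes.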


    Additional Information


    Admin Guide About deploying the VM-Series and configuring the ENI in AWS
    Other reasons for MAC address incomplete

