ARP entry shows as (incomplete) on self configured interface.
1263
Created On 04/15/25 18:48 PM - Last Modified 01/08/26 17:57 PM
Symptom
- The local IP of the interface is checked for ARP.
- This ARP entry shows incomplete.
- Global Counter display ARP being dropped due to no ARP
flow_fwd_l3_noarp 42 1 drop flow forward Packets dropped: no ARP
- On the bellow output we can see ARP entry for interface configured on the firewall is not getting self resolved:
admin@fw-ha1(active)> show interface ethernet1/1 | match IP address
Interface IP address: 192.168.77.1/30
admin@fw-ha1(active)> show arp ethernet1/1
maximum of entries supported : 2500
default timeout: 1800 seconds
total ARP entries in table : 1
total ARP entries shown : 1
status: s - static, c - complete, e - expiring, i - incomplete
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/1 192.168.77.1 (incomplete) ethernet1/1 i 1 Environment
- Palo Alto Networks Firewalls.
- Supported PAN-OS.
- ARP.
- Static Routing.
Cause
- Misconfigured Static Route.
- The firewall has a next hop configured as the interface IP instead of the correct next-hop.
admin@fw-ha1(active)> show interface ethernet1/1 | match IP
Interface IP address: 192.168.77.1/30admin@fw-ha1(active)> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 192.168.77.1 10 A S ethernet1/1
Resolution
Configure the static route to point to the correct next hop.
Additional Information
Incomplete ARP Entry or Firewall Responds to Every ARP Request on the Network