Clear ARP to connect

rbirkeland
Level 1

I have an interesting ARP issue.

We have two Palo Alto firewalls in an HA pair, PAN1 & PAN2. They are connected to two different 3560 switches that are trunked together (PAN1 to SW1 & PAN2 to SW2). One switch is connected (dot1Q) to a 2851 router going to the internal network. The problem is that you can ping PAN2 from anywhere in the network, but you can't PuTTY or web to it. Once I clear the ARP on the router, I can connect to PAN2. PAN1 doesn't have this issue and is the active FW in the HA pair.

I found that ARP tables in both devices (PAN2 of the HA pair and our Cisco router) were valid. There didn’t appear to be any issue as both had complete ARPs of each other.

The ARP timeout on the Cisco router is 4 hours, and the timeout for the PAN 3020 is 1800 seconds, or 30 minutes. Given that the ARP timeout for the PAN is shorter, I decided to do some testing during that 30-minute span. As I was testing, I noticed that if I tried to reconnect to PAN2 via PuTTY at regular intervals of between two and ten minutes, I was able to connect successfully. Then I decided to leave PAN2 alone for the 30-minute ARP timer duration and reissue a PuTTY session as soon as the timer expired & renewed itself. It turns out that I could not reconnect via PuTTY without refreshing the ARP on the router.

I then left PAN2 alone again for at least 30 minutes so the ARP timer would expire/refresh. From a console cable to PAN2, I cleared the ARP on ethernet1/3 and retried connecting from my desktop using PuTTY. No connection. It exhibited the same symptoms as before, where you can ping PAN2 but not connect. I then pinged the Cisco router from PAN2 successfully, but there was nothing new in the ARP regarding the router. The only way I could reconnect to PAN2 was to clear the ARP on the router. Interestingly enough, there was still nothing in the PAN2 ARP table for the router until about 5 minutes after I was connected via PuTTY.

Palo Alto says it's a network issue, but I think it's an ARP issue on their FW.

Any ideas on what I can try or anyone have this issue with PAN?

Thanks,

Rolf
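Rolf's procedure above boils down to comparing what each side of the segment has cached for the other and watching how close each entry is to its timeout. The script below is an added example, not code from the original post or from Cisco or Palo Alto: it parses captured text in the style of IOS `show ip arp` and PAN-OS `show arp all` (the column layouts, the sample addresses and MACs, and the 4-hour / 1800-second timeouts are constructed or assumed from the post, and the PAN-OS layout is assumed from memory), normalizes the two vendors' MAC notations, and reports a binding that disagrees with the MAC the neighbour actually uses on its interface, an incomplete entry, or an entry that is about to age out. The constructed router table deliberately holds a stale MAC for PAN2 so the mismatch path is exercised.

```python
"""Cross-check ARP bindings between a Cisco IOS router and a PAN-OS firewall.

Added example; sample outputs are constructed and column layouts are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the style of IOS "show ip arp" on the 2851.
# 10.10.1.12 is PAN2; the cached MAC is deliberately stale for the demo.
CISCO_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0019.aa11.bb01  ARPA   GigabitEthernet0/0.10
Internet  10.10.1.11             35   0011.2233.4401  ARPA   GigabitEthernet0/0.10
Internet  10.10.1.12            230   0011.2233.4402  ARPA   GigabitEthernet0/0.10
Internet  10.10.1.50              0   Incomplete      ARPA
"""

# Constructed sample in the assumed style of PAN-OS "show arp all" on PAN2.
PAN_ARP = """\
maximum of entries supported :     1500
default timeout:                   1800 seconds
status: s - static, c - complete, e - expiring, i - incomplete

interface        ip address       hw address          port          status  ttl
--------------------------------------------------------------------------------
ethernet1/3      10.10.1.1        00:19:aa:11:bb:01   ethernet1/3   c       1650
"""


@dataclass
class ArpEntry:
    ip: str
    mac: Optional[str]      # normalized aa:bb:cc:dd:ee:ff, None if incomplete
    iface: str
    age_s: Optional[int]    # seconds since learned (IOS); None for the router's own address
    ttl_s: Optional[int]    # seconds until expiry (PAN-OS); None when not reported


def normalize_mac(raw: str) -> str:
    """Accept 0019.aa11.bb01, 00-19-aa-11-bb-01 or 00:19:aa:11:bb:01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


CISCO_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F.]{14}|Incomplete)\s+ARPA\s*(?P<iface>\S*)"
)
PAN_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-fA-F:.]+)\s+"
    r"\S+\s+(?P<status>[scei])\s+(?P<ttl>\d+)"
)


def parse_cisco_arp(text: str) -> Dict[str, ArpEntry]:
    """Parse IOS 'show ip arp' output into a table keyed by IP."""
    table: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = CISCO_LINE.match(line.strip())
        if not m:
            continue
        mac = None if m["mac"] == "Incomplete" else normalize_mac(m["mac"])
        age = None if m["age"] == "-" else int(m["age"]) * 60
        table[m["ip"]] = ArpEntry(m["ip"], mac, m["iface"], age, None)
    return table


def parse_pan_arp(text: str) -> Dict[str, ArpEntry]:
    """Parse PAN-OS 'show arp all' output (assumed layout) into a table keyed by IP."""
    table: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = PAN_LINE.match(line.strip())
        if not m:
            continue
        mac = normalize_mac(m["mac"]) if m["status"] != "i" else None
        table[m["ip"]] = ArpEntry(m["ip"], mac, m["iface"], None, int(m["ttl"]))
    return table


def check_neighbour(table: Dict[str, ArpEntry], peer_ip: str, peer_real_mac: str,
                    timeout_s: int, warn_frac: float = 0.9) -> List[str]:
    """Findings for one neighbour as cached in one device's ARP table."""
    findings: List[str] = []
    e = table.get(peer_ip)
    if e is None:
        return [f"{peer_ip}: no ARP entry"]
    if e.mac is None:
        return [f"{peer_ip}: incomplete entry on {e.iface or '?'}"]
    real = normalize_mac(peer_real_mac)
    if e.mac != real:
        findings.append(f"{peer_ip}: stale binding {e.mac}, peer actually uses {real}")
    if e.age_s is not None and e.age_s >= warn_frac * timeout_s:
        findings.append(f"{peer_ip}: entry aged {e.age_s}s of {timeout_s}s, about to expire")
    if e.ttl_s is not None and e.ttl_s <= (1 - warn_frac) * timeout_s:
        findings.append(f"{peer_ip}: entry expires in {e.ttl_s}s, refresh imminent")
    return findings


def audit(router_text: str, pan_text: str, router_ip: str, router_mac: str,
          pan_ip: str, pan_mac: str, cisco_timeout_s: int = 4 * 3600,
          pan_timeout_s: int = 1800) -> Dict[str, List[str]]:
    """Check both directions: router's view of the firewall, firewall's view of the router."""
    router, pan = parse_cisco_arp(router_text), parse_pan_arp(pan_text)
    return {
        "router->firewall": check_neighbour(router, pan_ip, pan_mac, cisco_timeout_s),
        "firewall->router": check_neighbour(pan, router_ip, router_mac, pan_timeout_s),
    }


if __name__ == "__main__":
    # Assumed interface MACs: PAN2's ethernet1/3 and the router's subinterface.
    for direction, items in audit(CISCO_ARP, PAN_ARP, "10.10.1.1", "0019.aa11.bb01",
                                  "10.10.1.12", "00:11:22:33:44:12").items():
        print(direction, items or ["ok"])
```

Feed it the real captures from both consoles, taken within the same minute, and run it again right after the PAN's 30-minute timer rolls over; a `stale binding` line on the router side is the case the post resolves with `clear ip arp`, and an `incomplete` or `no ARP entry` line on the firewall side matches the five-minute gap Rolf observed before the router appeared in PAN2's table.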


Markus.Tengler
Level 1
Hello Rolf, did you solve this problem? I have nearly the same issue: 4 routers, but only three could reach the PAN. After clearing ARP on the affected router, it works.