On occasion I will have to clear the ARP cache on a 6500 when a customer swaps out a firewall or firewall NIC. The ARP cache will show the MAC of the previous device and will not update until either the ARP table refreshes dynamically (currently at the default time) or it is cleared manually.
Sometimes I need to clear it manually and sometimes it is refreshed dynamically when the new device comes up. Inconsistent issue....
Under what circumstances will an ARP entry NOT be refreshed when a firewall or firewall NIC is swapped out?
If you are using private VLANs, ARP entries will be sticky, which means that when the IP address remains the same but the MAC changes, ARP will not be refreshed.
You can configure the following global command if you are using private VLANs.
no ip sticky-arp
Or you can configure it on a per-VLAN basis.
ip sticky-arp ignore
If you do not have private VLANs and the ARP entry is still not being updated, then it's just the fact that the new firewall is not sending gratuitous ARP.
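The gratuitous ARP that the answer above says the new firewall should be sending, as an added example that is not part of the original thread and not code from any of the posters: it builds the raw Ethernet + ARP frame (an ARP request whose sender IP equals its target IP, sent to the broadcast MAC), parses it back, and models how a receiving ARP table reacts to it with and without PVLAN-style sticky entries. The MAC and IP addresses are constructed for the example; send_frame assumes a Linux host with a raw AF_PACKET socket and root privileges, and the sticky behaviour is a simplified model of what the answer describes, not the switch's actual implementation.

```python
"""Gratuitous ARP builder/parser plus a toy ARP table showing the sticky case."""
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def build_gratuitous_arp(sender_mac, sender_ip, opcode=ARP_REQUEST):
    """Return a 42-byte Ethernet II frame carrying a gratuitous ARP.

    Sender IP == target IP and Ethernet dst == broadcast is what makes it
    gratuitous; any listener on the segment can update its cache from it.
    """
    smac = mac_to_bytes(sender_mac)
    sip = socket.inet_aton(sender_ip)
    eth = mac_to_bytes(BROADCAST) + smac + struct.pack("!H", ETH_P_ARP)
    # Target hardware address is all-zero in a request form, the sender's own MAC in a reply form.
    tha = b"\x00" * 6 if opcode == ARP_REQUEST else smac
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then SHA/SPA/THA/TPA.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + smac + sip + tha + sip
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet + ARP frame into a dict of printable fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP (need 42 bytes)")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "opcode": oper,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def is_gratuitous(info):
    return info["sender_ip"] == info["target_ip"] and info["eth_dst"] == BROADCAST


class ArpCache:
    """Simplified model (an assumption, not the 6500's real table) of ARP learning.

    sticky=True mimics PVLAN sticky-arp: an existing IP -> MAC binding is not
    overwritten by a frame carrying the same IP with a different MAC.
    """

    def __init__(self, sticky=False):
        self.sticky = sticky
        self.table = {}

    def learn(self, info):
        ip, mac = info["sender_ip"], info["sender_mac"]
        if self.sticky and ip in self.table and self.table[ip] != mac:
            return False  # old binding kept: needs a manual clear or an ageing timeout
        self.table[ip] = mac
        return True

    def clear(self, ip):
        """Equivalent of clearing one entry by hand on the switch."""
        self.table.pop(ip, None)


def send_frame(frame, interface):
    """Send the raw frame on a Linux interface (assumption: Linux, run as root)."""
    if not hasattr(socket, "AF_PACKET"):
        raise OSError("raw AF_PACKET sockets are only available on Linux")
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((interface, 0))
        return s.send(frame)


if __name__ == "__main__":
    old = parse_arp(build_gratuitous_arp("aa:bb:cc:dd:ee:01", "10.0.0.1"))  # constructed
    new = parse_arp(build_gratuitous_arp("aa:bb:cc:dd:ee:02", "10.0.0.1"))  # replacement NIC
    for sticky in (False, True):
        cache = ArpCache(sticky=sticky)
        cache.learn(old)
        print("sticky=%s updated=%s table=%s" % (sticky, cache.learn(new), cache.table))
```

If the new device really is not announcing itself, running this from it (or any host spoofing its MAC/IP pair for test purposes) forces the upstream ARP table to relearn the binding in the non-sticky case; in the sticky case nothing short of clearing the entry or waiting out the ageing timer helps. On the 6500 itself, `show ip arp <ip>` confirms which MAC is currently bound and `clear ip arp <ip>` removes just that entry; the default IOS ARP ageing time is four hours, which is why the "refreshes dynamically" case in the question takes so long to resolve on its own.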
I'll have to try that on my core switches.
I've been having a similar issue in which contractors were replacing HVAC controllers at many of my sites with newer models. They used the same IP addresses on them and had the same problem... they couldn't even ping them. I would have to flush the ARP cache on the core switches to resolve the issue. I will have to try the "ip sticky-arp ignore" command...