edyrmishi
Staff
March 12, 2026

Technical Tip: Persistent STALE ARP entries observed on FortiGate devices

Description
This article describes a scenario where the automatic removal of ARP entries from the ARP table is not performed, even when very high 'Age' values are reached. This behavior is typically observed on FortiGate hardware platforms that utilize Linux kernel 4.19, where the garbage collection process is governed by specific entry thresholds.
Scope
FortiGate devices utilizing Linux kernel 4.19.
Solution

In certain network environments, ARP entries are observed to remain in the table for an extended duration, even when the associated hosts are no longer active. When the ARP table is inspected, entries with an 'Age' of several thousand minutes may be found.
  1. Verification of ARP Age.

High age values are identified when the following command is executed:
FGT# get system arp
Address          Age(min)   Hardware Addr        Interface
192.168.10.25    14520      00:09:0f:aa:bb:cc    vlan10
10.0.5.100       32100      00:09:0f:11:22:33    port1
172.16.1.50      128450     00:09:0f:44:55:66    vlan10

  2. Analysis of ARP State.

To determine why these entries are not purged, the underlying state must be examined. The following diagnostic command is utilized for this purpose:
FGT# diagnose ip arp list
index=5 ifname=vlan10 192.168.10.25 00:09:0f:aa:bb:cc state=00000004 use=14520 confirm=15000 update=14520 ref=0
Normally, an ARP cache entry in the STALE (0x04) or FAILED (0x20) state with no active references (ref=0) can be removed from the ARP cache through the garbage collection process. This process runs every 30 seconds and scans the cache for entries that have remained stale, failed, or unreferenced for more than 60 seconds, removing them when found.

  3. Kernel Behavior and Garbage Collection Logic.

The persistence of these STALE entries is explained by the logic introduced in Linux kernel 4.19. In this kernel version, STALE ARP entries are not automatically removed by the garbage collection process every 30 seconds unless the total number of entries in the table exceeds the configured threshold.
If the table size remains below the threshold, these entries are retained indefinitely. This differs from older kernel versions (such as 3.10), where STALE entries are purged regardless of the total table count.


The kernel version of a device is confirmed by the following CLI command:
FGT# fnsysctl cat /proc/version
Linux version 4.19.13 ...

  4. Adjustment of the ARP Threshold.

If an administrator requires these entries to be removed, adjust the garbage collection threshold with the following global configuration:

config system global
    set arp-max-entry <integer>
end
By default, STALE entries are kept in the table until the arp-max-entry value is reached. This is considered expected behavior for platforms utilizing this kernel and does not indicate a software defect.
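As an added illustration (this is not part of the original article and is not Fortinet code), the following Python script parses 'diagnose ip arp list' output, decodes the state bitmask, and models the two garbage-collection policies described in sections 2 to 4: a 3.10-style pass that purges every STALE or FAILED entry with ref=0 that has been stale for more than 60 seconds, and a 4.19-style pass that skips the purge entirely while the table holds fewer entries than arp-max-entry. It assumes that the use/confirm/update fields are in minutes (matching the Age(min) column of 'get system arp') and that the purge is gated on the table reaching the threshold; the first sample line is taken from the article, the remaining sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Neighbour (NUD) state bits of the kernel ARP cache. The article names
# STALE (0x04) and FAILED (0x20); the remaining values are the standard ones.
NUD_STATES = {
    0x01: "INCOMPLETE", 0x02: "REACHABLE", 0x04: "STALE", 0x08: "DELAY",
    0x10: "PROBE", 0x20: "FAILED", 0x40: "NOARP", 0x80: "PERMANENT",
}
NUD_STALE, NUD_FAILED = 0x04, 0x20
GC_STALETIME_S = 60   # removable once stale/failed/unreferenced longer than this

# One line of 'diagnose ip arp list' in the layout shown in the article.
ARP_LINE = re.compile(
    r"index=(?P<index>\d+)\s+ifname=(?P<ifname>\S+)\s+(?P<ip>\S+)\s+(?P<mac>\S+)\s+"
    r"state=(?P<state>[0-9a-fA-F]+)\s+use=(?P<use>\d+)\s+confirm=(?P<confirm>\d+)\s+"
    r"update=(?P<update>\d+)\s+ref=(?P<ref>\d+)"
)

# Constructed sample: line 1 is the article's entry, the others are made up
# (one FAILED entry, one second STALE entry, one live REACHABLE entry with ref=1).
SAMPLE = """\
index=5 ifname=vlan10 192.168.10.25 00:09:0f:aa:bb:cc state=00000004 use=14520 confirm=15000 update=14520 ref=0
index=7 ifname=port1 10.0.5.100 00:09:0f:11:22:33 state=00000020 use=32100 confirm=32100 update=32100 ref=0
index=9 ifname=vlan10 172.16.1.50 00:09:0f:44:55:66 state=00000004 use=128450 confirm=128450 update=128450 ref=0
index=11 ifname=port1 10.0.5.1 00:09:0f:de:ad:01 state=00000002 use=0 confirm=0 update=0 ref=1
"""


@dataclass
class ArpEntry:
    index: int
    ifname: str
    ip: str
    mac: str
    state: int
    use: int       # assumption: minutes, like the Age(min) column
    confirm: int
    update: int    # assumption: minutes since the entry was last updated
    ref: int


def parse_arp_list(text: str) -> List[ArpEntry]:
    """Parse 'diagnose ip arp list' output; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        g = m.groupdict()
        entries.append(ArpEntry(
            int(g["index"]), g["ifname"], g["ip"], g["mac"], int(g["state"], 16),
            int(g["use"]), int(g["confirm"]), int(g["update"]), int(g["ref"]),
        ))
    return entries


def state_name(state: int) -> str:
    """Decode the hexadecimal state field into its NUD state name(s)."""
    names = [name for bit, name in NUD_STATES.items() if state & bit]
    return "|".join(names) if names else "UNKNOWN(%#04x)" % state


def is_gc_candidate(e: ArpEntry) -> bool:
    """STALE or FAILED, unreferenced, and stale for longer than GC_STALETIME_S."""
    removable_state = bool(e.state & (NUD_STALE | NUD_FAILED))
    return removable_state and e.ref == 0 and e.update * 60 > GC_STALETIME_S


def gc_pass(entries: List[ArpEntry], max_entries: int,
            threshold_gated: bool = True) -> Tuple[List[ArpEntry], List[ArpEntry]]:
    """One garbage-collection run. threshold_gated=True models the 4.19 behaviour
    described in the article (no purge while the table is below arp-max-entry);
    threshold_gated=False models the 3.10 behaviour (candidates always purged)."""
    if threshold_gated and len(entries) < max_entries:
        return list(entries), []            # table below threshold: nothing removed
    kept = [e for e in entries if not is_gc_candidate(e)]
    purged = [e for e in entries if is_gc_candidate(e)]
    return kept, purged


if __name__ == "__main__":
    table = parse_arp_list(SAMPLE)
    for e in table:
        print("%-15s %-7s %-9s age=%6dmin ref=%d removable=%s"
              % (e.ip, e.ifname, state_name(e.state), e.update, e.ref, is_gc_candidate(e)))
    for threshold in (8, 4):
        _, purged = gc_pass(table, threshold)
        print("arp-max-entry=%d: purged %s" % (threshold, [e.ip for e in purged]))
```

Running the script shows the effect the article describes: with arp-max-entry above the table size the three removable entries survive every pass, and only once the table reaches the threshold (or under the ungated 3.10-style pass) are they dropped.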