Troubleshooting Tip: ARP troubleshooting
Description
This article describes how to troubleshoot the ARP protocol. Before a device can send an IP packet over Ethernet, it must resolve the next hop's MAC address and populate its own ARP table.
Scope
FortiGate.
Solution
Windows ARP commands:
Display ARP table:
C:\>arp -a
Interface: 192.168.157.80 --- 0x8
 Internet address      Physical address      Type
 192.168.157.1        00-ff-d9-ba-82-16    dynamic
 192.168.157.2        9c-93-4e-5e-00-38    dynamic
 192.168.157.11       08-5b-0e-5e-92-9e    dynamic
 192.168.157.18       08-5b-0e-08-85-a9    dynamic
Delete an ARP Table entry:
C:\>arp -d 192.168.157.2
FortiOS ARP Commands: Technical Tip: ARP and MAC addresses on FortiGate.
Display ARP table:
get system arp
If VDOMs are configured:
config vdom
edit <vdom_name>
get system arp
Clear the ARP Table:
execute clear system arp table
Remove a single ARP entry:
diagnose ip arp delete <interface_name> <IP Address>
Remove all entries associated with a particular interface:
diagnose ip arp flush <interface_name>
Sniff ARP packets:
To verify that ARP packets are being sent and/or received:

diagnose sniffer packet <interface> 'arp' 4
For example:
diagnose sniffer packet any "arp" 4 0 l
2024-08-13 19:18:41.004473 internal out arp who-has 192.168.1.113 tell 192.168.1.99   <- ARP Request packet.
2024-08-13 19:18:41.004487 lan out arp who-has 192.168.1.113 tell 192.168.1.99   <- ARP Request packet.
2024-08-13 19:18:41.005184 lan in arp reply 192.168.1.113 is-at 00:64:72:61:29:02   <- ARP Response packet.
2024-08-13 19:18:41.005193 internal in arp reply 192.168.1.113 is-at 00:64:72:61:29:02   <- ARP Response packet.
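When a long sniffer capture has to be reviewed, it helps to pair each "who-has" request with the matching "is-at" reply and list the targets that never answered. The following script is an added example (not part of the original Fortinet article) that does exactly that over lines in the format shown above; the sample lines are constructed from the output above plus an assumed unanswered gateway 10.20.30.1 on wan1.

```python
import re
from collections import defaultdict

# Line shapes produced by: diagnose sniffer packet any "arp" 4
# <date> <time> <interface> <in|out> arp who-has <target> tell <sender>
# <date> <time> <interface> <in|out> arp reply <ip> is-at <mac>
REQ_RE = re.compile(
    r"^\S+ \S+ (?P<ifname>\S+) (?P<dir>in|out) arp who-has (?P<target>\S+) tell (?P<sender>\S+)"
)
REP_RE = re.compile(
    r"^\S+ \S+ (?P<ifname>\S+) (?P<dir>in|out) arp reply (?P<ip>\S+) is-at (?P<mac>[0-9A-Fa-f:]{17})"
)

def analyze_arp_sniffer(lines):
    """Return (answered, unanswered).

    answered:   target IP -> MAC from the first 'is-at' reply seen for it
    unanswered: target IP -> number of 'who-has' requests that got no reply
    """
    requests = defaultdict(int)   # target ip -> request count
    replies = {}                  # ip -> mac (first reply wins)
    for raw in lines:
        line = raw.strip()
        m = REQ_RE.match(line)
        if m:
            requests[m["target"]] += 1
            continue
        m = REP_RE.match(line)
        if m:
            replies.setdefault(m["ip"], m["mac"].lower())
    answered = {ip: replies[ip] for ip in requests if ip in replies}
    unanswered = {ip: n for ip, n in requests.items() if ip not in replies}
    return answered, unanswered

# Constructed sample: the four lines from the article plus three assumed
# requests for a gateway (10.20.30.1) that never replies on wan1.
SAMPLE = """\
2024-08-13 19:18:41.004473 internal out arp who-has 192.168.1.113 tell 192.168.1.99
2024-08-13 19:18:41.004487 lan out arp who-has 192.168.1.113 tell 192.168.1.99
2024-08-13 19:18:41.005184 lan in arp reply 192.168.1.113 is-at 00:64:72:61:29:02
2024-08-13 19:18:41.005193 internal in arp reply 192.168.1.113 is-at 00:64:72:61:29:02
2024-08-13 19:18:42.104473 wan1 out arp who-has 10.20.30.1 tell 10.20.30.56
2024-08-13 19:18:43.104473 wan1 out arp who-has 10.20.30.1 tell 10.20.30.56
2024-08-13 19:18:44.104473 wan1 out arp who-has 10.20.30.1 tell 10.20.30.56
""".splitlines()

if __name__ == "__main__":
    ok, missing = analyze_arp_sniffer(SAMPLE)
    for ip, mac in ok.items():
        print(f"resolved   {ip} -> {mac}")
    for ip, n in missing.items():
        print(f"NO REPLY   {ip} ({n} requests sent)")
```

An IP that shows up under "NO REPLY" is the case the next section covers: requests leave the FortiGate but nothing comes back, so the interface counters, VLAN tagging and the peer itself are the next things to check.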
If further checking is needed, a packet capture of ARP traffic can be taken to examine incoming and outgoing ARP frames. The guide below shows how this can be done via GUI and CLI.
Technical Tip: How to capture ARP traffic using Packet Capture on FortiOS GUI and CLI
If ARP requests are being sent from the FortiGate but no responses are received, consider checking the following points.
Check the interface counter and verify if packets are being sent out by the firewall. The TX counters should increment.
fnsysctl ifconfig <interface name>
OR
diagnose hardware deviceinfo nic <interface name>
 fnsysctl ifconfig wan1
 wan1 Link encap:Ethernet HWaddr 04:D5:90:05:DE:5E
 inet addr:10.20.30.56 Bcast:10.20.30.127 Mask:255.255.255.128
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:4831498 errors:0 dropped:0 overruns:0 frame:0
 TX packets:970162 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1731919962 (1.6 GB) TX bytes:194569216 (185.6 MB)
If the peer sends the ARP reply, the RX counters should increase. Note that a faulty cable can cause packet drops, in which case the RX counters may not increment; replacing the cable and testing again is recommended in such scenarios.
If VLAN interfaces on the FortiGate are used for communication, make sure the peer device is configured with matching tagged VLANs. Otherwise, the FortiGate will not be able to create the corresponding ARP entry for the VLAN interface.
If a gateway is used, make sure the gateway IP is correctly defined in the static route.
A mirror or a packet capture on the peer device can be performed to verify if ARP requests are received by it.
If possible, replace the peer with another device and check if ARP is working.
If the FortiGate still does not learn the MAC address, the remaining option is to add a static ARP entry as shown below:

config system arp-table
    edit 1
        set interface internal
        set ip 192.168.1.113
        set mac 00:64:72:61:29:02
    next
end
Another diagnostic command that can be used:
diagnose ip arp list
This command provides a detailed view of the FortiGate ARP cache, including interface information, neighbor IP/MAC mapping, ARP state, and timer/reference counters. This makes it especially useful for checking whether an entry is REACHABLE, STALE, or FAILED, and for identifying cases where ARP entries persist longer than expected. STALE entries can remain in the table on some platforms until the ARP cache reaches the configured threshold. More details regarding this behavior are provided in Technical Tip: Persistent STALE ARP entries observed on FortiGate devices.
Related articles:
