Umer221, Staff
Article Id 286954
Description: This article describes why a FortiGate may generate too many ARP requests, and explains how to avoid the excessive ARP traffic.
Scope: FortiOS, FortiGate.
Solution
  1. Refer to the Troubleshooting Tip "ARP troubleshooting" for general ARP troubleshooting steps.
  2. If there are ARP entries for devices that no longer belong to the network and the number of ARP requests is excessive, the following is observed (screenshot: ARP.png):

Explanation:

This occurs when a few devices occasionally disconnect from the network without closing their open TCP sessions. The FortiGate continues to probe these devices until the session time-to-live (TTL) expires. Because the device is no longer on the network, it is removed from the FortiGate ARP table, so every subsequent probe from the FortiGate triggers a new ARP request for an address that is not in the table. The default session TTL is 60 minutes and the default ARP reachable time is 30 seconds, so large volumes of ARP requests can be generated for about an hour for each device that is unreachable but still has sessions open.
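As an added illustration (not part of the original article), the following Python script scans a text ARP capture for addresses that receive repeated who-has requests and never answer, which is the fingerprint of the stale-session behaviour described above. The line layout and the sample frames are constructed assumptions, not a verbatim FortiOS sniffer transcript.

```python
import re
from collections import defaultdict

# Constructed sample input (an assumption, not a verbatim FortiOS transcript):
# one line per ARP frame as "<seconds> <interface> -- <arp summary>".
SAMPLE_CAPTURE = """\
10.421 port2 -- arp who-has 192.168.1.50 tell 192.168.1.1
10.452 port2 -- arp reply 192.168.1.50 is-at 00:11:22:33:44:55
11.003 port2 -- arp who-has 192.168.1.77 tell 192.168.1.1
12.500 port2 -- arp who-has 192.168.1.90 tell 192.168.1.1
41.010 port2 -- arp who-has 192.168.1.77 tell 192.168.1.1
71.015 port2 -- arp who-has 192.168.1.77 tell 192.168.1.1
101.020 port2 -- arp who-has 192.168.1.77 tell 192.168.1.1
"""

REQUEST_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\S+\s+--\s+arp who-has (?P<target>\S+) tell \S+"
)
REPLY_RE = re.compile(r"arp reply (?P<sender>\S+) is-at ")


def find_stale_arp_targets(capture_text, min_requests=3):
    """Return {target_ip: (request_count, seconds_spanned)} for addresses the
    firewall keeps asking for but that never answer: repeated unanswered
    who-has requests, roughly one per ARP reachable-time window."""
    requests = defaultdict(list)   # target ip -> timestamps of who-has frames
    responders = set()             # ips that appeared in an is-at reply
    for line in capture_text.splitlines():
        req = REQUEST_RE.match(line)
        if req:
            requests[req.group("target")].append(float(req.group("ts")))
            continue
        rep = REPLY_RE.search(line)
        if rep:
            responders.add(rep.group("sender"))
    stale = {}
    for ip, stamps in requests.items():
        if ip in responders or len(stamps) < min_requests:
            continue   # answered, or too few requests to call it stale
        stale[ip] = (len(stamps), max(stamps) - min(stamps))
    return stale


if __name__ == "__main__":
    # 192.168.1.50 answers and 192.168.1.90 is asked only once; 192.168.1.77
    # is asked four times at ~30 s intervals with no reply (stale session case).
    for ip, (count, span) in sorted(find_stale_arp_targets(SAMPLE_CAPTURE).items()):
        print(f"{ip}: {count} unanswered ARP requests over {span:.0f} s")
```

An address that keeps showing up this way for close to an hour matches the default 60-minute session TTL and points at the tuning described in the Solution.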

Solution:

Lower the default session TTL and/or increase the ARP reachable time on the FortiGate. This prevents the client from being dropped from the ARP table before the session TTL expires, which reduces the ARP request flood.

However, take care that these changes do not affect the network's overall performance and security.

Additionally, clear the ARP table by running the following command, which removes all entries from the ARP table:

execute clear system arp table