gmanea
Staff
Article Id 193973

Description


This article describes how a FortiGate behaves when it receives a gratuitous ARP (GARP).


Scope


FortiGate.

Solution


When the FortiGate is in NAT mode, its behavior depends on the state of the ARP table entry for the IP address announced in the GARP.


  1. A corresponding ARP entry exists in the table.

In this case, the FortiGate updates the existing entry with the MAC address announced in the gratuitous ARP. The CLI output below shows this: after two GARP replies for 10.115.1.15 are seen on port17, the entry changes from 00:00:5e:00:01:7e to 00:00:5e:00:01:7a (note that the sniffer prints MAC octets without leading zeros).


FG1K2D-2 # get sys arp
Address          Age(min)   Hardware Addr     Interface
10.115.1.15      1          00:00:5e:00:01:7e port17
172.31.19.254    0          00:09:0f:09:32:12 mgmt1

FG1K2D-2 # diagnose sniffer packet port17 '' 4 a
interfaces=[port17]
filters=[]
12.506147 port17 -- arp reply 10.115.1.15 is-at 0:0:5e:0:1:7a
23.647347 port17 -- arp reply 10.115.1.15 is-at 0:0:5e:0:1:7a

FG1K2D-2 # get sys arp
Address          Age(min)   Hardware Addr     Interface
10.115.1.15      1          00:00:5e:00:01:7a port17
172.31.19.254    0          00:09:0f:09:32:12 mgmt1


  2. The FortiGate receives a gratuitous ARP that does not correspond to any entry in the ARP table: the FortiGate ignores such GARP packets and does not add an entry to the ARP table.

  3. The FortiGate sends an ARP request and, within the next 5 minutes, receives a GARP for the requested IP address:
    This GARP packet is taken into account and the entry is populated. The FortiGate does not distinguish between a directed ARP reply and a GARP.
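The three rules above, replayed against the ARP table and sniffer lines shown in this article, as an added example (not Fortinet code): it models the FortiGate's stated handling of a GARP, normalizes the sniffer's unpadded MAC format to the 'get sys arp' format, and records every MAC change to an existing entry so an operator can review unexpected ones. The 5-minute window and the extra addresses 10.115.1.99 and 10.115.1.50 are assumptions taken from or added to the article's text.

```python
import re
from dataclasses import dataclass, field

PENDING_WINDOW_S = 5 * 60  # article: a GARP within 5 minutes of our ARP request is accepted
# 'diagnose sniffer packet' prints MACs unpadded (0:0:5e:0:1:7a); 'get sys arp' pads them.
SNIFF_RE = re.compile(r"^(?P<ts>[\d.]+)\s+\S+\s+--\s+arp reply\s+(?P<ip>\S+)\s+is-at\s+(?P<mac>[0-9a-fA-F:]+)")

def normalize_mac(mac: str) -> str:
    """Zero-pad each octet so sniffer and ARP-table MACs compare equal."""
    return ":".join(f"{o.__int__() if False else int(o, 16):02x}" for o in mac.split(":"))

@dataclass
class ArpCache:
    entries: dict = field(default_factory=dict)  # ip -> zero-padded MAC (as in 'get sys arp')
    pending: dict = field(default_factory=dict)  # ip -> time an ARP request was sent by us
    changes: list = field(default_factory=list)  # (ip, old_mac, new_mac) when a known entry moves

    def send_request(self, ip: str, now: float) -> None:
        self.pending[ip] = now

    def on_garp(self, ip: str, mac: str, now: float) -> str:
        mac = normalize_mac(mac)
        if ip in self.entries:  # case 1: an existing entry is overwritten
            old, self.entries[ip] = self.entries[ip], mac
            if old != mac:
                self.changes.append((ip, old, mac))
            return "updated"
        sent = self.pending.get(ip)
        if sent is not None and now - sent <= PENDING_WINDOW_S:  # case 3: reply to our request
            del self.pending[ip]
            self.entries[ip] = mac
            return "learned"
        return "ignored"  # case 2: unknown IP and no recent request from us

def replay(cache: ArpCache, sniffer_lines) -> list:
    """Feed each 'arp reply' sniffer line to the cache; returns (ip, outcome) per line."""
    results = []
    for line in sniffer_lines:
        if (m := SNIFF_RE.match(line)):
            results.append((m["ip"], cache.on_garp(m["ip"], m["mac"], float(m["ts"]))))
    return results

# Constructed sample: the table and sniffer lines from the article, plus a GARP from
# 10.115.1.99 (assumed address) that the FortiGate never asked about.
TABLE_BEFORE = {"10.115.1.15": "00:00:5e:00:01:7e", "172.31.19.254": "00:09:0f:09:32:12"}
SNIFFER_LINES = [
    "12.506147 port17 -- arp reply 10.115.1.15 is-at 0:0:5e:0:1:7a",
    "23.647347 port17 -- arp reply 10.115.1.15 is-at 0:0:5e:0:1:7a",
    "30.000000 port17 -- arp reply 10.115.1.99 is-at 0:0:5e:0:1:99",
]
```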


Related articles:

Technical Tip: How gratuitous ARP behaves on FGCP HA failover

Technical Tip: Fine tune the HA cluster failover times

Troubleshooting Tip: FortiGate HA link-failed-signal and switching MAC address tables