FortiGate
Patterson (Staff)
Article Id 332067
Description

This article describes how to troubleshoot a FortiGate that does not send ARP replies for a VIP or IP pool address.

 

Scope

FortiOS v7.0 and above.

 

Solution

Consider a scenario in which a new VIP or IP pool has been configured, or an existing one modified. After the change, the FortiGate (FGT) does not respond to ARP requests for the associated IP addresses.

This is often caused by 'arp-reply' being set to disable under the VIP or IP pool, or by the service itself being disabled. Make sure ARP reply is enabled on the object:

 

config firewall vip
    edit <name>
        set arp-reply enable
    next
end

 

config firewall ippool
    edit <name>
        set arp-reply enable
    next
end

 

If ARP reply is already enabled, the issue may instead be that the firewall's iplist table has not been updated.

Below is a lab use case in which there was no reply to ARP after one of the VIP services was disabled and re-enabled.

The iplist table is refreshed by toggling the ARP reply setting on the VIP, or by changing the VIP's external interface from a specific interface to 'any'.

 

10.57.16.46 is the external IP associated with VIP in FortiGate.

10.57.16.16 is the user's IP.


Before:

 

Lab-FGT # diagnose sniffer packet port1 "arp" 4 100 a
interfaces=[port1]
filters=[arp]
2024-08-02 08:31:49.900013 port1 -- arp who-has 10.57.16.1 tell 10.57.16.16
2024-08-02 08:31:49.911403 port1 -- arp reply 10.57.16.1 is-at 00:67:72:61:37:01
2024-08-02 08:31:50.159032 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
2024-08-02 08:31:50.800398 port1 -- arp who-has 10.57.16.46 tell 10.57.16.46
2024-08-02 08:31:51.150012 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
2024-08-02 08:31:52.150013 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
2024-08-02 08:31:53.171390 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
2024-08-02 08:31:54.180013 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16


Lab-FGT # diagnose firewall iplist list | grep 10.57.16.46

(no output: 10.57.16.46 is not present in the iplist table, which is why the FortiGate does not answer ARP requests for it)

After (iplist table refreshed as described above):

Lab-FGT # diagnose sniffer packet port1 "arp" 4 100 a
interfaces=[port1]
filters=[arp]
2024-08-02 08:35:31.900091 port1 -- arp who-has 10.57.16.46 tell 10.57.16.46
2024-08-02 08:35:36.062096 port1 -- arp who-has 10.57.16.46 (00:09:0f:09:0a:02) tell 10.57.16.1
2024-08-02 08:35:36.062103 port1 -- arp reply 10.57.16.46 is-at 00:09:0f:09:0a:02
2024-08-02 08:35:36.903599 port1 -- arp who-has 10.57.16.46 tell 10.57.16.46
^C
5 packets received by filter
0 packets dropped by kernel

 

Lab-FGT # diagnose firewall iplist list | grep 10.57.16.46
dev=48 devname=port1 type=2 used=1 ip range=10.57.16.46-10.57.16.46
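To make the before/after comparison above repeatable, the following is an added example (it is not part of this article and not a FortiOS tool) that parses saved 'diagnose sniffer packet ... "arp"' output and 'diagnose firewall iplist list' output for one address and returns a verdict. It counts only requests from other hosts as unanswered (gratuitous ARP, where the sender is the address itself, is counted separately), and the iplist check handles a full 'ip range=A-B' entry, so it also works for an IP pool, not just a single VIP address. The sample captures are the two outputs quoted in this article, embedded as constructed test input; the verdict codes are this example's own naming.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the 'Before' sniffer capture quoted in the article
# (repeated requests for the VIP address, no reply from the FortiGate).
SNIFFER_BEFORE = """\
interfaces=[port1]
filters=[arp]
2024-08-02 08:31:49.900013 port1 -- arp who-has 10.57.16.1 tell 10.57.16.16
2024-08-02 08:31:49.911403 port1 -- arp reply 10.57.16.1 is-at 00:67:72:61:37:01
2024-08-02 08:31:50.159032 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
2024-08-02 08:31:50.800398 port1 -- arp who-has 10.57.16.46 tell 10.57.16.46
2024-08-02 08:31:51.150012 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
2024-08-02 08:31:52.150013 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
2024-08-02 08:31:53.171390 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
2024-08-02 08:31:54.180013 port1 -- arp who-has 10.57.16.46 tell 10.57.16.16
"""
IPLIST_BEFORE = ""  # 'diagnose firewall iplist list | grep 10.57.16.46' printed nothing

# Constructed sample input: the 'After' capture and iplist output from the article.
SNIFFER_AFTER = """\
interfaces=[port1]
filters=[arp]
2024-08-02 08:35:31.900091 port1 -- arp who-has 10.57.16.46 tell 10.57.16.46
2024-08-02 08:35:36.062096 port1 -- arp who-has 10.57.16.46 (00:09:0f:09:0a:02) tell 10.57.16.1
2024-08-02 08:35:36.062103 port1 -- arp reply 10.57.16.46 is-at 00:09:0f:09:0a:02
2024-08-02 08:35:36.903599 port1 -- arp who-has 10.57.16.46 tell 10.57.16.46
^C
5 packets received by filter
0 packets dropped by kernel
"""
IPLIST_AFTER = "dev=48 devname=port1 type=2 used=1 ip range=10.57.16.46-10.57.16.46\n"

# Sniffer verbosity 4 prints 'who-has <ip> [(<mac>)] tell <ip>' and 'reply <ip> is-at <mac>'.
WHO_HAS = re.compile(r"arp who-has (\S+)(?: \([0-9a-f:]+\))? tell (\S+)")
REPLY = re.compile(r"arp reply (\S+) is-at ([0-9a-f:]+)")
IPLIST_RANGE = re.compile(r"ip range=(\S+)-(\S+)")


@dataclass
class ArpSummary:
    requests: int       # who-has for the address sent by another host
    announcements: int  # gratuitous ARP: sender and target are the address itself
    replies: int        # 'is-at' replies for the address


def summarize_arp(capture: str, ip: str) -> ArpSummary:
    """Count ARP traffic for one address in 'diagnose sniffer packet ... "arp"' output."""
    s = ArpSummary(0, 0, 0)
    for line in capture.splitlines():
        m = WHO_HAS.search(line)
        if m and m.group(1) == ip:
            if m.group(2) == ip:
                s.announcements += 1
            else:
                s.requests += 1
            continue
        m = REPLY.search(line)
        if m and m.group(1) == ip:
            s.replies += 1
    return s


def in_iplist(iplist_output: str, ip: str) -> bool:
    """True if any 'ip range=A-B' entry in 'diagnose firewall iplist list' output covers ip."""
    addr = ipaddress.ip_address(ip)
    for m in IPLIST_RANGE.finditer(iplist_output):
        lo, hi = (ipaddress.ip_address(x) for x in m.groups())
        if lo <= addr <= hi:
            return True
    return False


def diagnose(capture: str, iplist_output: str, ip: str) -> str:
    """Combine both outputs into one verdict code (codes are this example's own naming)."""
    s = summarize_arp(capture, ip)
    if s.replies:
        return "answered"
    if not s.requests:
        return "no-requests"                # nobody asked for the address; capture is inconclusive
    if not in_iplist(iplist_output, ip):
        return "unanswered-not-in-iplist"   # refresh: toggle arp-reply or set extintf to 'any'
    return "unanswered-in-iplist"           # address is known but unanswered: check arp-reply


if __name__ == "__main__":
    for label, cap, ipl in (("before", SNIFFER_BEFORE, IPLIST_BEFORE),
                            ("after", SNIFFER_AFTER, IPLIST_AFTER)):
        print(label, summarize_arp(cap, "10.57.16.46"), diagnose(cap, ipl, "10.57.16.46"))
```

Run against the two captures, the 'before' case yields five unanswered requests from 10.57.16.16 and an empty iplist match, and the 'after' case yields one request from the gateway that is answered and a matching iplist entry. The 'no-requests' verdict matters in practice: a capture with no who-has for the address proves nothing about the FortiGate, so the user or gateway must generate a request (for example by pinging the VIP) while the sniffer runs.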

 

 

Related articles:

Technical Tip: How to configure SNAT with IP pool
Technical Tip: Virtual IP (VIP) port forwarding configuration