Created on 02-05-2016 06:13 PM
Edited on 11-30-2025 10:50 PM
By Anthony_E
Description
This article describes how to troubleshoot ARP (Address Resolution Protocol). Before a network device can send any packet over Ethernet, it must populate its own ARP table.
Scope
FortiGate.
Solution
Windows ARP commands:
Display ARP table:
C:\>arp -a
Interface: 192.168.157.80 --- 0x8
  Internet address      Physical address      Type
  192.168.157.1         00-ff-d9-ba-82-16     dynamic
  192.168.157.2         9c-93-4e-5e-00-38     dynamic
  192.168.157.11        08-5b-0e-5e-92-9e     dynamic
  192.168.157.18        08-5b-0e-08-85-a9     dynamic
Delete an ARP Table entry:
C:\> arp -d 192.168.157.2
FortiOS ARP Commands: ARP-and-MAC-addresses-on-FortiGate
Display ARP table:
get system arp
If VDOMs are configured:
config vdom
edit <vdom_name>
get system arp
Clear the ARP Table:
execute clear system arp table
Remove a single ARP entry:
diagnose ip arp delete <interface_name> <IP Address>
Remove all entries associated with a particular interface:
diagnose ip arp flush <interface_name>
Sniff ARP packets:
To confirm that ARP packets are being sent and/or received:
diagnose sniffer packet <interface> 'arp' 4
For example:
diagnose sniffer packet any "arp" 4 0 l
2024-08-13 19:18:41.004473 internal out arp who-has 192.168.1.113 tell 192.168.1.99 <- ARP Request packet.
2024-08-13 19:18:41.004487 lan out arp who-has 192.168.1.113 tell 192.168.1.99 <- ARP Request packet.
2024-08-13 19:18:41.005184 lan in arp reply 192.168.1.113 is-at 00:64:72:61:29:02 <- ARP Response packet.
2024-08-13 19:18:41.005193 internal in arp reply 192.168.1.113 is-at 00:64:72:61:29:02 <- ARP Response packet.
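The check described here can be automated over saved sniffer output. The following is an added example, not part of the original article or any Fortinet tooling: it pairs who-has requests with replies per interface, reports targets that never answered, and flags any IP answered by more than one MAC (a duplicate IP or a spoofed reply). The names analyze and SAMPLE are hypothetical, and the sample lines are constructed in the verbosity 4 format shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the verbosity-4 format (interface name and direction).
SAMPLE = """\
2024-08-13 19:18:41.004473 internal out arp who-has 192.168.1.113 tell 192.168.1.99
2024-08-13 19:18:41.005193 internal in arp reply 192.168.1.113 is-at 00:64:72:61:29:02
2024-08-13 19:18:42.100000 internal out arp who-has 192.168.1.120 tell 192.168.1.99
2024-08-13 19:18:43.100000 internal out arp who-has 192.168.1.120 tell 192.168.1.99
2024-08-13 19:18:44.200000 internal in arp reply 192.168.1.113 is-at 00:11:22:33:44:55
"""

# The timestamp is two tokens (absolute) or one (relative); trailing notes are ignored.
LINE = re.compile(
    r"^(?:\S+ )?\S+ (?P<ifc>\S+) (?P<dir>in|out) arp "
    r"(?:who-has (?P<target>\S+) tell (?P<asker>\S+)"
    r"|reply (?P<ip>\S+) is-at (?P<mac>[0-9a-fA-F:]{17}))"
)

def analyze(text):
    """Return (unanswered, conflicts) parsed from sniffer text."""
    requests, answered, macs = defaultdict(int), set(), defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines, non-ARP traffic
        if m["target"]:
            if m["dir"] == "out":  # count only requests the FortiGate sent
                requests[(m["ifc"], m["target"])] += 1
        else:
            answered.add((m["ifc"], m["ip"]))
            macs[m["ip"]].add(m["mac"].lower())
    # Requests sent on an interface where no reply for that IP was ever seen.
    unanswered = {k: n for k, n in requests.items() if k not in answered}
    conflicts = {ip: sorted(s) for ip, s in macs.items() if len(s) > 1}
    return unanswered, conflicts

if __name__ == "__main__":
    unanswered, conflicts = analyze(SAMPLE)
    for (ifc, ip), n in unanswered.items():
        print(f"no reply on {ifc} for {ip} after {n} request(s)")
    for ip, seen in conflicts.items():
        print(f"{ip} answered by multiple MACs: {', '.join(seen)}")
```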
If further checking is needed, capture the ARP packets to examine the incoming and outgoing traffic. The guide below shows how to do this via the GUI and the CLI.
Technical Tip: How to capture ARP traffic using Packet Capture on FortiOS GUI and CLI
If ARP requests are being sent from the FortiGate but no responses are received, consider checking the following points.
fnsysctl ifconfig <interface name>
OR
diagnose hardware deviceinfo nic <interface name>
fnsysctl ifconfig wan1
wan1    Link encap:Ethernet  HWaddr 04:D5:90:05:DE:5E
        inet addr:10.20.30.56  Bcast:10.20.30.127  Mask:255.255.255.128
        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        RX packets:4831498 errors:0 dropped:0 overruns:0 frame:0
        TX packets:970162 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:1731919962 (1.6 GB)  TX bytes:194569216 (185.6 MB)
If FortiGate still does not learn the MAC address, the next method is to add a static ARP entry as shown below:
config system arp-table