
Why am I unable to clear the ARP entry on the ASIC?


Article ID: KB15891  KB Last Updated: 22 Jun 2010  Version: 4.0
Summary:
'clear arp' does not clear the ARP entry on the ASIC.
Symptoms:
When you run 'clear arp', the ARP entry on the ASIC is not cleared. You may see something like the following:

enterprise-fw1(M)-> get arp asic 0 | in 10.10.10.247
12386 10.10.10.247 0014c2c0dd79 eth1/3.4 0010dbff6090 130 0 0x6 14;


Solution:
The problem is actually the session count. The last number on each line of the ARP table listing is the number of sessions that still reference the entry. The entry cannot be cleared while that value is greater than 0. In this case, it is "14".

enterprise-fw1(M)-> get arp asic 0 | in 10.10.10.247
12386 10.10.10.247 0014c2c0dd79 eth1/3.4 0010dbff6090 130 0 0x6 14;


Search the session table for IP 10.10.10.247. There should be 14 entries.
If there are 14 entries, the problem is likely the customer's network. Track down the entries and determine why they are still being kept alive in the firewall.
If there are not 14 entries, the problem is likely the firewall not appropriately tracking the session reference value in the ARP table.

Notice the ARP flag of "0x6". An ASIC ARP entry with flag 0x6 is a MAC-cache related entry. It is caused by an ARP lookup failure when the session is installed. The session then tries to use the source MAC address of the incoming packet, but using that MAC address is not necessary: the MAC address can be obtained when the reply packet arrives, by sending an ARP packet to the source host.
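
The checks above, written out as an added example (not Juniper's code and not part of the original article): it parses a `get arp asic` line and applies the session-count and flag tests. Only the columns this article identifies are named; the finding labels and the `sessions_found` argument (the number of session-table entries you counted for that IP) are assumptions of the example.

```python
import re
from typing import List, NamedTuple, Optional

# Only the columns the article identifies are captured: the IP address, the
# ARP flag and the trailing session reference count. Other columns are skipped.
ASIC_ARP_RE = re.compile(
    r"^\s*\d+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+.*?\s+"
    r"(?P<flag>0x[0-9a-fA-F]+)\s+(?P<refs>\d+);?\s*$"
)
MAC_CACHE_FLAG = 0x6  # per the article: MAC-cache related entry


class AsicArpEntry(NamedTuple):
    ip: str
    flag: int
    session_refs: int


def parse_asic_arp(line: str) -> Optional[AsicArpEntry]:
    """Return the parsed entry, or None for prompts and other non-entry lines."""
    m = ASIC_ARP_RE.match(line)
    if m is None:
        return None
    return AsicArpEntry(m["ip"], int(m["flag"], 16), int(m["refs"]))


def diagnose(entry: AsicArpEntry, sessions_found: int) -> List[str]:
    """Apply the article's checks. The labels returned are hypothetical names."""
    findings = []
    if entry.session_refs == 0:
        findings.append("clearable")              # nothing references the entry
    elif sessions_found == entry.session_refs:
        findings.append("held-by-live-sessions")  # track down why they persist
    else:
        findings.append("refcount-mismatch")      # firewall tracking suspected
    if entry.flag == MAC_CACHE_FLAG:
        findings.append("mac-cache-entry")        # reverse-route workaround applies
    return findings


if __name__ == "__main__":
    # First two lines are the output shown in the article; the last is constructed.
    output = """enterprise-fw1(M)-> get arp asic 0 | in 10.10.10.247
12386 10.10.10.247 0014c2c0dd79 eth1/3.4 0010dbff6090 130 0 0x6 14;
12387 10.10.10.248 0014c2c0dd7a eth1/3.4 0010dbff6090 130 0 0x0 0;"""
    for line in output.splitlines():
        entry = parse_asic_arp(line)
        if entry:
            print(entry, diagnose(entry, sessions_found=14))
```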


As a workaround, use the command "set flow reverse-route clear-text always", then reset the firewall. The duplicate ASIC ARP entry will then never happen. This command disables MAC caching on the ASIC.

This issue is also fixed in 6.0.0r7-is1, a patch based on 6.0.0r7.