Forum Discussion
Firewall Lost ARP entry After Virtual Server Migration
We are in the process of decommissioning our old Big-IP 3600 LTMs. We are replacing them with new BIG-IP 4200 LTMs. We are moving active production virtual servers off the old LTMs and onto the new LTMs. We moved one particular virtual server to the new LTMs, but had to roll it back to the old LTMs due to an unexpected proxy outage not related to our migration. The configuration on the new LTM was only disabled. The state was changed to "disabled," the virtual address was modified so it would not accept any traffic, and ARP was disabled on both the Virtual Address and the SNAT Translation Address.
The migration was attempted again and our application team confirmed everything was working as normal. We were running a tcpdump on the virtual server address on the old LTM and the new LTM to confirm traffic was being sent to the new LTM. Traffic was indeed going to the new LTM.
A couple of days later, the application team reported their URL stopped working. Upon investigation, we performed a tcpdump on the virtual address on the new LTM to see what was going on. The tcpdump revealed our firewall sending ARP requests, but the new LTM was not responding to them. The firewall did not know on which device the IP address lived. We reviewed the LTM configuration on the new LTM and found the ARP setting was unchecked for the virtual server address in the virtual server address list. Once the ARP setting was enabled, the firewall learned the device and was able to send traffic to the virtual IP.
What we would like to know is the following:
- How did the firewall learn that the virtual IP resides on the new LTM during the night of the virtual server migration? We suspect the firewall learned the new LTM by the IP address in the SNAT translation list since that was the only component that had ARP enabled, but we'd like confirmation on your end.
- If the firewall learned the new LTM by the IP address in the SNAT translation list, and not by the virtual server IP address (Virtual Address List), why did the new LTM not respond to the firewall's ARP requests?
We just want to understand how the firewall was able to learn that the virtual address lived on the new LTM if the ARP setting for the virtual address in the Virtual Address List was disabled.