Symptom

A Catalyst 9300 switch may not punt a Gratuitous ARP packet to the CPU. This results in ARP entries not updating if the MAC address changes for the IP, resulting in black-holing of traffic The G-ARP packet can be observed via embedded packet capture utility on the interface where it is received but is not observed in a FED punt debug indicating the packet is not sent to the CPU

Conditions

G-ARP packet coming in L2 interface when MAC address is different from current ARP entry MAC address This can be observed when multiple devices share a virtual IP in an active/standby setup and rely on G-ARP to update the MAC on the ARP entry when failovers are performed This behavior has been observed on 17.6.4

Workaround

Clear ARP entry manually Lower ARP timeout on L3 interface to an acceptable value to force the entry to age out faster and trigger a new ARP request/reply Default aging timer is 4 hours but can be significantly lowered if required

Further Problem Description