Cannot delete "incomplete" device from arp table.



  • I have two devices in my arp table that use to be a static IP but since moved them. They keep showing up in the arp table as "incomplete". I delete them and they come right back after a bit.

    Is there a way to remove them?



  • Are those devices still on the network?



  • Yes they are. They are my Unifi AP's. I changed the static IP from 192.168.1.10 and 192.168.1.11 to 192.168.1.5 and 192.168.1.6

    0_1548958349548_9a24e792-f5f0-4632-973c-43b1f0b97c99-image.png



  • The arp incomplete means that an arp request has been sent, but received no reply. So, something must be trying to reach those addresses. If that arp incomplete appears in the pfSense computer, then that arp request came from it, either on it's own or on behalf of something trying to communicate through the router.



  • Okay. Is it possible if I added those devices and edit the static mapping and checked the "Create an ARP Table Static Entry for this MAC & IP Address pair" box at that time. Would that be causing it?



  • @dayve said in Cannot delete "incomplete" device from arp table.:

    Okay. Is it possible if I added those devices and edit the static mapping and checked the "Create an ARP Table Static Entry for this MAC & IP Address pair" box at that time. Would that be causing it?

    I don't know about that, but making an arp request would. It has nothing to do with static mapping, but with pfSense, or something routing through it, trying to reach that address. If you no longer use static maps, then you're either using plain DHCP or static config. If static, do they have the same address as before? If DHCP, then they would have different addresses from previous.



  • @jknott I'm using Static and changed the IP's in the DHCP Static Mappings to new IP's.

    192.168.1.10 got changed to 192.168.1.5
    192.168.1.11 got changed to 192.168.1.6

    0_1548965250019_5d96327c-aea4-45f3-9888-f10787f3b5b0-image.png

    Edit: My DHCP range is 192.168.1.100 to 192.168.1.199



  • That still doesn't answer the question of whether some device is trying to reach those addresses. Arp requests are only generated when there is some attempt to reach an IP address. The ARP request is received by all devices and the one with the matching IP address responds. So, if you're seeing incompletes, then pfSense or something routed by it is trying to reach those addresses. Fire up the pfSense Packet Capture on the LAN interface, to see the ARP request go out. Also, items in the ARP cache are deleted after a period of time, so the requests have to be going out fairly frequently, if those addresses are always listed.

    BTW, why are you hiding the MAC addresses? They'll never be seen or be reachable from anywhere other than the local network. There is absolutely no risk of someone trying to use them to attack your network.



  • @jknott Thanks for your help. I know nothing about this. Here is a capture showing 192.168.1.11. Does this help?

    0_1548973306741_54d88f89-47e3-4670-924a-630da04cc12d-image.png



  • @dayve said in Cannot delete "incomplete" device from arp table.:

    Here is a capture showing 192.168.1.11. Does this help?

    Yes. It shows an ARP request from 192.168.1.1, which is your pfSense firewall. That means either it or some device being routed by it are trying to reach that 192.168.1.11. Are there any other local LANs connected to it? It would not be coming from the WAN interface.



  • @jknott I don't have any other LANs that I know of. There is a Unifi controller for my AP's and US 24 switch. Could it be something to do with it? I thinking on shutting the controller down to see if that works.

    Sorry I'm grasping at straws.



  • @dayve said in Cannot delete "incomplete" device from arp table.:

    Could it be something to do with it?

    No. If those are in the pfSense ARP cache, then the requests can only have come from pfSense, either on it's own, or as a result of routing from another network. Since you've ruled out other networks, it has to be from pfSense.



  • @jknott I'm not going to jump the gun but I think I found it. I'm using Home Assistant for my home automation and inside it I have setup trackers for devices. I ping the devices and if they do not respond I send a message to my phone telling which device is down. In my code I was still pinging those old IP's.

    Lets hope that was it. Thank you so much for your help.


Log in to reply