[BUG] ARP records from Palo Alto firewalls keep getting closed and re-opened

[lunkwill42]

Describe the bug

As reported by NAV user Mehmet E. Şahin on the nav-users mailing list in June 2024, any ARP record created by the recently added Palo Alto ARP plugin seems to get automatically closed after only 20 minutes, and then re-added again at a later time.

While my preliminary analysis at the time was that regular arp.py plugin and the paloaltoarp.py plugin might be stepping on each others toes, so to speak, when the user's data attached data is examined more closely, the interval is not as regular as 20 minutes. It seems more random, and reminds me of #2910.

NAV did have a bug where ARP records were getting prematurely closed every time a ping response was missed from a router, but the user reported running NAV 5.10.2, which featured a fix for this exact problem.

This warrants further research.

To Reproduce

Reproducible only by having access to an actual Palo Alto firewall.

Expected behavior

Records

Screenshots

This is the screenshot attached by the user on the public mailing list:

Environment (please complete the following information):

• NAV version installed: 5.10.2

Additional context

None yet.

[lunkwill42]

The original analysis does seem to hold up when studying the arp plugin code again. The plugin does a full processing of ARP records, marking open and missing ARP records for closure. This would mean that when it runs on a Palo Alto device, it will not find any ARP records using SNMP, and end up closing all the ones opened by the paloaltoarp plugin. However, the paloaltoarp plugin will run immediately after and make the same kind of sweeping changes based on what it found through the API.

It is uncertain how the two plugins ultimately end up affecting each other. The original reporter says records are collected every 20 minutes, but the ip2mac ipdevpoll jobb is configured by default to run only every 30 minutes, so unless they changed the interval in ipdevpoll.conf, it is not entirely clear why the observed intervals do not match up with 30 minutes.

[lunkwill42]

It is uncertain how the two plugins ultimately end up affecting each other. The original reporter says records are collected every 20 minutes, but the ip2mac ipdevpoll jobb is configured by default to run only every 30 minutes, so unless they changed the interval in ipdevpoll.conf, it is not entirely clear why the observed intervals do not match up with 30 minutes.

The user has clarified that they have actually changed the job interval to 20 minutes.