Attached a PCAP trace I did a while ago already. Behaviour is still the same now and I can reproduce it any time.
The PCAP is a merged PCAP taken on the office firewall and the target host.
Target host is 192.168.44.83, ex4200 is 192.168.44.8 (Vlan20, 192.168.44.0/23).
Test is an ssh to the target host. You can see the TCP SYN going out on the office firewall triggering an immediate ARP broadcast. Then you see the "duplicate" TCP SYN. Wireshark then interprets the double packets in the merged PCAP as "out-of-order".
Commands to capture were:
- On the target host 192.168.44.83:
tshark -i eth1 -w x.pcap host 192.168.41.91 or arp
- On the office firewall (where my workstation is connected to):
tshark -i eth0.5 -w y.pcap -f "host 192.168.44.83"
>What is the time taken for 1st ping from vlan.20 to vlan 20 host after clear arp?
I'm not sure if I got the question. The packet never arrives. So it would be infinite. Only the first retransmitted packet from the source arrives on the target.
This does NOT happen on a non-vrf interface vlan.6 on sw2e.
    schoberw@sw2e> clear arp interface vlan.6 hostname a.b.c.34
    a.b.c.34 deleted
    {master:0}
    schoberw@sw2e> show arp interface vlan.6
    MAC Address        Address    Name              Interface  Flags
    00:0c:c6:79:d5:91  a.b.c.33   box1.domain.name  vlan.6     none
    {master:0}
=> No ARP there.
Do the ping on s3 to .34:
    root@s3:~# ping a.b.c.34
    PING a.b.c.34 (a.b.c.34) 56(84) bytes of data.
    64 bytes from a.b.c.34: icmp_req=1 ttl=252 time=29.9 ms
    64 bytes from a.b.c.34: icmp_req=2 ttl=252 time=1.00 ms
=> First Ping is NOT lost.
    schoberw@sw2e> show arp interface vlan.6
    MAC Address        Address    Name              Interface  Flags
    00:0c:c6:79:d5:91  a.b.c.33   box1.domain.name  vlan.6     none
    00:24:14:17:f1:19  a.b.c.34   a.b.c.34          vlan.6     none
    Total entries: 2
    {master:0}