Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Incomplete ARP and Encapsulation Failed

Having an interesting issue. I am getting an Incomplete ARP:

Internet 0 Incomplete ARPA

All the other IPs in the VLAN1000 are ARPing fine. The .2 is the physical address of an HSRP router. When I run a debug IP packets I can see that encapsulation fails going to .2. Here is that message:

Aug 26 15:17:18.779: IP: s= (Vlan20), d= (Vlan1000), g=, len 60, forward

Aug 26 15:17:18.779: IP: s= (Vlan20), d= (Vlan1000), len 60, encapsulation failed

Anyone seen this before. I know about the cables and such but I guess one other question is, why are packets being sent to .2 instead of the HSRP address of .1.



Hall of Fame Super Silver

Re: Incomplete ARP and Encapsulation Failed

Hello James,

does a ping to be successful from the same device complaining of ARP incomplete?

is the MAC address of the HSRP active router present in the Vlan1000 cam table?

sh mac-address-table vlan 1000

and is the local device speaking any form of routing protocol or it has a static route with next-hop

Hope to help


Community Member

Re: Incomplete ARP and Encapsulation Failed

To both replies,

Ping fails but only because the gateway is a VLAN on a 6500 with a fw module installed.

Show mac-address VLAN 1000 shows the ARP entry in port 17 of the HSRP address (a080 are the last four hex which I believe indicates the virtual mac).

I see other MAC addresses on the same port and they resolve fine. These would be MACs of a some servers and such that are on the same VLAN.

Ok, stupid question time. The access port on the uplink switch is VLAN 252. So basically my port 17 is plugged into a 3750 access vlan 252 port. MY VLAN on port 17 on my 3750 is set to VLAN 1000.

So I guess the question is whether changing my access port to VLAN 252 on this switch would make this go away. I dont want to have to do this as it creates a ton of work for me on the backend (this is a pilot project and I am just trying to connect to the corporate network- the VLAN 1000 contains all my VIPs for my ACE=4710 module which means I would have to reconfigure my switch and a bunch of my 4710 if the fix was to change to VLAN 252).

I am going to go cry now because I think I already know the answer! But please respond to make sure.


Hall of Fame Super Silver

Re: Incomplete ARP and Encapsulation Failed

Hello James,

sorry for the late answer

you have joined two broadcast domains vlan 252 and vlan 1000.

But this shouldn't cause the issue you are seeing.

I guess ACE is inserted in bridged mode between real servers in vlan 252 and virtual servers in vlan 1000.

This is a typical setup also with CSM module

your scenario should look like

MSFC/supervisor --- FWSM -- ACE --- vlan real servers.

Hope to help


Cisco Employee

Re: Incomplete ARP and Encapsulation Failed

Hello James,

If a MAC address of the is unknown then the message "encapsulation failed" is logical - you are not able to construct a frame that would encapsulate your packet and send it to that machine. I don't know this for sure but it is possible that if a router is the Active router in a standby group, it won't reply to ARP queries about its real IP address - that could explain why you cannot see the MAC address of the .2.

You are asking why your packets are sent to .2 instead of .1. The first place to look in is your routing table. I believe that it contains routes whose next hop is .2 and not .1. If the routing table is static then I just suggest correcting the static entries. However, if a dynamic protocol is used then it does not go well with the HSRP. Are there any end stations (PCs, workstations) on the VLAN1000 in your topology, or is it just a transit network?

Best regards,


CreatePlease to create content