Dynamic ARP Inspection: too many frame drops due to IP VALID FAILURE

Question, answered (updated 3 years ago)
Hello,

We have B5 series switches with DAI enabled, and I keep getting these errors:

May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(592) 289852 This is from manager 1 %% DAI dropped ARP frame rcvd on i/f ge.1.38 in vlan 50, due to - IP VALID FAILURE
May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(484) 289853 This is from manager 1 %% DAI: Ethernet header- dest FF:FF:FF:FF:FF:FF, src 00:23:24:7E:07:CD, type/len 0x8100.
May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(535) 289854 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip 0.0.0.0, target mac 00:00:00:00:00:00, target ip 10.10.1.94
Sometimes some ports reach the limit, and then I get this:
May 12 15:50:44 10.12.3.114 DAI[170022088]: dai_main.c(624) 290697 This is from manager 1 %% DAI Interface ge.1.38 Error-Disabled!! Rate Limit 15 pps with burst interval 1 hit
May 12 15:50:44 10.12.3.114 DAI[170022088]: dai_main.c(627) 290698 This is from manager 1 %% User has to bring the interface ge.1.38 up explicitly
I changed the rate limit to 30 pps, and with this setting the switch doesn't bring down the interface, but the logs keep coming.

I looked into what the logs mean and found out that these are DHCP ARP frames for checking IP conflicts. The question is: why does DAI drop these frames when they are useful? How can I set the switch to not drop these without turning off the IP validation?

Thanks in advance.

Regards,
Daniel Szigeti
Posted 3 years ago

Rahman Duran
I am also seeing this. Any idea how to solve it?
Straw, Glyn, Employee
Hi Daniel, 

Without seeing your configs, it seems that you have configured DAI with the optional ARP inspection validate command for IP address checking.

When this option is enabled, DAI drops ARP packets with an invalid IP address. The following IP addresses are considered invalid:

• 0.0.0.0
• 255.255.255.255
• All IP multicast addresses
• All class E addresses (240.0.0.0/4)

From the error shown it seems that the source IP address is 0.0.0.0 and hence is considered invalid and dropped as per the configuration. The feature seems to be doing what it is configured to do. If this were a standard DHCP discover packet I would not expect it to be dropped, but I don't think that is the case here.

If you turn off the optional IP checking but retain the other arp inspection validate options, this would stop it; but the option is fixed as to what it considers an invalid IP address.

Did you say this is from the DHCP server? Can that be configured to send with a valid source IP address?

Does my understanding of what you have sound correct to you? If not, it may be a good idea to open a case with us so that we can review your configs and logs in more depth and assist you further.

Best Regards
Glyn
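As an added example (not code from the thread or from Extreme), the following Python re-implements the "validate ip" decision Glyn describes over a raw ARP frame. It parses an optionally 802.1Q-tagged Ethernet/ARP frame, applies the four invalid-address classes listed above, and separately recognises the RFC 5227 ARP Probe that Windows duplicate-address detection sends (request, sender IP 0.0.0.0, all-zero target MAC). The frames are constructed from the values in the syslog lines in the question; the rule that the sender IP is checked on every packet and the target IP only on replies is an assumption, since the thread only says "packets with an invalid IP address".

```python
"""DAI 'validate ip' check re-implemented over raw ARP frames (added example)."""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def build_arp_frame(dst_mac, src_mac, op, sender_mac, sender_ip,
                    target_mac, target_ip, vlan=None) -> bytes:
    """Build an (optionally 802.1Q-tagged) Ethernet/ARP frame; used only to construct sample input."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)  # TCI: PCP/DEI 0, VID = vlan
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype=Ethernet, ptype=IPv4, hlen=6, plen=4
    arp += _mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(raw: bytes) -> dict:
    """Decode Ethernet header (with or without a VLAN tag) and the 28-byte IPv4 ARP body."""
    dst, src, ethertype = raw[0:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", raw[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = raw[off + 8:off + 28]
    return {
        "dst_mac": _mac_str(dst), "src_mac": _mac_str(src), "vlan": vlan, "op": op,
        "sender_mac": _mac_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": _mac_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def is_invalid_ip(ip: str) -> bool:
    """The four address classes the answer lists as invalid for the 'validate ip' option."""
    a = ipaddress.IPv4Address(ip)
    return (a == ipaddress.IPv4Address("0.0.0.0")
            or a == ipaddress.IPv4Address("255.255.255.255")
            or a.is_multicast
            or a in CLASS_E)


def dai_validate_ip(arp: dict) -> tuple:
    """Return (accepted, reason).
    Assumption: sender IP is checked on every packet, target IP additionally on replies."""
    if is_invalid_ip(arp["sender_ip"]):
        return False, f"IP VALID FAILURE: sender ip {arp['sender_ip']}"
    if arp["op"] == ARP_REPLY and is_invalid_ip(arp["target_ip"]):
        return False, f"IP VALID FAILURE: target ip {arp['target_ip']}"
    return True, "ok"


def is_address_probe(arp: dict) -> bool:
    """RFC 5227 ARP Probe (what Windows duplicate-address detection sends):
    a request whose sender IP is 0.0.0.0 and whose target MAC is all zeros."""
    return (arp["op"] == ARP_REQUEST and arp["sender_ip"] == "0.0.0.0"
            and arp["target_mac"] == "00:00:00:00:00:00")


# Constructed frames; field values are taken from the syslog lines in the question.
PROBE = build_arp_frame("FF:FF:FF:FF:FF:FF", "00:23:24:7E:07:CD", ARP_REQUEST,
                        "00:23:24:7E:07:CD", "0.0.0.0",
                        "00:00:00:00:00:00", "10.10.1.94", vlan=50)
# A true gratuitous ARP from the same host once it holds the address (sender IP populated).
GRATUITOUS = build_arp_frame("FF:FF:FF:FF:FF:FF", "00:23:24:7E:07:CD", ARP_REQUEST,
                             "00:23:24:7E:07:CD", "10.10.1.94",
                             "00:00:00:00:00:00", "10.10.1.94", vlan=50)

if __name__ == "__main__":
    for name, raw in (("probe", PROBE), ("gratuitous", GRATUITOUS)):
        arp = parse_arp_frame(raw)
        print(name, "vlan", arp["vlan"], arp["sender_ip"], "->", arp["target_ip"],
              dai_validate_ip(arp), "ARP Probe" if is_address_probe(arp) else "")
```

The probe is dropped for exactly the reason the log gives (sender IP 0.0.0.0), while the gratuitous ARP from the same host passes, which is the distinction Glyn draws later in the thread: the IP check cannot be told to whitelist probes, so any fix has to be on the clients or in the switch's validate/limit settings.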
Daniel Szigeti
Thanks for your reply.
On interface ge.1.38 we have a PC. The DHCP clients check for IP conflicts in the network, as Rahman said. The problem is that in these packets the sender IP is 0.0.0.0, and the IP validation considers this invalid. We will consider disabling this feature on the Windows clients if I don't get any other solution.
Rahman Duran
Hi,

In my situation the DHCP clients send the ARP packet, not the DHCP server. As I understand it, this is called gratuitous ARP (https://wiki.wireshark.org/Gratuitous_ARP); it seems the Windows OS uses it to detect IP conflicts, and you can also disable it (https://support.microsoft.com/en-us/kb/219374?wa=wsignin1.0).

I don't care if the packets are dropped by DAI, as dropping them has no negative effect. But the problem is that I needed to disable DAI rate limiting completely, because even the maximum limit of 50 pps on an A4H switch disabled some of the client ports.
Straw, Glyn, Employee
Hi Rahman, 

Did you try using the command "set arpinspection limit" and setting it to "none"? I think this should achieve that?

Best Regards
Glyn
Rahman Duran
Hi Glyn,

Yes, this is what I did to work around the problem. But without DAI shutting down ports, we cannot pinpoint users who try to use programs like NetCut without reading logs.

Thanks.
Straw, Glyn, Employee
OK, so let's summarise:

The packets that are triggering the DAI ARP inspection function are actually invalid ARP packets, since they have source address = 0.0.0.0. The feature is configured to log invalid IP addresses, so it is doing what it is configured to do.

A true gratuitous ARP packet should still have the source IP address field populated with the device's valid address.

It seems that the packets we are talking about here are probes sent by Windows machines to detect duplicate IP addresses, and they use source IP 0.0.0.0 to make sure that no other devices update their cache.

If we get enough of these, we can trigger the rate limit and adversely affect traffic.

Options:

- Increase the rate limit and burst interval to take account of these packets (if these packets are getting towards the level of 50 pps, then there may be other things going on in the network, because they should not be that frequent). The downside to this is that you still get the syslogs reporting the violation, so you have to filter out those logs.

- Disable duplicate address detection on the clients.

- Turn off the optional IP checking but retain the other arp inspection validate options and DHCP snooping (this retains all other features and rate limiting, with no entries in the logs).

- Set arpinspection limit to none (this means that we only report invalid packets in logs and don't action the rate limit; we lose the intended reactive benefit of DAI).

Please let me know if this helps. The only other thing I can suggest is that if you believe these frames should be allowed, we could present a feature request to see if that behaviour can be changed. In order to do that you would need to open a case with Extreme.

Thanks and Best Regards
Glyn
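The first and last options above leave the drop logs in place and rely on someone reading them, which is the gap Rahman points out. As an added example (not from the thread or from Extreme), the Python below does that reading: it reassembles the three-line DAI drop records into events, separates Windows address probes from other invalid-IP drops, reports the top sender MACs per port, and estimates, for a given rate and burst interval, whether a port would have been err-disabled. Assumptions: one syslog record per line (the forum wrapped the lines in the question); only logged drops are counted, a lower bound on what the rate limiter sees; and the threshold semantics (more than rate x interval events inside any interval-second window) are assumed rather than taken from Extreme documentation. The log is constructed from the record format in the question.

```python
"""Triage DAI IP VALID FAILURE syslog records: who sends them, and would the rate limit trip? (added example)"""
import re
from collections import Counter, defaultdict
from datetime import datetime

DROP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ DAI\[\d+\]: .*%% DAI dropped ARP frame "
    r"rcvd on i/f (?P<iface>\S+) in vlan (?P<vlan>\d+), due to - (?P<reason>.+?)\s*$")
ETH_RE = re.compile(
    r"%% DAI: Ethernet header- dest (?P<dst>[0-9A-Fa-f:]{17}), src (?P<src>[0-9A-Fa-f:]{17}), "
    r"type/len (?P<etype>0x[0-9A-Fa-f]+)")
ARP_RE = re.compile(
    r"%% DAI: ARP PKT- op (?P<op>\w+), sender mac (?P<smac>[0-9A-Fa-f:]{17}), sender ip (?P<sip>[\d.]+), "
    r"target mac (?P<tmac>[0-9A-Fa-f:]{17}), target ip (?P<tip>[\d.]+)")


def parse_dai_events(lines):
    """Fold each 'dropped' line plus its Ethernet and ARP detail lines into one event dict."""
    events, cur = [], None
    for line in lines:
        m = DROP_RE.match(line)
        if m:
            cur = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
                   "iface": m["iface"], "vlan": int(m["vlan"]), "reason": m["reason"]}
            continue
        if cur is None:
            continue
        m = ETH_RE.search(line)
        if m:
            cur["src_mac"] = m["src"].upper()
            continue
        m = ARP_RE.search(line)
        if m:
            cur.update(op=m["op"], sender_mac=m["smac"].upper(), sender_ip=m["sip"], target_ip=m["tip"])
            # RFC 5227 ARP Probe: request with sender IP 0.0.0.0 (Windows duplicate-address detection)
            cur["kind"] = "dad-probe" if cur["op"] == "Request" and cur["sender_ip"] == "0.0.0.0" else "other"
            events.append(cur)
            cur = None
    return events


def summarize(events, rate_pps=15, burst_interval=1):
    """Per interface: drop counts by kind, top senders, and the peak count of logged drops
    inside any burst_interval-second window compared with rate_pps * burst_interval (assumed rule)."""
    threshold = rate_pps * burst_interval
    by_iface = defaultdict(list)
    for e in events:
        by_iface[e["iface"]].append(e)
    report = {}
    for iface, evs in by_iface.items():
        times = sorted(e["ts"] for e in evs)
        peak = 0
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if (t - start).total_seconds() < burst_interval)
            peak = max(peak, n)
        probes = sum(e["kind"] == "dad-probe" for e in evs)
        report[iface] = {
            "drops": len(evs), "dad_probes": probes, "other": len(evs) - probes,
            "peak_per_window": peak, "would_err_disable": peak > threshold,
            "top_senders": Counter(e["sender_mac"] for e in evs).most_common(3),
        }
    return report


def _record(ts, iface, vlan, mac, op, sip, tip, seq):
    """Constructed three-line DAI record in the format shown in the question."""
    head = f"{ts} 10.12.3.114 DAI[170022088]:"
    return [
        f"{head} dai_util.c(592) {seq} This is from manager 1 %% DAI dropped ARP frame rcvd on i/f {iface} in vlan {vlan}, due to - IP VALID FAILURE",
        f"{head} dai_util.c(484) {seq + 1} This is from manager 1 %% DAI: Ethernet header- dest FF:FF:FF:FF:FF:FF, src {mac}, type/len 0x8100.",
        f"{head} dai_util.c(535) {seq + 2} This is from manager 1 %% DAI: ARP PKT- op {op}, sender mac {mac}, sender ip {sip}, target mac 00:00:00:00:00:00, target ip {tip}",
    ]


SAMPLE_LOG, _seq = [], 290600  # constructed sample, not real switch output
for _ in range(20):  # 20 probes inside one second on ge.1.38: a burst above the 15 pps limit
    SAMPLE_LOG += _record("May 12 15:50:44", "ge.1.38", 50, "00:23:24:7E:07:CD", "Request", "0.0.0.0", "10.10.1.94", _seq)
    _seq += 3
for _t in ("08:02:54", "08:02:55", "08:02:57"):  # a client probing at a normal pace on ge.1.12
    SAMPLE_LOG += _record(f"May 12 {_t}", "ge.1.12", 50, "00:23:24:AA:BB:CC", "Request", "0.0.0.0", "10.10.1.120", _seq)
    _seq += 3
# One drop that is not an address probe (a reply with a broadcast sender IP) on ge.1.20
SAMPLE_LOG += _record("May 12 09:15:01", "ge.1.20", 50, "00:11:22:33:44:55", "Reply", "255.255.255.255", "10.10.1.1", _seq)

EVENTS = parse_dai_events(SAMPLE_LOG)

if __name__ == "__main__":
    for limit in (15, 30):
        print(f"--- rate {limit} pps, burst interval 1 ---")
        for iface, r in sorted(summarize(EVENTS, limit, 1).items()):
            print(iface, r)
```

Running it shows the effect of the first option in the list: at 15 pps the ge.1.38 burst would err-disable the port, at 30 pps it would not, and in both cases the non-probe drop on ge.1.20 stands out from the probe noise, which is the kind of event worth following up on a port.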
Daniel Szigeti
If I turn off the IP validation the logs stop, but I don't want to leave this setting like this permanently. I will test what happens if I turn off IP conflict detection in the Windows clients, but we use Windows 8.1 and I'm not sure the linked article will help. I will write when the test is completed.
Straw, Glyn, Employee
I added an article to the public knowledgebase to assist others in case this issue is seen again:

https://gtacknowledge.extremenetworks.com/articles/Solution/Dynamic-Arp-Inspection-drops-Arp-frame-due-IP-VAILD-FAILURE-with-Source-Address-0-0-0-0