This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forÂ
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EOS)
- Dynamic ARP Inspection too many frame drops due IP...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Dynamic ARP Inspection too many frame drops due IP VALID FAILURE
Dynamic ARP Inspection too many frame drops due IP VALID FAILURE
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-26-2015 07:28 AM
Hello,
We have B5 series switches with enabled DAI and I am always getting these errors:
May 12 08:02:54 10.12.3.114
DAI[170022088]: dai_util.c(592) 289852 This is from manager 1 %% DAI dropped
ARP frame rcvd on i/f ge.1.38 in vlan 50, due to - IP VALID FAILUREMay 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(484) 289853 This is from manager 1 %% DAI: Ethernet header- dest FF:FF:FF:FF:FF:FF, src 00:23:24:7E:07:CD, type/len 0x8100. May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(535) 289854 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip 0.0.0.0, target mac 00:00:00:00:00:00, target ip 10.10.1.94Sometimes some ports reach the limit then I get this:
May 12 15:50:44 10.12.3.114 DAI[170022088]: dai_main.c(624) 290697 This is from manager 1 %% DAI Interface ge.1.38 Error-Disabled!! Rate Limit 15 pps with burst interval 1 hit May 12 15:50:44 10.12.3.114 DAI[170022088]: dai_main.c(627) 290698 This is from manager 1 %% User has to bring the interface ge.1.38 up explicitly I changed the rate limit to 30 pps and with this setting the switch doesn't bring down the interface but the logs are keep coming.
I am looking to it what the logs mean and I find out these are DHCP ARP frames for check IP conflict. The question is why drop DAI these frames when they are useful? How can I set the switch to not drop these without turning off the IP validation?
Thanks in advance.
Regards,
Daniel Szigeti
We have B5 series switches with enabled DAI and I am always getting these errors:
May 12 08:02:54 10.12.3.114
DAI[170022088]: dai_util.c(592) 289852 This is from manager 1 %% DAI dropped
ARP frame rcvd on i/f ge.1.38 in vlan 50, due to - IP VALID FAILUREMay 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(484) 289853 This is from manager 1 %% DAI: Ethernet header- dest FF:FF:FF:FF:FF:FF, src 00:23:24:7E:07:CD, type/len 0x8100. May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(535) 289854 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip 0.0.0.0, target mac 00:00:00:00:00:00, target ip 10.10.1.94Sometimes some ports reach the limit then I get this:
May 12 15:50:44 10.12.3.114 DAI[170022088]: dai_main.c(624) 290697 This is from manager 1 %% DAI Interface ge.1.38 Error-Disabled!! Rate Limit 15 pps with burst interval 1 hit May 12 15:50:44 10.12.3.114 DAI[170022088]: dai_main.c(627) 290698 This is from manager 1 %% User has to bring the interface ge.1.38 up explicitly I changed the rate limit to 30 pps and with this setting the switch doesn't bring down the interface but the logs are keep coming.
I am looking to it what the logs mean and I find out these are DHCP ARP frames for check IP conflict. The question is why drop DAI these frames when they are useful? How can I set the switch to not drop these without turning off the IP validation?
Thanks in advance.
Regards,
Daniel Szigeti
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎06-10-2015 11:13 AM
I added an article to the public knowledgebase to assist others in case this issue is seen again
https://gtacknowledge.extremenetworks.com/articles/Solution/Dynamic-Arp-Inspection-drops-Arp-frame-d...
https://gtacknowledge.extremenetworks.com/articles/Solution/Dynamic-Arp-Inspection-drops-Arp-frame-d...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎06-08-2015 12:14 PM
Ok , so lets summarise:
The packets that are triggering the DAI arp inspection function are actually invalid arp packets since they have source address = 0.0.0.0. The feature is configured to log invalid ip addresses so it is doing what it is configured to do.
A true gratuitous arp packet should still have the source ip address field populated with the devices valid address.
It seems that the packets we are talking about here are probes sent by windows machines to detect duplicate ip address and they use source ip 0.0.0.0 to make sure that no other devices update their cache.
If we get enough of these we can trigger the rate limit and adversely affect traffic
Options :
- Increase the rate limit and burst interval to take account of these packets ( if these packets are getting towards the level of 50pps then there may be other things going on in the network because they should not be that frequent). The downside to this is that you still get the syslogs reporting the violation so have to filter out those logs.
- disable duplicate address detection on the clients
- turn off the optional ip checking but retain the other arp inspection validate options and dhcp snooping ( this retains all other features and rate limiting with no entries in the logs )
- set arpinspection limit to none ( this means that we only report invalid packets in logs and don't action the rate limit - we lose the intended reactive benefit of DAI )
Please let me know if this helps. The only other thing i can suggest is that if you believe that these frames should be allowed we could present a feature request to see if that behaviour can be changed. In order to do that you would need to open a case with Extreme.
Thanks and Best Regards
Glyn
The packets that are triggering the DAI arp inspection function are actually invalid arp packets since they have source address = 0.0.0.0. The feature is configured to log invalid ip addresses so it is doing what it is configured to do.
A true gratuitous arp packet should still have the source ip address field populated with the devices valid address.
It seems that the packets we are talking about here are probes sent by windows machines to detect duplicate ip address and they use source ip 0.0.0.0 to make sure that no other devices update their cache.
If we get enough of these we can trigger the rate limit and adversely affect traffic
Options :
- Increase the rate limit and burst interval to take account of these packets ( if these packets are getting towards the level of 50pps then there may be other things going on in the network because they should not be that frequent). The downside to this is that you still get the syslogs reporting the violation so have to filter out those logs.
- disable duplicate address detection on the clients
- turn off the optional ip checking but retain the other arp inspection validate options and dhcp snooping ( this retains all other features and rate limiting with no entries in the logs )
- set arpinspection limit to none ( this means that we only report invalid packets in logs and don't action the rate limit - we lose the intended reactive benefit of DAI )
Please let me know if this helps. The only other thing i can suggest is that if you believe that these frames should be allowed we could present a feature request to see if that behaviour can be changed. In order to do that you would need to open a case with Extreme.
Thanks and Best Regards
Glyn
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎06-08-2015 12:14 PM
If I turn off the IP validation the logs stop but I don't want to leave like this this setting permanently. I will test what if I turn off IP conflict detection in Windows clients but we use Windows 8.1 and I'm not sure the linked article below will help. I will write if the test be completed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎06-04-2015 03:55 AM
Hi Glyn,
Yes this is what I did to workaround the problem. But without DAI shutting down ports, we can not pinpoint users who try to use programs like NetCut without reading logs.
Thanks.
Yes this is what I did to workaround the problem. But without DAI shutting down ports, we can not pinpoint users who try to use programs like NetCut without reading logs.
Thanks.
