Dynamic ARP Inspection too many frame drops due IP VALID FAILURE

New Contributor II

We have B5 series switches with DAI enabled and I am always getting these errors:

May 12 08:02:54 DAI[170022088]: dai_util.c(592) 289852 This is from manager 1 %% DAI dropped ARP frame rcvd on i/f ge.1.38 in vlan 50, due to - IP VALID FAILURE
May 12 08:02:54 DAI[170022088]: dai_util.c(484) 289853 This is from manager 1 %% DAI: Ethernet header- dest FF:FF:FF:FF:FF:FF, src 00:23:24:7E:07:CD, type/len 0x8100.
May 12 08:02:54 DAI[170022088]: dai_util.c(535) 289854 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip, target mac 00:00:00:00:00:00, target ip

some ports reach the limit then I get this:

May 12 15:50:44 DAI[170022088]: dai_main.c(624) 290697 This is from manager 1 %% DAI Interface ge.1.38 Error-Disabled!! Rate Limit 15 pps with burst interval 1 hit
May 12 15:50:44 DAI[170022088]: dai_main.c(627) 290698 This is from manager 1 %% User has to bring the interface ge.1.38 up explicitly

I changed the rate limit to 30 pps and with this setting the switch doesn't bring down the interface, but the logs keep coming.

I looked into what the logs mean and found out these are DHCP ARP frames for checking IP conflicts. The question is why does DAI drop these frames when they are useful? How can I set the switch to not drop these without turning off the IP validation?

Thanks in advance.

Daniel Szigeti

Extreme Employee
I added an article to the public knowledgebase to assist others in case this issue is seen again.

Extreme Employee
OK, so let's summarise:

The packets that are triggering the DAI arp inspection function are actually invalid arp packets since they have source address = The feature is configured to log invalid ip addresses so it is doing what it is configured to do.

A true gratuitous ARP packet should still have the source IP address field populated with the device's valid address.

It seems that the packets we are talking about here are probes sent by Windows machines to detect duplicate IP addresses and they use source IP to make sure that no other devices update their cache.

If we get enough of these we can trigger the rate limit and adversely affect traffic.

Options :

- Increase the rate limit and burst interval to take account of these packets (if these packets are getting towards the level of 50 pps then there may be other things going on in the network because they should not be that frequent). The downside to this is that you still get the syslogs reporting the violation, so you have to filter out those logs.

- Disable duplicate address detection on the clients.

- Turn off the optional IP checking but retain the other ARP inspection validate options and DHCP snooping (this retains all other features and rate limiting with no entries in the logs).

- Set arpinspection limit to none (this means that we only report invalid packets in logs and don't action the rate limit - we lose the intended reactive benefit of DAI).

Please let me know if this helps. The only other thing I can suggest is that if you believe that these frames should be allowed we could present a feature request to see if that behaviour can be changed. In order to do that you would need to open a case with Extreme.

Thanks and Best Regards

If I turn off the IP validation the logs stop, but I don't want to leave this setting like this permanently. I will test what happens if I turn off IP conflict detection in Windows clients, but we use Windows 8.1 and I'm not sure the linked article below will help. I will write when the test is completed.

New Contributor III
Hi Glyn,

Yes, this is what I did to work around the problem. But without DAI shutting down ports, we cannot pinpoint users who try to use programs like NetCut without reading logs.
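
A small log triage script for the situation described in the last reply, added here as an example (it is not code from the thread or from Extreme). It assumes the syslog format quoted in the first post and that address-conflict probes carry sender IP 0.0.0.0 as in RFC 5227; the sample lines and addresses are constructed, and `summarize` and `suspicious_ports` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread. Addresses are made up;
# sender ip 0.0.0.0 is the RFC 5227 probe value (assumed, the thread's logs omit it).
SAMPLE = """\
May 12 08:02:54 DAI[170022088]: dai_util.c(592) 289852 This is from manager 1 %% DAI dropped ARP frame rcvd on i/f ge.1.38 in vlan 50, due to - IP VALID FAILURE
May 12 08:02:54 DAI[170022088]: dai_util.c(484) 289853 This is from manager 1 %% DAI: Ethernet header- dest FF:FF:FF:FF:FF:FF, src 00:23:24:7E:07:CD, type/len 0x8100.
May 12 08:02:54 DAI[170022088]: dai_util.c(535) 289854 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip 0.0.0.0, target mac 00:00:00:00:00:00, target ip 192.0.2.25
May 12 08:02:55 DAI[170022088]: dai_util.c(592) 289855 This is from manager 1 %% DAI dropped ARP frame rcvd on i/f ge.1.38 in vlan 50, due to - IP VALID FAILURE
May 12 08:02:55 DAI[170022088]: dai_util.c(535) 289856 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip 0.0.0.0, target mac 00:00:00:00:00:00, target ip 192.0.2.25
May 12 08:03:10 DAI[170022088]: dai_util.c(592) 289857 This is from manager 1 %% DAI dropped ARP frame rcvd on i/f ge.1.12 in vlan 50, due to - IP VALID FAILURE
May 12 08:03:10 DAI[170022088]: dai_util.c(535) 289858 This is from manager 1 %% DAI: ARP PKT- op Reply, sender mac 02:00:00:AA:BB:01, sender ip 255.255.255.255, target mac 02:00:00:AA:BB:02, target ip 192.0.2.1
May 12 15:50:44 DAI[170022088]: dai_main.c(624) 290697 This is from manager 1 %% DAI Interface ge.1.38 Error-Disabled!! Rate Limit 15 pps with burst interval 1 hit
"""

DROP = re.compile(r"DAI dropped ARP frame rcvd on i/f (\S+) in vlan (\d+), due to - (.+)$")
PKT = re.compile(r"ARP PKT- op (\w+), sender mac ([0-9A-Fa-f:]{17}), sender ip ?([\d.]*),")
ERRDIS = re.compile(r"DAI Interface (\S+) Error-Disabled")

def summarize(text):
    """Tally DAI drops per interface, separating address-conflict probes from the rest."""
    stats = defaultdict(lambda: {"probe": 0, "other": 0, "macs": set(), "err_disabled": False})
    pending = None  # interface of the last drop line still waiting for its ARP PKT line
    for line in text.splitlines():
        if m := DROP.search(line):
            pending = m.group(1)
        elif (m := PKT.search(line)) and pending:
            op, mac, sender_ip = m.groups()
            is_probe = op == "Request" and sender_ip == "0.0.0.0"
            stats[pending]["probe" if is_probe else "other"] += 1
            if not is_probe:
                stats[pending]["macs"].add(mac.upper())  # keep MACs worth a closer look
            pending = None
        elif m := ERRDIS.search(line):
            stats[m.group(1)]["err_disabled"] = True
    return dict(stats)

def suspicious_ports(stats):
    """Interfaces with drops that are not explained by address-conflict probes."""
    return sorted(ifname for ifname, s in stats.items() if s["other"])

if __name__ == "__main__":
    for ifname, s in sorted(summarize(SAMPLE).items()):
        print(ifname, s)
```

Ports that only show probe drops match the duplicate-address-detection behaviour discussed above; ports returned by `suspicious_ports` are the ones to review by hand.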