
Dynamic ARP Inspection too many frame drops due IP VALID FAILURE


Daniel_Szigeti
New Contributor II
Hello,

We have B5 series switches with DAI enabled and I am always getting these errors:

May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(592) 289852 This is from manager 1 %% DAI dropped ARP frame rcvd on i/f ge.1.38 in vlan 50, due to - IP VALID FAILURE
May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(484) 289853 This is from manager 1 %% DAI: Ethernet header- dest FF:FF:FF:FF:FF:FF, src 00:23:24:7E:07:CD, type/len 0x8100.
May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(535) 289854 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip 0.0.0.0, target mac 00:00:00:00:00:00, target ip 10.10.1.94

Sometimes some ports reach the limit, then I get this:

May 12 15:50:44 10.12.3.114 DAI[170022088]: dai_main.c(624) 290697 This is from manager 1 %% DAI Interface ge.1.38 Error-Disabled!! Rate Limit 15 pps with burst interval 1 hit
May 12 15:50:44 10.12.3.114 DAI[170022088]: dai_main.c(627) 290698 This is from manager 1 %% User has to bring the interface ge.1.38 up explicitly

I changed the rate limit to 30 pps and with this setting the switch doesn't bring down the interface, but the logs keep coming.

I looked into what the logs mean and found out these are DHCP ARP frames for checking IP conflicts. The question is why DAI drops these frames when they are useful. How can I set the switch to not drop these without turning off the IP validation?

Thanks in advance.

Regards,
Daniel Szigeti
9 REPLIES 9

Straw__Glyn
Extreme Employee
Hi Rahman,

Did you try using the command "set arpinspection limit" and set it to "none"? I think this should achieve that?

Best Regards
Glyn

Rahman_Duran1
New Contributor III
Hi,

In my situation the DHCP clients send the ARP packet, not the DHCP server. As I understand it, it is called https://wiki.wireshark.org/Gratuitous_ARP and it seems Windows uses it to detect IP conflicts, and you can also disable it: https://support.microsoft.com/en-us/kb/219374?wa=wsignin1.0.

I don't care if the packets are dropped by DAI, as dropping them has no negative effect. But the problem is I needed to disable DAI rate limiting completely, because even at the max limit on the A4H (50 pps) the switch disabled some of the client ports.

Straw__Glyn
Extreme Employee
Hi Daniel,

Without seeing your configs, it seems that you have configured DAI with the optional ARP inspection validate command for IP address checking.

When this option is enabled, DAI drops ARP packets with an invalid IP address. The following IP addresses are considered invalid:

• 0.0.0.0
• 255.255.255.255
• All IP multicast addresses
• All class E addresses (240.0.0.0/4)

From the error shown it seems that the source IP address is 0.0.0.0 and hence it is considered invalid and dropped as per the configuration. The feature seems to be doing what it is configured to do. If this were a standard DHCP discover packet I would not expect it to be dropped, but I don't think that is the case here.

If you turn off the optional IP checking but retain the other ARP inspection validate options, this would stop it, but the option is fixed about what it considers an invalid IP address.

Did you say this is from the DHCP server? Can that be configured to send with a valid source IP address?

Does my understanding of what you have sound correct to you? If not, it may be a good idea to open a case with us so that we can review your configs and logs in more depth and assist you further.

Best Regards
Glyn
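
A triage helper for the log lines in this thread, added here as an example and not code from any poster or from the vendor: it parses the `ARP PKT-` lines and separates address-conflict probes (request, sender IP 0.0.0.0, zero target MAC) from other drops that match the invalid-address list in the reply above. The sample lines are constructed in the quoted format, and checking both the sender and target IP fields is an assumption about the switch's behaviour.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format of the DAI syslog output quoted in the thread.
SAMPLE_LOG = """\
May 12 08:02:54 10.12.3.114 DAI[170022088]: dai_util.c(535) 289854 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip 0.0.0.0, target mac 00:00:00:00:00:00, target ip 10.10.1.94
May 12 08:03:10 10.12.3.114 DAI[170022088]: dai_util.c(535) 289860 This is from manager 1 %% DAI: ARP PKT- op Request, sender mac 00:23:24:7E:07:CD, sender ip 0.0.0.0, target mac 00:00:00:00:00:00, target ip 10.10.1.94
May 12 08:04:01 10.12.3.114 DAI[170022088]: dai_util.c(535) 289871 This is from manager 1 %% DAI: ARP PKT- op Reply, sender mac 00:11:22:33:44:55, sender ip 224.0.0.5, target mac 00:23:24:7E:07:CD, target ip 10.10.1.94
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
MAC = r"[0-9A-Fa-f:]{17}"
ARP_PKT = re.compile(
    rf"ARP PKT- op (?P<op>\w+), sender mac (?P<smac>{MAC}), "
    rf"sender ip (?P<sip>{IPV4}), target mac (?P<tmac>{MAC}), "
    rf"target ip (?P<tip>{IPV4})")

CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")  # also covers 255.255.255.255


def is_invalid(addr: str) -> bool:
    """True for the addresses the reply above lists as invalid."""
    ip = ipaddress.IPv4Address(addr)
    return int(ip) == 0 or ip.is_multicast or ip in CLASS_E


def classify(line: str):
    """Return (sender_mac, category) for an 'ARP PKT-' line, else None."""
    m = ARP_PKT.search(line)
    if m is None:
        return None
    probe = (m["op"] == "Request" and m["sip"] == "0.0.0.0"
             and m["tmac"] == "00:00:00:00:00:00" and not is_invalid(m["tip"]))
    if probe:
        category = "conflict-probe"    # sender 0.0.0.0 asking about a normal address
    elif is_invalid(m["sip"]) or is_invalid(m["tip"]):
        category = "invalid-ip-other"  # not a probe: worth a closer look
    else:
        category = "ip-fields-valid"   # drop not explained by the IP check
    return m["smac"].upper(), category


def summarize(log: str) -> Counter:
    """Count dropped ARP packets per (sender MAC, category)."""
    return Counter(c for c in map(classify, log.splitlines()) if c)


if __name__ == "__main__":
    for (mac, category), n in summarize(SAMPLE_LOG).most_common():
        print(f"{mac}  {category:18} {n}")
```

Run against the real syslog file, a host that only ever shows up as `conflict-probe` is doing address conflict detection; anything in the other two categories is what the IP validation is there to surface.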

Thanks for your reply.
On the interface ge.1.38 we have a PC. The DHCP clients check for IP conflicts in the network, as Rahman said. The problem is that in these packets the sender IP is 0.0.0.0 and the IP validation considers this invalid. We will consider disabling this feature in Windows clients if I don't get any other solution.

Rahman_Duran2
New Contributor
I am also seeing this. Any idea how to solve it?