Problems with ARP?

From: Pawel Osiczko (p.osiczko@tetrapyloctomy.org)
Date: Thu Aug 01 2002 - 11:31:33 EDT


Hey SunManagers!

I am experiencing an unusual problem which boils down to our switch
making more than reasonable amounts of ARP queries to a host. Host (Solaris 2.6
box) attempts to keep up with queries and answers them, but apparently too
quickly, because it complains to /dev/console and log that:

WARNING: IP: Hardware address '08:00:20:9a:c4:fb' trying to be our address 138.085.220.014!

Interesting part is that the MAC address 08:00:20:9a:c4:fb and IP address
_belong_ to the host being queried by the switch:

jigsaw:[/]# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 138.85.220.14 netmask fffffe00 broadcast 138.85.221.255
        ether 8:0:20:9a:c4:fb

There are at times literally hundreds of the "WARNING: IP" messages.
They fill up our console (console being connected to a terminal server)
and basically hang the server. This event occurs randomly throughout the day.
Solaris 2.6 and 2.8 hosts are affected, though not all of them.
Host has only one network card.

The iparp timeout and fdb aging values on the switch are set to default values
on the switch.

Tcpdump shows the traffic during one of the incidents:

jigsaw:[/]# /pkg/tcpdump/sbin/tcpdump '(arp[7] & 0xff= 0x02 && arp[14:4] & 0xffffffff = 0x8A55DC0E) || (arp[7] & 0xff= 0x01 && arp[24:4] & 0xffffffff = 0x8A55DC0E)'
tcpdump: listening on hme0
11:59:37.739022 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:37.739101 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:37.739123 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:37.739145 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:37.739480 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:37.739521 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:38.739005 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:38.739058 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:38.739155 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:38.739187 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:38.739523 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:38.739556 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:39.739092 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:39.739123 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:39.739214 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:39.739237 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:39.739340 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:39.739394 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:40.739032 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:40.739095 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:40.739143 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:40.739174 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:40.739516 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:40.739549 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:41.739071 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:41.739122 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:41.739158 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:41.739178 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:41.739536 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se

Has anyone seen/fixed such a problem? It would be interesting to peek into Solaris
source code and see what kind of conditions must be met in order for the kernel to print
out the "WARNING: IP" message. Maybe there is some sort of timeout since the last ARP reply
within which a host views an ARP request as a spoof? Can anybody enlighten me?

Thanks!

--p
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
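
Added example (not part of the original post): a short Python script that tallies ARP requests per second per requester from tcpdump text output in the format shown above, and lists which MAC addresses answer for each name. More than one MAC answering for a name would point to a real address conflict, a single MAC to the host's own replies. The sample lines are copied from the capture in the post; the function names and the per-second threshold are assumptions of this example.

```python
import re
from collections import Counter

# tcpdump's text format for ARP, as in the capture quoted in the post.
LINE_RE = re.compile(
    r"^(?P<hms>\d{2}:\d{2}:\d{2})\.\d+ arp "
    r"(?:who-has (?P<target>\S+) tell (?P<asker>\S+)"
    r"|reply (?P<owner>\S+) is-at (?P<mac>\S+))$"
)

# Lines copied from the capture in the post (first two seconds only).
SAMPLE = """\
11:59:37.739022 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:37.739101 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:37.739123 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:37.739145 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:37.739480 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:37.739521 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
11:59:38.739005 arp who-has jigsaw.bo.us.am.ericsson.se tell g132sw1.bo.us.am.ericsson.se
11:59:38.739058 arp reply jigsaw.bo.us.am.ericsson.se is-at 8:0:20:9a:c4:fb
""".splitlines()

def summarize(lines):
    """Count requests by (second, asker, target) and replies by (second, owner, mac)."""
    requests, replies = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ARP line in the expected format
        if m["asker"]:
            requests[(m["hms"], m["asker"], m["target"])] += 1
        else:
            replies[(m["hms"], m["owner"], m["mac"])] += 1
    return requests, replies

def bursts(requests, max_per_second=1):
    """Requester/target pairs that exceed the (assumed) per-second threshold."""
    return sorted((key, n) for key, n in requests.items() if n > max_per_second)

def macs_per_owner(replies):
    """Every MAC seen answering for each name; more than one suggests a conflict."""
    owners = {}
    for (_sec, owner, mac) in replies:
        owners.setdefault(owner, set()).add(mac)
    return owners

if __name__ == "__main__":
    req, rep = summarize(SAMPLE)
    for (sec, asker, target), n in bursts(req, max_per_second=2):
        print(f"{sec} {asker} asked for {target} {n} times")
    for owner, macs in macs_per_owner(rep).items():
        print(f"{owner} answered from {sorted(macs)}")
```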


