
a question about arp tables...

linnea.wren
Level 1

Hey...

A Windows server has 10 IP addresses.

Intermittently, all IP addresses except for the primary address become inaccessible.

This may well be a problem on the server itself, but in the course of looking everywhere, I noticed something on a core switch that I don't understand.

The switch is a 6509, sup720/msfc3, IOS Enterprise Services, v12.2(18)SXE5.

When all is working as it should, "sh arp" on the switch has entries for all 10 of the server's IP addresses.

However, as time passes, the Age in Minutes value for the server's primary IP address restarts, like this:

sh arp 1: Age = 5

sh arp 2: Age = 0

sh arp 3: Age = 3

sh arp 4: Age = 2

(Sh arp commands having been done at irregular intervals.)

For the other 9 IP addresses on the box, the Age value continues to increment until we have a crisis.

From this it would seem that the switch re-arps for the primary address, even though it has an entry for that IP in its table.

Why would it re-arp for an IP that it has in its table?

And, why re-arp for some addresses, but not for others?

(The age values for IP addresses on all our vlans are all over the map, anything from 0 up into the 200s, so the phenomenon doesn't seem to be confined to this one device.)

Any thoughts/knowledge much appreciated...


Richard Burts
Hall of Fame

Linnea

At least part of what you describe sounds like normal behavior. Especially the description of the Age value incrementing and then starting over - and covering a wide range of values. In IOS the default aging time for the ARP cache is 4 hours (240 minutes or 14400 seconds). And when IOS ages out an entry in the ARP table it sends an ARP request for the address and if it gets a response it inserts the address with time value of 0 and starts over again.

In your description of the issue I am not clear whether the switch is not sending a request for the addresses or whether the switch is requesting and the server is only answering for the first address. To investigate this further I would suggest running debug arp on the switch. This will show ARP activity including what the switch sends out and whether it receives responses to its requests.

HTH

Rick


The ARP table is aged out (as pointed out by Rick) but is not repopulated unless you run CEF on the box (in which case the router re-issues an ARP request to maintain its CEF adjacency table).

Thank you both.

I don't think I made the question sufficiently clear, though...

The entry for the 1st IP address of the server never ages beyond 5 or 6 minutes. We do have the aging timer set at the default of 4 hours, and the other entries reach that value. But the entry for the first IP address does not.

Therefore, it seems the entry for that IP address gets refreshed long before it has been in the table long enough to time out. I was wondering what would cause that...

In the problem of losing access to the other IP addresses, what I see on the switch while the problem is occurring is entries for those IP addresses listed as "incomplete". And, on the server itself, when I do a packet capture, I see ARP requests coming in but no responses going out. That's why I'm thinking the problem is actually at the server level.

So, the question about the seemingly premature aging of that one address is more trying to fill in a knowledge gap...

Thanks again...

Linnea

That is an interesting behavior and there may be several things that could explain it. I think perhaps most likely is that the server periodically might be sending a gratuitous ARP (announcing itself). If the switch receives an ARP response from the switch (perhaps responding to some other device) it would refresh the entry in the ARP table.

I agree that the problem about the other addresses would seem to be a problem at the server. If you want to investigate either of these things further I would suggest that debug arp on the sup might be helpful.

HTH

Rick


Most likely the server is using some kind of NIC or MS load balancing, and as mentioned above is using either gratuitous ARP, or the router is seeing different ARP responses according to the NIC it wants a device to respond to at the time.

Thanks Rick. Discovered there is Windowsy traffic from another machine on that subnet that accounts for the arp table refreshes on the switch...

Linnea

I am glad that our comments were helpful for you to find the solution.

Thanks for using the rating system to indicate that your issue was resolved. (and thanks for the rating) It makes the forum more useful when people can read about an issue and can know that they will read a solution to the issue. I encourage you to continue your participation in the forum.

HTH

Rick
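
An added example, not part of the original thread and not Cisco code: a small Python helper that compares two `show arp` snapshots and flags the symptoms discussed above, namely an entry whose Age resets well before the 240-minute timeout, an entry shown as Incomplete, and (per the load-balancing reply) a hardware address that changes between snapshots. The addresses, MACs, VLAN name and the 10-minute gap between snapshots are constructed sample values.

```python
import re

ARP_TIMEOUT_MIN = 240  # IOS default ARP aging time cited in the thread
# Row of IOS "show arp" output: Protocol Address Age Hardware-Addr Type [Interface]
ROW = re.compile(r"^Internet\s+(\S+)\s+(\d+|-)\s+(\S+)\s+ARPA")

# Constructed sample snapshots, assumed to be taken 10 minutes apart.
SNAP_1 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.10              5   0011.2233.4455  ARPA   Vlan10
Internet  192.0.2.11            120   0011.2233.4455  ARPA   Vlan10
Internet  192.0.2.12            200   0011.2233.4455  ARPA   Vlan10
"""
SNAP_2 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.10              2   0011.2233.4455  ARPA   Vlan10
Internet  192.0.2.11            130   0011.2233.4455  ARPA   Vlan10
Internet  192.0.2.12              0   Incomplete      ARPA
"""

def parse_show_arp(text):
    """Return {ip: (age_minutes or None, mac or None)}; mac None means Incomplete."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or unrelated line
        ip, age, hw = m.groups()
        table[ip] = (None if age == "-" else int(age),
                     None if hw.lower() == "incomplete" else hw.lower())
    return table

def compare(prev, curr, elapsed_min, timeout=ARP_TIMEOUT_MIN):
    """Classify entries in curr against the earlier snapshot prev."""
    findings = {}
    for ip, (age, mac) in curr.items():
        if mac is None:
            findings[ip] = "incomplete"  # request sent, no reply learned
            continue
        old = prev.get(ip)
        if old is None or old[0] is None or age is None:
            continue  # new entry or the switch's own interface address
        old_age, old_mac = old
        if old_mac and old_mac != mac:
            findings[ip] = "mac-changed"
        elif age < old_age + elapsed_min - 1 and old_age + elapsed_min < timeout:
            findings[ip] = "refreshed-early"  # reset before the timeout could fire
    return findings
```

Calling `compare(parse_show_arp(SNAP_1), parse_show_arp(SNAP_2), 10)` reports which entries were refreshed by traffic rather than by the aging timer; `debug arp`, as suggested in the thread, then shows which packets caused the refresh.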
