Incomplete ARP and Encapsulation Failed

Unanswered Question
Aug 26th, 2009

Having an interesting issue. I am getting an Incomplete ARP:

Internet 10.210.36.2 0 Incomplete ARPA

All the other IPs in the VLAN1000 are ARPing fine. The .2 is the physical address of an HSRP router. When I run a debug IP packets I can see that encapsulation fails going to .2. Here is that message:

Aug 26 15:17:18.779: IP: s=10.210.36.33 (Vlan20), d=10.210.36.2 (Vlan1000), g=10.210.36.2, len 60, forward

Aug 26 15:17:18.779: IP: s=10.210.36.33 (Vlan20), d=10.210.36.2 (Vlan1000), len 60, encapsulation failed

Anyone seen this before. I know about the cables and such but I guess one other question is, why are packets being sent to .2 instead of the HSRP address of .1.

Thanks.

James

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Giuseppe Larosa Wed, 08/26/2009 - 07:32

Hello James,

does a ping to 10.210.36.1 be successful from the same device complaining of ARP incomplete?

is the MAC address of the HSRP active router present in the Vlan1000 cam table?

sh mac-address-table vlan 1000

and is the local device speaking any form of routing protocol or it has a static route with next-hop 10.210.36.2?

Hope to help

Giuseppe

jfraasch Wed, 08/26/2009 - 07:43

To both replies,

Ping fails but only because the gateway is a VLAN on a 6500 with a fw module installed.

Show mac-address VLAN 1000 shows the ARP entry in port 17 of the HSRP address (a080 are the last four hex which I believe indicates the virtual mac).

I see other MAC addresses on the same port and they resolve fine. These would be MACs of a some servers and such that are on the same VLAN.

Ok, stupid question time. The access port on the uplink switch is VLAN 252. So basically my port 17 is plugged into a 3750 access vlan 252 port. MY VLAN on port 17 on my 3750 is set to VLAN 1000.

So I guess the question is whether changing my access port to VLAN 252 on this switch would make this go away. I dont want to have to do this as it creates a ton of work for me on the backend (this is a pilot project and I am just trying to connect to the corporate network- the VLAN 1000 contains all my VIPs for my ACE=4710 module which means I would have to reconfigure my switch and a bunch of my 4710 if the fix was to change to VLAN 252).

I am going to go cry now because I think I already know the answer! But please respond to make sure.

James

Giuseppe Larosa Thu, 08/27/2009 - 11:41

Hello James,

sorry for the late answer

you have joined two broadcast domains vlan 252 and vlan 1000.

But this shouldn't cause the issue you are seeing.

I guess ACE is inserted in bridged mode between real servers in vlan 252 and virtual servers in vlan 1000.

This is a typical setup also with CSM module

your scenario should look like

MSFC/supervisor --- FWSM -- ACE --- vlan real servers.

Hope to help

Giuseppe

Peter Paluch Wed, 08/26/2009 - 07:33

Hello James,

If a MAC address of the 10.210.36.2 is unknown then the message "encapsulation failed" is logical - you are not able to construct a frame that would encapsulate your packet and send it to that machine. I don't know this for sure but it is possible that if a router is the Active router in a standby group, it won't reply to ARP queries about its real IP address - that could explain why you cannot see the MAC address of the .2.

You are asking why your packets are sent to .2 instead of .1. The first place to look in is your routing table. I believe that it contains routes whose next hop is .2 and not .1. If the routing table is static then I just suggest correcting the static entries. However, if a dynamic protocol is used then it does not go well with the HSRP. Are there any end stations (PCs, workstations) on the VLAN1000 in your topology, or is it just a transit network?

Best regards,

Peter

Actions

This Discussion