Router ARP Requests to an offline host...

Unanswered Question
Nov 20th, 2009
User Badges:

How can I find out why my default gateway router (Cisco 857) keeps sending out ARP requests for the MAC address of a host that is offline?


When I sniff packets on the internal LAN, I continue to see these broadcast ARP requests coming from this router, asking for the MAC address of whoever it is that has this particular IP address. It never gets a response back, because there is no such host that is active on our LAN. Yet the ARP requests continue...


Any guideance would be greatly appreciated. Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Fri, 11/20/2009 - 11:00
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Peter


Check the config to see if there are references to the IP address that the router is arping out for


Jon

p3t3rt0sh Fri, 11/20/2009 - 11:07
User Badges:

There is nothing in the running-config that is referencing the particular IP address...

Jon Marshall Fri, 11/20/2009 - 11:12
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Do you know what this host is and what it's purpose was ?

p3t3rt0sh Fri, 11/20/2009 - 13:08
User Badges:

I have no recollection of what this host was. It's IP address does not fall under our DHCP scope, so it was staticlly configured, whatever it was.


I'm thinking of configuring a client with this IP address and sniffing the packets to see if I can figure out what kind of traffic the router wants to pass to it.

Richard Burts Sat, 11/21/2009 - 03:44
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

The symptoms that you describe of the router ARPing for this address repeatedly suggest that something is sending packets to this router for that destination address. There are a couple of ways that you could investigate what this is:

- your suggestion of putting that address on a client and sniffing would work.

- if you have netflow configured on the router you might find the source address and protocol ports in the netflow data.

- you could configure an access list on the router interface with a permit statement for that destination address and the log parameter so that the router will create log messages for the packets which would have identifying information.


HTH


Rick

Actions

This Discussion