cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
19838
Views
20
Helpful
10
Replies

Orphan Packet

David Santos
Level 1
Level 1

Can someone explain me the concept of an orphan packet?

and why i'm asking this? Because i´m seing in the syslog server the following msg:

*dtlArpTask: May 28 11:48:12.117: %DTL-4-ARP_ORPHANPKT_DETECTED: dtl_net.c:1425 STA(Target MAC Address) [,] ARP (op ARP REQUEST) received with invalid SPA(Source IP Address) 169.254.146.36/TPA(Destination IP Address) 169.254.146.36

Can anyone explain me this?

1 Accepted Solution

Accepted Solutions

Amjad Abdullah
VIP Alumni
VIP Alumni

David,

 

The message means that there is a packet that does not belong to any valid registered client on the AP/WLC.

This can happen if a client was able to pass authentication but not able to get an IP address.(which looks like your case above where you have 169.254.x.x IP address).

If a client could not get an IP address from DHCP, it will automatically fall back to use APIPA IP address (169.254..etc). Because this IP is not valid (Not configured on any VLAN on the WLC), the client traffic that is sent through the WLC with invalid source IP will be considered orphan traffic.

This very scenario also sometimes happens when a client is connecting to a web-auth WLAN and the session-timeout expires while the DHCP enabled. In this case the L2 may try to re-connect automatically but the client is not releasing its IP before connectivity so, the WLC considers the client having an IP address already and prevents it from connectivity. If session-timeout expires, the client traffic will be considered orphan until it reconnects at L2 back again. (This is actually a sbuset of what fbarboza expressed above).

 

In your case your clients have bad ip address. assign them a good ip address and all will be fine.

 

HTH

 

Amjad

Rating useful replies is more useful than saying "Thank you"

View solution in original post

10 Replies 10

fbarboza
Level 4
Level 4
Hi , 

When a client associates with a WLAN, it can start trying to pass traffic without having passed authentication yet.  Windows devices/Apple devices are especially chatty.  If a client sends traffic before a controller is ready to allow it, i.e. they have not passed authentication, you see an Orphan Packet message. 
When you see an orphan packet message showing the IP address of the client changing,
that means that the controller was receiving Orphan Packets from that clients
mac address with the first IP address and then started receiving packets
from the same client with a different IP address. If a client changes SSIDs then it is a pretty common message since the client would have to pass authentication, get a new IP, etc.  You could enable Fast SSID Change under CONTROLLER>General for the WLC GUI.

Amjad Abdullah
VIP Alumni
VIP Alumni

David,

 

The message means that there is a packet that does not belong to any valid registered client on the AP/WLC.

This can happen if a client was able to pass authentication but not able to get an IP address.(which looks like your case above where you have 169.254.x.x IP address).

If a client could not get an IP address from DHCP, it will automatically fall back to use APIPA IP address (169.254..etc). Because this IP is not valid (Not configured on any VLAN on the WLC), the client traffic that is sent through the WLC with invalid source IP will be considered orphan traffic.

This very scenario also sometimes happens when a client is connecting to a web-auth WLAN and the session-timeout expires while the DHCP enabled. In this case the L2 may try to re-connect automatically but the client is not releasing its IP before connectivity so, the WLC considers the client having an IP address already and prevents it from connectivity. If session-timeout expires, the client traffic will be considered orphan until it reconnects at L2 back again. (This is actually a sbuset of what fbarboza expressed above).

 

In your case your clients have bad ip address. assign them a good ip address and all will be fine.

 

HTH

 

Amjad

Rating useful replies is more useful than saying "Thank you"

Amjad,

I must say that this is an issue only with ipads on my network. At this point i´ve changed the "Fast SSID change" to see if this problem would stop as suggested by fbarboza.

Just give me a couple of hours and i will have a report from users to see if this change has an impact.

Are you using web auth for the WLAN?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Guys,

fast ssid change has made a difference in the network and yes i´m using web auth for a guest wlan.

DS

Hi,

I just wanted to confirm if the fast ssid change help you and if the issues continues or not.

Also dont forget to rate if the answer worked.

Do you happen to know how long this supposed delay is, with fast ssid disabled?

Could there be any negative effect of enabling this?

I'm asking because we have more and more mobile phones/tablets.

No impact. Have it enabled across many customers for years ..

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

The delay is I think 30 seconds. If you have fast ssid change disabled. I too always have this enabled.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks for your replies. I've enabled it now.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: