×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Orphan Packet

Endorsed Question
May 29th, 2012
User Badges:

Can someone explain me the concept of an orphan packet?


and why i'm asking this? Because i´m seing in the syslog server the following msg:



*dtlArpTask: May 28 11:48:12.117: %DTL-4-ARP_ORPHANPKT_DETECTED: dtl_net.c:1425 STA(Target MAC Address) [,] ARP (op ARP REQUEST) received with invalid SPA(Source IP Address) 169.254.146.36/TPA(Destination IP Address) 169.254.146.36


Can anyone explain me this?

Cisco Endorsed by pardeepk
Amjad Abdullah about 5 years 2 months ago

David,


The message mean that there is a packet that does not belong to any valid registered client on the AP/WLC.

This can happen if a client was able to pass authentication but not able to get an IP address.(which looks like your case above where you have 169.254.x.x IP address).

If client could not get an IP address from DHCP it will automatically fall back to use APIPA Ip address (169.254..etc). Because this IP is not valid on the subnet the client is connected to the traffic will be consindered orphan traffic.

It also sometimes happens when some is connecting to web-auth WLAN and the session timeout expires while the DHCP enabled. in this case the L2 may try to re-connect automatically but the client is not releasing its IP before connectivity so it considered it having an IP address already and prevents him from connectivity. If session-timeout expires the client traffic will be considered orphan until it reconnect at L2 back again. (This is actually a sbuset of what fbarboza expressed above).


In your case your clients have bad ip address. assign them a good ip address and all will be fine.


HTH


Amjad

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
fbarboza Tue, 05/29/2012 - 11:42
User Badges:
  • Bronze, 100 points or more
Hi , 

When a client associates with a WLAN, it can start trying to pass traffic without having passed authentication yet.  Windows devices/Apple devices are especially chatty.  If a client sends traffic before a controller is ready to allow it, i.e. they have not passed authentication, you see an Orphan Packet message. 
When you see an orphan packet message showing the IP address of the client changing,
that means that the controller was receiving Orphan Packets from that clients
mac address with the first IP address and then started receiving packets
from the same client with a different IP address. If a client changes SSIDs then it is a pretty common message since the client would have to pass authentication, get a new IP, etc.  You could enable Fast SSID Change under CONTROLLER>General for the WLC GUI.
Amjad Abdullah Wed, 05/30/2012 - 05:11
User Badges:
  • Red, 2250 points or more

David,


The message mean that there is a packet that does not belong to any valid registered client on the AP/WLC.

This can happen if a client was able to pass authentication but not able to get an IP address.(which looks like your case above where you have 169.254.x.x IP address).

If client could not get an IP address from DHCP it will automatically fall back to use APIPA Ip address (169.254..etc). Because this IP is not valid on the subnet the client is connected to the traffic will be consindered orphan traffic.

It also sometimes happens when some is connecting to web-auth WLAN and the session timeout expires while the DHCP enabled. in this case the L2 may try to re-connect automatically but the client is not releasing its IP before connectivity so it considered it having an IP address already and prevents him from connectivity. If session-timeout expires the client traffic will be considered orphan until it reconnect at L2 back again. (This is actually a sbuset of what fbarboza expressed above).


In your case your clients have bad ip address. assign them a good ip address and all will be fine.


HTH


Amjad

David Santos Wed, 05/30/2012 - 05:30
User Badges:

Amjad,


I must say that this is an issue only with ipads on my network. At this point i´ve changed the "Fast SSID change" to see if this problem would stop as suggested by fbarboza.


Just give me a couple of hours and i will have a report from users to see if this change has an impact.

Amjad Abdullah Wed, 05/30/2012 - 09:09
User Badges:
  • Red, 2250 points or more

Are you using web auth for the WLAN?


Sent from Cisco Technical Support iPad App

David Santos Thu, 05/31/2012 - 14:16
User Badges:

Guys,


fast ssid change has made a difference in the network and yes i´m using web auth for a guest wlan.



DS

fbarboza Sat, 06/02/2012 - 10:34
User Badges:
  • Bronze, 100 points or more

Hi,


I just wanted to confirm if the fast ssid change help you and if the issues continues or not.

Also dont forget to rate if the answer worked.


patoberli Fri, 11/22/2013 - 01:43
User Badges:
  • Silver, 250 points or more

Do you happen to know how long this supposed delay is, with fast ssid disabled?

Could there be any negative effect of enabling this?


I'm asking because we have more and more mobile phones/tablets.

George Stefanick Fri, 11/22/2013 - 04:09
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, October 2015

No impact. Have it enabled across many customers for years ..

Sent from Cisco Technical Support iPad App

Scott Fella Fri, 11/22/2013 - 06:06
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

The delay is I think 30 seconds. If you have fast ssid change disabled. I too always have this enabled.

Sent from Cisco Technical Support iPhone App

patoberli Fri, 11/22/2013 - 06:23
User Badges:
  • Silver, 250 points or more

Thanks for your replies. I've enabled it now.

Actions

This Discussion

Related Content