Incomplete ARP entries

Hi All

I have got this weird problem on our core router. Whenever I do a "show arp", I get the following entries in the resulting ARP table output:

Internet 10.6.192.204 0 Incomplete ARPA

Internet 10.6.191.179 0 Incomplete ARPA

Internet 10.6.190.178 0 Incomplete ARPA

Internet 10.6.189.177 0 Incomplete ARPA

Internet 10.6.188.176 0 Incomplete ARPA

Internet 10.6.187.183 0 Incomplete ARPA

Internet 10.6.186.182 0 Incomplete ARPA

Internet 10.6.185.181 0 Incomplete ARPA

Internet 10.6.184.180 0 Incomplete ARPA

Internet 10.6.183.187 0 Incomplete ARPA

Internet 10.6.181.185 0 Incomplete ARPA

Internet 10.6.180.184 0 Incomplete ARPA

Of about 5700 entries in the ARP table, 4000 are incomplete like above. It is as if something is scanning the 10.6 range, because it is definitely going through the whole class B range.

We are running AppleTalk on this VLAN as well.

Any ideas what could be causing this, and how to trace it?

5 REPLIES

Re: Incomplete ARP entries

Looks like the Welchia virus is running on a machine - potentially infecting more machines...

Get a sniffer on the segment and see what the source IP addresses are (you may need to configure SPAN on a port). Once you have the sources, 'attack' the PC owner(s)...

I would ensure you have virus scanners running on your PCs and that the virus definitions are up to date.

Andy

Re: Incomplete ARP entries

One way to check for the Welchia virus is to set an ACL to monitor traffic on port TCP 135, e.g.:

access-list 133 permit tcp any any eq 135 log

access-list 133 permit ip any any

and apply it in both directions (in/out) to an interface.

You should check the router log to see if indeed there is a system scanning on that port. An example from a router log:

%SEC-6-IPACCESSLOGP: list 133 permit tcp 10.10.11.26(53340) -> 10.65.71.51 (135)

%SEC-6-IPACCESSLOGP: list 133 permit tcp 10.10.11.26(53340) -> 10.65.71.52 (135)

where you can see that host 10.10.11.26 is scanning subnet 10.65.71.0, a typical virus symptom.

Regards,

Mustafa
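The log check described in the reply above can be automated. This is an added example, not part of the original thread: it parses `%SEC-6-IPACCESSLOGP` lines and reports sources that reached many distinct hosts on TCP 135. The function name, the `min_targets` threshold and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches IOS %SEC-6-IPACCESSLOGP TCP lines; optional whitespace before the
# destination port covers both the spacing quoted above and "ip(port), N packet".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?:permit(?:ted)?|denied) tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s*\((?P<dport>\d+)\)"
)

def find_scanners(lines, acl="133", port=135, min_targets=3):
    """Return {source_ip: sorted distinct destinations} for sources that hit
    at least min_targets distinct hosts on the given TCP port via this ACL.
    min_targets is an assumed threshold; tune it to the logging window."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["acl"] == acl and int(m["dport"]) == port:
            targets[m["src"]].add(m["dst"])  # set drops repeated hits
    return {
        src: sorted(dsts, key=lambda ip: tuple(map(int, ip.split("."))))
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }

# Constructed sample: one host sweeping a subnet, one client talking
# repeatedly to a single server, and one line from an unrelated ACL.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 133 permit tcp 10.10.11.26(53340) -> 10.65.71.51 (135)
%SEC-6-IPACCESSLOGP: list 133 permit tcp 10.10.11.26(53341) -> 10.65.71.52 (135)
%SEC-6-IPACCESSLOGP: list 133 permitted tcp 10.10.11.26(53342) -> 10.65.71.53(135), 1 packet
%SEC-6-IPACCESSLOGP: list 133 permitted tcp 10.10.11.26(53343) -> 10.65.71.54(135), 1 packet
%SEC-6-IPACCESSLOGP: list 133 permitted tcp 10.10.11.26(53344) -> 10.65.71.54(135), 1 packet
%SEC-6-IPACCESSLOGP: list 133 permitted tcp 10.10.11.40(1045) -> 10.65.71.10(135), 1 packet
%SEC-6-IPACCESSLOGP: list 133 permitted tcp 10.10.11.40(1046) -> 10.65.71.10(135), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.10.11.99(2001) -> 10.65.71.60(135), 1 packet
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} reached {len(dsts)} hosts on tcp/135: {dsts[0]} .. {dsts[-1]}")
```

Counting distinct destinations rather than log lines keeps a client that talks repeatedly to one RPC server from being flagged alongside a host sweeping the subnet.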

Re: Incomplete ARP entries

Are there ACLs configured filtering ICMP messages? Remove them for a test and change them as needed.

Re: Incomplete ARP entries

Clear the ARP entries and check if the same entries occur again. If yes, you need to check for a virus as said above.

Re: Incomplete ARP entries

Hi

I have seen it at my customer's site when they were hit by the Code Red virus. These faulty ARP entries in your router can cause those hosts to be unreachable from other networks. Scanning your network for viruses is the first task you need to do.
