ARP Incomplete Entries.

losdelrock
Level 1

Hello, we are seeing continuous ARP Incomplete entries (using debug ARP) on our Cisco 3640 internal interface; they are never deleted. I would appreciate any help in understanding why these requests are being made and how to stop them.

Thanks!

6 Replies

spremkumar
Level 9

Hi

Did you try clearing ARP? What's the IOS code you are running on your box at present?

Usually incomplete entries point to the unreachability of the particular IP which is displayed there.

Try to find out whether those incomplete entries belong to your local subnet or a different subnet altogether. Also, if they belong to the same local subnet, then try to find out whether they are powered on.

I would also suggest checking for any known worms or virus variants in your network, which may also be a possible reason for this.

You can do this using ip route-cache flow under the LAN interface, and use show ip cache flow to find out the traffic patterns traversing it, which can clear up most things.

Regards

dbellaze
Level 4

If the router is attempting to route a packet to a destination it doesn't have an ARP entry for, it will ARP for it. If the host doesn't exist, it will just create an incomplete entry. Depending on how often it does this, it might look like it's never timing them out.

If you're wide open to the internet using public IPs on your LAN, port scanners could cause this type of thing.

Daniel

Thanks to both of you - I will get on it on Monday. How do I make sense of the route-cache flow to see if it is a worm or port scan? The offending ARPs are coming from our internal interface, and you are right, our router is open to the world.

Adrian

Hello - further to the above topic, is it possible to gather stats over time for the ip cache flow command using SNMP or another method? Thanks!

Hi

The ip cache flow command displays output which will have both the input and output port numbers of the active traffic transactions being carried out by the routers.

Those values will be in hexadecimal, which you can convert to normal decimal; you then match them against the port numbers being used by the usual worms, viruses or their variants.

Regards
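
An added example, not part of the original thread: the hex-to-decimal conversion and port matching described in the reply above, extended to flag one source touching many destinations on the same port, which is the scan pattern dbellaze describes as a cause of incomplete ARP entries. The sample rows are constructed, the column layout assumed is the classic IOS show ip cache flow table, and the watch-list ports and function names are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample in the classic IOS "show ip cache flow" layout (assumed);
# the Pr, SrcP and DstP columns are printed in hexadecimal.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         203.0.113.9     Et0/1         192.0.2.10      06 0B3A 01BD     1
Et0/0         203.0.113.9     Et0/1         192.0.2.11      06 0B3B 01BD     1
Et0/0         203.0.113.9     Et0/1         192.0.2.12      06 0B3C 01BD     1
Et0/0         203.0.113.9     Et0/1         192.0.2.13      06 0B3D 01BD     1
Et0/0         198.51.100.7    Et0/1         192.0.2.25      06 C3A1 0019    42
Et0/1         192.0.2.25      Et0/0         198.51.100.7    06 0019 C3A1    38
Et0/0         198.51.100.44   Et0/1         192.0.2.30      11 04D2 059A     1
"""

# Illustrative watch-list (assumption, not from the thread): (protocol, port) -> note.
WATCH = {(6, 135): "MS RPC (Blaster)", (6, 445): "SMB (Sasser)",
         (17, 1434): "MS-SQL (Slammer)"}

def parse_flows(text):
    """Yield one dict per flow row, with the hex fields converted to decimal."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue  # skip the header, blank lines and summary lines
        try:
            proto, sport, dport = (int(x, 16) for x in f[4:7])
        except ValueError:
            continue  # not a flow row
        yield {"src": f[1], "dst": f[3], "proto": proto,
               "sport": sport, "dport": dport, "pkts": f[7]}

def fan_out(flows, min_targets=3):
    """Return sources that reach many distinct destinations on one port."""
    targets = defaultdict(set)
    for fl in flows:
        targets[(fl["src"], fl["proto"], fl["dport"])].add(fl["dst"])
    return [{"src": s, "proto": p, "dport": d, "targets": len(dsts),
             "note": WATCH.get((p, d), "")}
            for (s, p, d), dsts in sorted(targets.items())
            if len(dsts) >= min_targets]

if __name__ == "__main__":
    for hit in fan_out(parse_flows(SAMPLE)):
        print(hit)
```

Feed it the captured output of show ip cache flow in place of SAMPLE and raise min_targets to suit the size of the subnet.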

Thanks - is there any way I can gather stats over time for this - e.g. SNMP? Sitting at a console pressing "ip cache flow" all the time does not appeal to me. We use a brilliant SNMP/RMON package called OpManager which can pull stats off almost anything, just wondering if Cisco's MIB has the ip cache flow in it somewhere...

Adrian.
