Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Broadcast storm on ProCurve 4000M?

David McLean
Occasional Advisor

Broadcast storm on ProCurve 4000M?

Over the past week or so, out ProCurve 4000M switch has been acting weird. it looks like a broadcast storm, but it isn't.

We've disconnected the switch from the T1 line, shut off every computer attached to it, and disconnected it from the router and every other switch and it STILL shows tons of activity.

We did some packet sniffing and it said that these were ARP and Spanning Tree packets. Only one problem, we don't have Spanning Tree enabled on the switch.

I've tried updating the firmware to fix the problem, but I can't seem to fix this.

any suggestions?
14 REPLIES
The Real MD
Valued Contributor

Re: Broadcast storm on ProCurve 4000M?

1)is it possible there is a V-lan setup on the switch thats generating bogus traffic

2) is it possible to restore the factory settings, to see if you have the same issue.

3) check the firmware revision, it may well be worth upgrading.

Hope this helps

Martin.
David McLean
Occasional Advisor

Re: Broadcast storm on ProCurve 4000M?

Well, the Vlan setup is worth checking out, but I've alreayd updated the firmware on the 4000M switch that's causing the problem.

it's currently running 09_19, it used to be on 09_09.

I really don't want to try reseting it to factory settings just yet.

This switch provides access for a college computer lab. If the switch goes down, or gets the settings messed up, it may make us have to shut down the lab until we get everything operational again, would reseting it to factory specs be reversible? Could I bakc up the current configuration somehow?
Ralph Bean_2
Trusted Contributor

Re: Broadcast storm on ProCurve 4000M?

David -

What non-default features (IGMP, meshing, etc.) do you have turned on?

Regards,
Ralph
David McLean
Occasional Advisor

Re: Broadcast storm on ProCurve 4000M?

As far as I know, we aren't using any non-default setups, except for maybe the VLan.

I'd have to check to be sure, and I won't be able to do that until tomorrow.

I was looking around the forum, though, and noticed that Ethereal information seems to help. I downloaded it and captured some packets from my network to see what all the activity is.

about 55% of the activity on my netowrk seems to be ARP.

I've attached a screenshot, tell me what you think.
OLARU Dan
Trusted Contributor

Re: Broadcast storm on ProCurve 4000M?

1. Try to set MAC Age Interval to 30 minutes. You find this field in "Switch Configuration - System Information". Default value is 5 minutes, but it seems this is not enough. You might want to do this to all your switches.

2. What in your network changed in the "past week or so"? Added more clients; people moving around; all stations try to renew their DHCP leases?

3. You may have "the monday-morning syndrome". See http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=486528
David McLean
Occasional Advisor

Re: Broadcast storm on ProCurve 4000M?

it's not the DHCP server, or any of the servers.

Also, we haven't changed the network here in 2 years.

And this DEFINATLY isn't monday morning syndrome.

This has been going on for about 2 weeks. We almost never shut down our servers or switches here.

I might try changing the MAC age interval, but I don't know if that will even help, I might just have to end up calling in someone from HP.
OLARU Dan
Trusted Contributor

Re: Broadcast storm on ProCurve 4000M?

David,

before calling HP support, try changing the MAC Age Interval. Watch how your switch behaves next monday morning. There was some thread in this section, 8-9 months ago, in which somebody complained about similar problems in 4000M switches, and increasing this Interval from 5 to 30 minutes alleviated the problem.

I've set it to 30 minutes on my 4000Ms and 4108GLs, so my monday-morning syndrome seems to be due mainly to DHCP.
OLARU Dan
Trusted Contributor

Re: Broadcast storm on ProCurve 4000M?

It is not the DHCP server itself that is broken, but the fact that ~500 PCs try to lease another IP address using UDP broadcasts.

ARP broadcasts by clients to find the IPs of the DHCP server, the login server, the e-mail server (many users have put their Outlook client in Startup), file sharing server (our users map 3-4 drives from the file servers at each Windows startup).

Also switches flood frames until they build their forwarding tables.
David McLean
Occasional Advisor

Re: Broadcast storm on ProCurve 4000M?

did you guys even look at the screenshot I uploaded?

it seems to me that the majority isn't a bunch of different computers asking for a bunch of different IP to MAC resolution, it's 192.186.1.8 asking who has 192.168.1.2

and it's broadcasting this every .75 seconds, it seems.

I doubt that the MAC age interval has anything to do with that. Although I could be wrong.
cxtwo
Frequent Advisor

Re: Broadcast storm on ProCurve 4000M?

Just wondering.. is there any chance that the .8 machine is infected with a worm or virus? Does it or the .2 machine actually exist on your network?

chris
OLARU Dan
Trusted Contributor

Re: Broadcast storm on ProCurve 4000M?

Is there any ARP reply to .8 requests from .2? Is .2 alive, is .2 TCP/IP stack OK? If .8 gets the answer - why is it forgetting so fast? What about 211.67.1 - does it get some ARP replies?

Re: Broadcast storm on ProCurve 4000M?

Sorry I'm personally not familiar with the 4000M only the more recent HP switches.

An ARP request every second or so from a single device is normal. Especially is the .8 device has an application (or virus) that's constantly trying to connect to the .2 device.

If the 4000M is anything like the GL's & XL's I work with then you should be able to tftp off a copy of the current config then see if a factory reset clears the problem.

Also can the management on the switch point to a specific port that is causing the excess traffic? This may help a lot.
Stuart Teo
Trusted Contributor

Re: Broadcast storm on ProCurve 4000M?

The file name to tftp off newer Procurves is "running_config". The file name to tftp off newer the 4000m is "config"
If a problem can be fixed, there's nothing to worry. If a problem can't be fixed, worrying ain't gonna help. Bottom line: don't worry.
David McLean
Occasional Advisor

Re: Broadcast storm on ProCurve 4000M?

192.168.1.2 is the ProCurve 4000M switch itself.

192.168.1.8 is Earth, which I believe is our DHCP server, but I'm not going to be 100% on that until i can get to work and ask our server guy.