Re: problem with ARP cache?

Sean OB_1 · ‎09-10-2003

Hello.
I'm seeing the following messages created in OVO. From what I understand this trap can result from either a duplicate IP, or a stale ARP cache for a machine that received a new NIC.

I'm concerned that the same MAC address is being reported for many different IP addresses, and the traps are coming from a few different machines.

Any thoughts on what is going on here?

Major --X---- 19:13:58 09/09/03 webcalendar.matc.edu SNMPTraps SNMP webcalendar.matc.edu mail.milwaukee.tec.wi.us reports address 0x00000C07AC80 for 148.8.32.103, webcalendar.matc.edu reported 0x0002A5EF221B via SNMP
Major 7 --X--X- 16:46:26 09/09/03 dataware.matc.edu SNMPTraps SNMP dataware.matc.edu mail.milwaukee.tec.wi.us reports address 0x00000C07AC80 for 148.8.32.77, dataware.matc.edu reported 0x080020CFC12B via SNMP
Major 14 --X--X- 16:46:26 09/09/03 cricket.matc.edu SNMPTraps SNMP cricket.matc.edu mail.milwaukee.tec.wi.us reports address 0x00000C07AC80 for 148.8.32.78, cricket.matc.edu reported 0x080020B085B0 via SNMP
Major 11 --X--X- 17:01:26 09/09/03 gwise5.matc.edu SNMPTraps SNMP gwise5.matc.edu mail.milwaukee.tec.wi.us reports address 0x00000C07AC80 for 148.8.60.15, gwise5.matc.edu reported 0x000BCD9C61AB via SNMP
Major 7 --X--X- 19:43:58 09/09/03 mms2.matc.edu SNMPTraps SNMP mms2.matc.edu mail.milwaukee.tec.wi.us reports address 0x00000C07AC80 for 148.8.60.25, mms2.matc.edu reported 0x0002A56B97DA via SNMP
Major 1 --X--X- 21:13:58 09/09/03 cw2000.matc.edu SNMPTraps SNMP cw2000.matc.edu mail.milwaukee.tec.wi.us reports address 0x00000C07AC80 for 148.8.60.34, cw2000.matc.edu reported 0x0002A5AD47F1 via SNMP
Major 8 --X--X- 16:16:25 09/09/03 mms1.matc.edu SNMPTraps SNMP mms1.matc.edu mail.milwaukee.tec.wi.us reports address 0x00000C07AC80 for 148.8.60.35, mms1.matc.edu reported 0x0002A56B9CC0 via SNMP
Major 12 --X--X- 17:01:13 09/09/03 is1.matc.edu SNMPTraps SNMP is1.matc.edu blackboard.matc.edu reports address 0x00000C07AC80 for 148.8.60.122, is1.matc.edu reported 0x0002A55C5DA6 via SNMP
Major 8 --X--X- 17:16:13 09/09/03 ovis.matc.edu SNMPTraps SNMP ovis.matc.edu blackboard.matc.edu reports address 0x00000C07AC80 for 148.8.60.7, ovis.matc.edu reported 0x000BCD9C3A73 via SNMP
Major 2 --X--X- 20:47:17 09/09/03 dataware.matc.edu SNMPTraps SNMP dataware.matc.edu blackboard1.matc.edu reports address 0x00000C07AC80 for 148.8.32.77, dataware.matc.edu reported 0x080020CFC12B via SNMP

Steven Gillard_2 · ‎09-10-2003

I think its most likely that you have proxy-ARP enabled on a device close to the mail.milwaukee.tec.wi.us system, mainly because of the number of events you're getting and because the mismatch is always with the same layer 2 address (0x00000C07AC80).

Incorrectly configured Cisco PIX firewalls are notorious for responding to ARP request by proxy, so if you have one of these in your network I would start there. Otherwise you need to locate the device that owns the address 0x00000C07AC80.

I've attached the description text from my trapd.conf file describing some troubleshooting steps that you may or may not have seen.

Regards,
Steve

Sean OB_1 · ‎09-10-2003

When I snmpwalk mail.milwaukee.tec.wi.us for the arp cache all entries in the cache have the same physical address.

We do have a PIX firewall here, so I'll get with the network team and see what they can find out.

Ron Kinner · ‎09-11-2003

The 00000C in the vendor portion of the address indicates that the culprit is a Cisco device so it is probably the Pix or a router which is answering the phone.

http://www.iana.org/assignments/ethernet-numbers

I suspect it's the Pix and that this is the way the Pix works so you may just have to tell OV to ignore this sort of thing.

Ron

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: problem with ARP cache?

problem with ARP cache?