Too many ARP requests

Model: TZ400
Firmware Version: SonicOS Enhanced
We're having an issue with ARP requests from the SonicWall, which causes our ISP to block us.
When there is a sudden peak of traffic, the SonicWall sends out hundreds of ARP requests to the ISP gateway, which then blocks us for a couple of minutes.
Is there a possibility to limit ARP requests? The SonicWall behaviour does not seem normal to me.
Category: Entry Level Firewalls
Thank you for visiting SonicWall Community.
Could you please check for a NAT policy containing a whole subnet as the translated source or destination instead of a specific host/IP? Also, please check for any suspicious route policy. These two may cause issues with an ARP shoot-out by the SonicWall.
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thanks for the reply.
I have checked the NAT policy and they all look good (no translated source or destination as whole subnet).
We have one route policy and that one also looks good.
Hi @Pete_202,
Thanks for checking on the configuration.
Let's capture packets on the SonicWall for ARP and see if the firewall generates too many packets.
Please click on System | Packet Monitor | Configure,
- Settings tab: Disable all check boxes
- Monitor Filter tab:
  * Check "Enable Bidirectional address and port matching"
  * Interface Name: Specify the WAN interface
  * Ether type: ARP
  * Everything else clear
- Display Filter tab: Everything clear, all boxes checked
- Advanced Monitor Filter: Everything checked
- Click OK, and Start Capture.
- Please click on the Refresh option in the packet monitor page to see the traffic.
Let me know if you see too many ARP packets generated by the SonicWall.
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
I already have a log available, where I monitored this issue. That's why I opened this question.
Alright @PETE_202. In this case, could you please check the source and destination IP addresses along with the source and destination MAC addresses, try to find these in the ARP table of the SonicWall, and see if they belong to the SonicWall's MAC address or to any LAN or internal machines?
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
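The check discussed in the replies above can also be done offline on exported frames. The following is an added example, not part of the thread and not SonicWall code: it parses raw Ethernet ARP frames and reports which sender MAC/IP asks for which target IP, and how many times within one second. The function names, the 1-second window, the threshold of 50 and all sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an untagged Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, frame[22:28].hex(":"), dotted(frame[28:32]), dotted(frame[38:42])

def arp_bursts(capture, window=1.0, threshold=50):
    """capture: iterable of (timestamp_seconds, frame_bytes).
    Returns {(sender_mac, sender_ip, target_ip): peak request count in any
    `window` seconds}, keeping only flows whose peak reaches `threshold`."""
    stamps = defaultdict(list)
    for ts, frame in capture:
        arp = parse_arp(frame)
        if arp and arp[0] == 1:  # opcode 1 = request (who-has); replies are ignored
            stamps[arp[1:]].append(ts)
    peaks = {}
    for flow, times in stamps.items():
        times.sort()
        peak = start = 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            peaks[flow] = peak
    return peaks

def build_request(src_mac, src_ip, dst_ip):
    """Build a constructed broadcast ARP request for the sample data below."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + ip(src_ip) + bytes(6) + ip(dst_ip)
    return b"\xff" * 6 + mac + b"\x08\x06" + arp

# Constructed sample: 250 requests for the gateway within 0.25 s from one
# sender (standing in for the HA virtual MAC), plus a quiet second sender.
SAMPLE = [(100 + i * 0.001, build_request("02:00:5e:00:53:01", "192.0.2.10", "192.0.2.1"))
          for i in range(250)]
SAMPLE += [(t, build_request("02:00:5e:00:53:02", "192.0.2.20", "192.0.2.1"))
           for t in (90.0, 110.0, 130.0)]

if __name__ == "__main__":
    for (mac, src, dst), peak in arp_bursts(SAMPLE).items():
        print(f"{mac} ({src}) asked for {dst} {peak} times within 1 s")
```

A flow that shows up here with the firewall's own MAC as sender and the gateway as target matches the pattern described in this thread; comparing the reported MAC against the firewall's ARP table is still a manual step.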
Yes, the source IP and MAC belong to the SonicWall. It's an HA cluster so the MAC address is virtual.
Destination IP is the ISP Gateway.
What is it ARPing for? The gateway's IP, or for random things on the internet?
Gateway's IP address ... more than 250 requests all at the same time.
Hi @Pete_202,
Could you please try the steps in the KB article below?
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
I've checked it already and it's not set:
Hi @Pete_202,
Possibly the issue needs assistance in real-time. Could you please approach our support team to verify the config on the SonicWall?
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @Pete_202
Most probably the issue is due to your HA Virtual MAC. So create a static ARP entry for the HA virtual MAC.
Well, support suggested the same with a static ARP entry, which is NOT a solution for the problem and more of a temporary workaround.