Too many ARP requests

Pete_202 Newbie ✭
edited July 2021 in Entry Level Firewalls

Model: TZ400

Firmware Version: SonicOS Enhanced 6.5.4.7-83n

We're having an issue with ARP requests from SonicWall, which causes our ISP to block us.

When there is a sudden peak of traffic, SonicWall sends out hundreds of ARP requests to the ISP gateway, which then blocks us for a couple of minutes.

Is there a possibility to limit ARP requests? The SonicWall behaviour seems not to be normal to me.

Answers

  • Saravanan Moderator
    Hi @Pete_202,

    Thank you for visiting SonicWall Community.

    Could you please check for a NAT policy containing a translated source or destination as a whole subnet instead of a specific host/IP? Also, please check for any suspicious route policy. These two may cause issues with ARP shoot-out by SonicWall.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Pete_202 Newbie ✭

    Thanks for the reply.

    I have checked the NAT policies and they all look good (no translated source or destination as a whole subnet).

    We have one route policy and that one also looks good.

  • Saravanan Moderator

    Hi @Pete_202,

    Thanks for checking on the configuration.

    Let's capture packets on the SonicWall for ARP and see if the firewall generates too many packets.

    Please click on System | Packet Monitor | Configure,

    - Settings tab: Disable all check boxes

    - Monitor Filter tab:

    * Check "Enable Bidirectional address and port matching"

    * Interface Name: Specify the WAN interface

    * Ether type: ARP

    * Everything else clear

    - Display Filter tab: Everything clear, all boxes checked

    - Advanced Monitor Filter: Everything checked

    - Click OK, and Start Capture.

    - Please click on the Refresh option in the Packet Monitor page to see the traffic.

    Let me know if you see too many ARP packets generated by the SonicWall.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Pete_202 Newbie ✭

    I already have a log available, where I monitored this issue. That's why I opened this question.

  • Saravanan Moderator

    Alright @PETE_202. In this case, could you please check the source and destination IP addresses along with the source and destination MAC addresses, try to find these in the ARP table of the SonicWall and see if they belong to SonicWall's MAC address or to any LAN or internal machines?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Pete_202 Newbie ✭

    @Saravanan

    Yes, the source IP and MAC belong to the SonicWall. It's an HA cluster so the MAC address is virtual.

    Destination IP is the ISP gateway.

  • Arkwright All-Knowing Sage ✭✭✭✭

    What is it ARPing for? The gateway's IP, or for random things on the internet?

  • Pete_202 Newbie ✭

    Gateway's IP address .. more than 250 requests all at the same time.
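
Added example, not part of the thread: one way to quantify such a burst offline is to count ARP requests for the gateway per second in an exported capture. It assumes the capture was saved in classic libpcap format with untagged Ethernet frames; the function names, the 192.0.2.x addresses, the MAC and the 250 threshold are constructed for illustration.

```python
import struct
from collections import Counter

def arp_requests_per_second(pcap: bytes, target_ip: str) -> Counter:
    """Count ARP requests asking for target_ip, keyed by capture second."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    target = bytes(int(octet) for octet in target_ip.split("."))
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        # Per-record header: ts_sec, ts_usec, captured length, original length
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            continue  # truncated frame, or EtherType is not ARP
        opcode = struct.unpack("!H", frame[20:22])[0]
        if opcode == 1 and frame[38:42] == target:  # who-has <target_ip>
            counts[ts_sec] += 1
    return counts

def burst_seconds(counts: Counter, threshold: int) -> list:
    """Seconds in which more than `threshold` requests were seen."""
    return sorted(sec for sec, n in counts.items() if n > threshold)

def build_sample_pcap() -> bytes:
    """Constructed capture: 300 requests in one second, 1 in the next, 1 reply."""
    mac = bytes.fromhex("020000000001")  # constructed sender MAC
    def arp(opcode):
        eth = b"\xff" * 6 + mac + b"\x08\x06"
        hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
        return eth + hdr + mac + bytes([192, 0, 2, 2]) + bytes(6) + bytes([192, 0, 2, 1])
    def record(sec, frame):
        return struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out += b"".join(record(1000, arp(1)) for _ in range(300))
    return out + record(1000, arp(2)) + record(1001, arp(1))

if __name__ == "__main__":
    per_second = arp_requests_per_second(build_sample_pcap(), "192.0.2.1")
    print("burst seconds:", burst_seconds(per_second, 250))
```

To use it on a real export, read the file with `open(path, "rb").read()` and pass the ISP gateway's address as `target_ip`.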

  • Saravanan Moderator

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Pete_202 Newbie ✭

    I've checked it already and it's not set:


  • Saravanan Moderator

    Hi @Pete_202,

    Possibly the issue needs assistance in real-time. Could you please approach our support team to verify the config on the SonicWall?


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Pete_202

    Most probably the issue is due to your HA Virtual MAC. So create a STATIC ARP Entry for the HA virtual MAC.


  • Pete_202 Newbie ✭

    Well, support suggested the same with a static ARP entry, which is NOT a solution for the problem and more a temporary workaround.