ARP broadcasts sent but no responses

mputin · 02-12-2008, 03:36 AM

Hi

Im looking after a network of about 80 computers and have been having ARP issues on the net.

Network setup as follows:
Linux server operating as proxy (squid), DHCP and DNS server
Numerous client computers running various OS's including Vista, XP, MAC OS and linux
IP network is 192.168.1.0/24 although the DHCP service is set up to allocate in the range 192.168.1.100 - 192.168.1.254
The external interface is running fine and is not related to the issue at hand.
Various COTS switches and routers (working as switches hopefully)

Previously this network was working fine, however in the past few days we have been having issues that are progressively getting worse.

Basically what is happening is as a computer tries to communicate with a local computer that does not already have an entry in its ARP cache, it is unable to find that computer. Iv had a network sniffer out on the network and I can see the ARP request being broadcast, however it looks like no computer replies. I can statically enter the IP/MAC and it works fine but thats not really an option on this network for everyone. The other issue which I believe is feeding off this is if a new computer comes onto the network and asks for an IP address, the DHCP server does not respond, unless once again the DHCP server is statically put in.

The client PC's are controlled by the users (there is no SOE as it is very much adhoc in nature) and as you can tell are a variety of flavours which leads me to believe that it is not some bug with any particular OS. Iv reset network adapters, cleared ARP caches, reset the IP stack with the no difference (not that I would expect any of that to work as it is a network wide issue).

I have a couple of theories Id like to bounce around:
1) One of the routers that is meant to be operating as a switch may be misconfigured and is somehow poisoning all the ARP entries. The problem with this is they are generally vary basic in terms of configuration options and I cant really see any of them playing with the settings anyway.
2) Virus could be DoS'ing me using some sort ARP poisoning. If so, any ideas what sort traffic I should be looking for to try and track down the offending host
3) The Linux server is at the core and may be doing something funky... I dunno what though and it has been working fine for a very long time.

Any ideas would be greatly appreciated.......

bogdraggon · 02-24-2008, 08:21 AM

Sounds like your dhcp server is causing the problem have you checked your config?

You can configure DHCP only to give addresses to known machines. You need to give the MAC address to the DHCP server.

Also check your dns setup.

Also have you tried to turn the firewall off on the local network eth card to make sure that you are not blocking any traffic?

Let us know what Linux distro you are using and what packages you are using.

mputin · 03-01-2008, 04:57 PM

Thanks for the reply bogdraggon

The DHCP looks good to me. That said, I really wouldnt be surprised if there is a rogue DHCP server on the network somewhere. Unfortunately the network is just to big and to transient to only give addresses to known machines.

The DNS service is actually configured to send all DNS requests to the DNS servers provided by the ISP. Sorry, I should have made that clear.

I have turned off my firewall with no change and to be honest, most of the other users on the network probably dont even have firewalls. That said it works fine most of the time with the firewalls on.

Currently the network is running perfectly, however I have decided it is all to "loose", and as such I will be rolling back the cabling infrastructure and forcing them to use the switches I put in and hotspots I set up (probably how it should have been done in the first place).

For the record....
Its Fedora Core 4. ISC DHCP 3.0.2. Squid v2.5

02-12-2008, 03:36 AM	#1 (permalink)
mputin Registered User Join Date: Feb 2008 Posts: 3 OS: Vista	ARP broadcasts sent but no responses Hi Im looking after a network of about 80 computers and have been having ARP issues on the net. Network setup as follows: Linux server operating as proxy (squid), DHCP and DNS server Numerous client computers running various OS's including Vista, XP, MAC OS and linux IP network is 192.168.1.0/24 although the DHCP service is set up to allocate in the range 192.168.1.100 - 192.168.1.254 The external interface is running fine and is not related to the issue at hand. Various COTS switches and routers (working as switches hopefully) Previously this network was working fine, however in the past few days we have been having issues that are progressively getting worse. Basically what is happening is as a computer tries to communicate with a local computer that does not already have an entry in its ARP cache, it is unable to find that computer. Iv had a network sniffer out on the network and I can see the ARP request being broadcast, however it looks like no computer replies. I can statically enter the IP/MAC and it works fine but thats not really an option on this network for everyone. The other issue which I believe is feeding off this is if a new computer comes onto the network and asks for an IP address, the DHCP server does not respond, unless once again the DHCP server is statically put in. The client PC's are controlled by the users (there is no SOE as it is very much adhoc in nature) and as you can tell are a variety of flavours which leads me to believe that it is not some bug with any particular OS. Iv reset network adapters, cleared ARP caches, reset the IP stack with the no difference (not that I would expect any of that to work as it is a network wide issue). I have a couple of theories Id like to bounce around: 1) One of the routers that is meant to be operating as a switch may be misconfigured and is somehow poisoning all the ARP entries. The problem with this is they are generally vary basic in terms of configuration options and I cant really see any of them playing with the settings anyway. 2) Virus could be DoS'ing me using some sort ARP poisoning. If so, any ideas what sort traffic I should be looking for to try and track down the offending host 3) The Linux server is at the core and may be doing something funky... I dunno what though and it has been working fine for a very long time. Any ideas would be greatly appreciated.......

02-24-2008, 08:21 AM	#2 (permalink)
bogdraggon Registered User Join Date: Jul 2007 Posts: 43 OS: linux	Re: ARP broadcasts sent but no responses Sounds like your dhcp server is causing the problem have you checked your config? You can configure DHCP only to give addresses to known machines. You need to give the MAC address to the DHCP server. Also check your dns setup. Also have you tried to turn the firewall off on the local network eth card to make sure that you are not blocking any traffic? Let us know what Linux distro you are using and what packages you are using.

03-01-2008, 04:57 PM	#3 (permalink)
mputin Registered User Join Date: Feb 2008 Posts: 3 OS: Vista	Re: ARP broadcasts sent but no responses Thanks for the reply bogdraggon The DHCP looks good to me. That said, I really wouldnt be surprised if there is a rogue DHCP server on the network somewhere. Unfortunately the network is just to big and to transient to only give addresses to known machines. The DNS service is actually configured to send all DNS requests to the DNS servers provided by the ISP. Sorry, I should have made that clear. I have turned off my firewall with no change and to be honest, most of the other users on the network probably dont even have firewalls. That said it works fine most of the time with the firewalls on. Currently the network is running perfectly, however I have decided it is all to "loose", and as such I will be rolling back the cabling infrastructure and forcing them to use the switches I put in and hotspots I set up (probably how it should have been done in the first place). For the record.... Its Fedora Core 4. ISC DHCP 3.0.2. Squid v2.5