Invalid ARP

Let's say there is a client router connected on switch port G1/0/6. But command on switch "show mac address table int G1/0/6" shows nothing. Also command "sh ip dhcp snooping binding int G1/0/6" also shows nothing. So i do not see routers mac or ip adress on that port. Then i run the command "no ip verify source port-security" and i see routers mac with "sh mac address table" command but do not see routers ip with "dhcp snooping".
Then in the loggs appears folowing lines:
Aug 1 07:08:18.434 EEST: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi1/0/6
, vlan 376.([0024.a534.55f3/192.168.0.100/001b.0dff.5e00/192.168.0.1/07:08:18
It seems like router got private ip address from rogue dhcp which is on the same vlan.
The question then is why "ip dhcp snooping binding" doesn't show this private ip address 192.168.0.100.
Because it is not in the dhcp snooping database switch doesn't accept packets from this router (because of ip verify source port-security command) and that's why routers mac address isn't also in mac adddress table before i used command "no ip verify source port-security". Am i right?

Hey,
DHCP Snooping binding table is created by actively monitoring server packets namely OFFER and ACK packets of DORA (Discover, Offer, Request, Ack) process. So switch running snooping never saw the OFFER and ACK packets never traversed through this switch for router IP address, hence no entry in the binding table.
For DHCP/DORA process , check the follwoing link:
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/27470-100.html#dhcpmessage
HTH.
Regards,
RS.

Similar Messages

Why all packets dropped with %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs error msg for arp inspected vlans for DMZ and Backup

Hi,
We have got cisco 3759 switch where the followign line was configrued only
ip arp inspection vlan 6,100
And on those vlans no arp inspection trust was configrued. DMZ and backup servers were connected on that switch. Switch got restarted wihtin 5 minutes for the power outage and when the swithc came online it was denying all the packets coming through the vlan 100 adn 6 althought it was allowing packets before the power outage.
It took me 30 minutes to find out that arp inspection was enables which might cause the issue, but I am still unsue why it would block all packets for vlan 100 & 6.After taking out the command ' ip arp inspection vlan 6,100' all started working fine.
What is the reason the switch had this issue? Is there any resolution for this? thanks
FYI: The error messages-
0:48:32: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.182/14:48:32 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 6.([000c.2915.1abe/220.233.31.184/0000.0000.0000/220.233.31.177/14:48:32 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.178/14:48:33 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.184/14:48:33 AEST Sun Feb 28 1993])
Regards,
Arman

Code version:
System image file is "flash:c3750-ipservicesk9-mz.122-50.SE3/c3750-ipservicesk9-mz.122-50.SE3.bin"
I don’t have any etherchannel running from the switch. It is connected to vmware machines which are on DMZ.
rgds,
arman

SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs

Hi,
after upgrading switch 2960 with latest ios release (c2960-lanbasek9-mz.150-2.SE5.bin) i have problem with DHCP snooping. These massage pop out:
04264: Mar 25 21:53:09: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 8.([30f7.0dad.a5d9/10.11.8.29/0026.cb33.10ff/10.11.8.1/21:53:09 CET Tue Mar 25 2014])
004265: Mar 25 21:53:11: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/20, vlan 8.([d48c.b527.f1ec/10.11.8.47/0026.cb33.10ff/10.11.8.1/21:53:10 CET Tue Mar 25 2014])
004266: Mar 25 21:53:14: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/24, vlan 3.([c84c.75a9.8bee/10.11.3.6/0000.0000.0000/10.11.3.1/21:53:13 CET Tue Mar 25 2014])
2960 switch is connected to distribution switch 4509, and i clear all mac address-table, arp table, clear ip dhcp binding, snooping everything (on boat access and distribution).... shutdown the port, reset switch but i am still receiving those messages.
vlan 8 is voice vlan - cisco phones...
Dhcp server is 4509 distribution switch...
example - port config:
interface FastEthernet0/20
switchport access vlan 31
switchport mode access
switchport nonegotiate
switchport voice vlan 8
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 10
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 50
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
Now port is running in "ip arp inspection trust" so user can access network (but that is no solution)....
So what else can I do, how to clear those DHCP_SNOOPING_DENY message?
Regards,
Ivan

Just update with other IOS c2960-lanbasek9-mz.150-2.SE4.bin and everything work ok.
Again upgrade to newest one c2960-lanbasek9-mz.150-2.SE5.bin gain same message appears.
4264: Mar 25 21:53:09: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 8.([30f7.0dad.a5d9/10.11.8.29/0026.cb33.10ff/10.11.8.1/21:53:09 CET Tue Mar 25 2014])
004265: Mar 25 21:53:11: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/20, vlan 8.([d48c.b527.f1ec/10.11.8.47/0026.cb33.10ff/10.11.8.1/21:53:10 CET Tue Mar 25 2014
Upgrade to 150-2.SE4.bin and everything work ok...
Strange :-)

DHCP/ARP issue in WLC

We have an issue where the client PCs are not receiving IP address from DHCP though they get authenticated. Clients with static IP address don't have any issue. I get the below DHCP error message from the logs,
%DHCP-4-INVALID_VLANID_ARP: dhcp_proxy.c:1035 ARP table stores invalid vlan id 0, for the IP Addr 0x85. Expected vlan id for this ip address is 174616833
And in the ARP table, I see an invalid arp entry for the gateway IP address for a particular VLAN.
00:0D:BC:2B:76:BF   10.104.113.1     2      0      Host
While this MAC address should be learned from port 1 and in VLAN 133, it shows as port 2 and VLAN 0. The ARP entry gets corrected itself when I flush the ARP cache or if I do a ping to the IP from WLC.
Interface Name                   Port Vlan Id IP Address      Type    Ap Mgr Guest
kwe-wireless                     1    133      10.104.113.2    Dynamic No     No
WLC Model - 4402
OS Version - 5.1.151.0

Well just for information purpose, the v5.x is the worst code version out there. Since you have 4400's, I would upgrade to v7.0.x. Makes ire your AP's are compatible by looking at this list.
http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
Sent from Cisco Technical Support iPhone App

ARP Inspection Question

All,
I don't have a way of labbing this up at the moment, so I have a question to see what everyone else has seen in the past. Consider the following topology (attached).
DHCP Snooping and DAI are enabled across all switches. The dhcp snooping binding table has host A listed on the switch that host A connects to, and there is a dhcp snooping database on the dhcp server. Host A is in an office, but this person needs to go to a conference room that connects to switch C. Switch C doesn't know anything about the dhcp snooping entry from switch B. Will host A be able to pass traffic, or will DAI stop the traffic from being passed until an arp acl is configured on switch c or the port is trusted that host A connects to? If it's able to pass traffic, how is switch C learning it? Does it request the mac address/ip pair from the dhcp server and then enter it into it's own binding table? This is what I'm thinking because otherwise dai is going to be hard for me to manage.
Also, I couldn't find a way of doing this, but is there a way of sharing a database across switches? It seemed like it was creating a new file even though the same name was given, so I ended up naming them by switch - switcha.dhcpBinding, etc.
Thanks!
John

Hi Rolf,
I have some concerns regarding DAI in our organization. i have applied DAI on all our access switches(Cisco), our DHCP server is Cisco 6509 core switch. All teh trunk ports connecting to core switch are "Trusted Interfaces with rate limit unlimited".
all the client systems are getting proper IPs from DHCP. But there is something missing behind the scene.
Please see the below DHCP DAI inspection logs taken from one of access switch.
PDOWN: Interface GigabitEthernet0/30, changed state to down
250566: Mar 9 11:30:56: %LINK-3-UPDOWN: Interface GigabitEthernet0/30, changed state to up
250567: Mar 9 11:30:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/30, changed state to up
250568: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/30 for pak. Was not set
250569: 2w2d: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/30
250570: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/30 for pak. Was not set
250571: 2w2d: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/30)
250572: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi0/30, MAC da: ffff.ffff.ffff, MAC sa: 18a9.05ed.8b87, IP da: 255.255.255.255, IP sa: 0.0.0.0,
DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
250573: 2w2d: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (120)
250574: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/50 for pak. Was not set
250575: 2w2d: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/50
250576: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/50 for pak. Was not set
250577: 2w2d: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/50)
250578: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/50, MAC da: 18a9.05ed.8b87, MAC sa: 0015.2c31.4800, IP da: 192.168.120.104, IP sa: 192.168.120.1,
DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.120.104, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
250579: 2w2d: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 18a9.05ed.8b87
250580: 2w2d: DHCP_SNOOPING: can't find client's destination port, packet is assumed to be not from local switch, no binding update is needed.
250581: 2w2d: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 18a9.05ed.8b87
250582: 2w2d: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 18a9.05ed.8b87
250583: 2w2d: DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.
250584: Mar 9 11:31:05: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/30, vlan 120.([18a9.05ed.8b87/169.254.93.237/0000.0000.0000/169.254.93.237/14:31:04 Sun Mar 9 2014])
250585: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/30 for pak. Was not set
250586: 2w2d: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/30
250587: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/30 for pak. Was not set
250588: 2w2d: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/30)
250589: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi0/30, MAC da: ffff.ffff.ffff, MAC sa: 18a9.05ed.8b87, IP da: 255.255.255.255, IP sa: 0.0.0.0,
DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
250590: 2w2d: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (120)
250591: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/50 for pak. Was not set
250592: 2w2d: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/50
250593: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/50 for pak. Was not set
250594: 2w2d: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/50)
250595: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/50, MAC da: 18a9.05ed.8b87, MAC sa: 0015.2c31.4800, IP da: 192.168.120.104, IP sa: 192.168.120.1,
DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.120.104, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
250596: 2w2d: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet0/30.
I have no idea what i am missing??
could you please help me out to fix this issue as soon as possible.
You can reach me at [email protected]
Regards,
Azeem

ARP inspection Logs

Hi,
I have configured ARP inspection along with DHCP snooping.
All the computers are getting the IPs properly and building the snooping database. but once I disable and enable the network adapter, it starts discovering for IP address, in that process ARP inspection shows log in the switch says invalid ARP (Req) on the port with MAC address of the system and Microsoft Automatic IP even after IP address and the port number entry in the snooping database .
My cisco Model is 3560 and IOS ver is 15.0 (2) SE6
Any suggestions what is the issue.
Regards,
Azeem

Hi Bekzod,
have you disabled insertion of option-82
if not then type in your switch this command:-
no ip dhcp snooping information option
Can you post your configuration you have done for DHCP snooping.

Finder crashes when connecting to server (10.9.4)

I have been having an issue with my Mac Mini the last few days when it tries to connect to my local server.
The first few times I can access the server normally through Finder, but after a few goes Finder freezes (spinning beach ball on finder - other apps work ok) up completely and needs to be restarted. Once it has restarted and I re-open Finder, it freezes up again completely until I restart my computer. The same applies when I try to access the server from other apps (eg. when adding a photo from the server to something in Chrome).
I have reset PRAM, verified/repaired disk, run CCleaner.
Any solutions to this issue?
Mac Mini mid-2011
Processor 2.5 GHz Intel Core i5
Memory 4 GB 1333 MHz DDR3
Running 10.9.4

Sorry...
tcp:
    61269 packets sent
        14501 data packets (5423429 bytes)
        457 data packets (298568 bytes) retransmitted
        0 resends initiated by MTU discovery
        34229 ack-only packets (284 delayed)
        0 URG only packets
        0 window probe packets
        8915 window update packets
        3181 control packets
        0 data packets sent after flow control
        0 checksummed in software
            0 segments (0 bytes) over IPv4
            0 segments (0 bytes) over IPv6
    66665 packets received
        15538 acks (for 5408457 bytes)
        1286 duplicate acks
        0 acks for unsent data
        46049 packets (49418889 bytes) received in-sequence
        233 completely duplicate packets (175429 bytes)
        0 old duplicate packets
        1 packet with some dup. data (996 bytes duped)
        6329 out-of-order packets (8815198 bytes)
        0 packets (0 bytes) of data after window
        0 window probes
        70 window update packets
        166 packets received after close
        0 bad resets
        0 discarded for bad checksums
        0 checksummed in software
            0 segments (0 bytes) over IPv4
            0 segments (0 bytes) over IPv6
        0 discarded for bad header offset fields
        0 discarded because packet too short
    1604 connection requests
    50 connection accepts
    0 bad connection attempts
    0 listen queue overflows
    1622 connections established (including accepts)
    1613 connections closed (including 48 drops)
        37 connections updated cached RTT on close
        37 connections updated cached RTT variance on close
        15 connections updated cached ssthresh on close
    0 embryonic connections dropped
    15554 segments updated rtt (of 13699 attempts)
    544 retransmit timeouts
        20 connections dropped by rexmit timeout
        0 connections dropped after retransmitting FIN
    2 persist timeouts
        0 connections dropped by persist timeout
    0 keepalive timeouts
        0 keepalive probes sent
        0 connections dropped by keepalive
    2887 correct ACK header predictions
    40214 correct data packet header predictions
    79 SACK recovery episodes
    43 segment rexmits in SACK recovery episodes
    39243 byte rexmits in SACK recovery episodes
    256 SACK options (SACK blocks) received
    6226 SACK options (SACK blocks) sent
    0 SACK scoreboard overflow
    0 LRO coalesced packets
        0 times LRO flow table was full
        0 collisions in LRO flow table
        0 times LRO coalesced 2 packets
        0 times LRO coalesced 3 or 4 packets
        0 times LRO coalesced 5 or more packets
    3 limited transmits done
    106 early retransmits done
    20 times cumulative ack advanced along with SACK
udp:
    6116 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        0 with no checksum
        0 checksummed in software
            0 datagrams (0 bytes) over IPv4
            0 datagrams (0 bytes) over IPv6
        41 dropped due to no socket
        2230 broadcast/multicast datagrams undelivered
        0 times multicast source filter matched
        0 dropped due to full socket buffers
        0 not for hashed pcb
        3845 delivered
    994 datagrams output
        69 checksummed in software
            0 datagrams (0 bytes) over IPv4
            69 datagrams (11318 bytes) over IPv6
ip:
    72011 total packets received
        0 bad header checksums
        0 headers (0 bytes) checksummed in software
        0 with size smaller than minimum
        0 with data size < data length
        3522 with data size > data length
            0 packets forced to software checksum
        0 with ip length > max ip packet size
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        0 fragments received
            0 dropped (dup or out of space)
            0 dropped after timeout
            0 reassembled ok
        71997 packets for this host
        14 packets for unknown/unsupported protocol
        0 packets forwarded (0 packets fast forwarded)
        0 packets not forwardable
        0 packets received for unknown multicast group
        0 redirects sent
    62678 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header
        0 packets dropped due to no bufs for control data
        71 headers (1428 bytes) checksummed in software
icmp:
    41 calls to icmp_error
    0 errors not generated 'cuz old message was icmp
    Output histogram:
        destination unreachable: 41
    0 messages with bad code fields
    0 messages < minimum length
    0 bad checksums
    0 messages with bad length
    0 multicast echo requests ignored
    0 multicast timestamp requests ignored
    Input histogram:
        destination unreachable: 14
    0 message responses generated
    ICMP address mask responses are disabled
igmp:
    0 messages received
    0 messages received with too few bytes
    0 messages received with wrong TTL
    0 messages received with bad checksum
    0 V1/V2 membership queries received
    0 V3 membership queries received
    0 membership queries received with invalid field(s)
    0 general queries received
    0 group queries received
    0 group-source queries received
    0 group-source queries dropped
    0 membership reports received
    0 membership reports received with invalid field(s)
    0 membership reports received for groups to which we belong
    0 V3 reports received without Router Alert
    2 membership reports sent
ipsec:
    0 inbound packets processed successfully
    0 inbound packets violated process security policy
    0 inbound packets with no SA available
    0 invalid inbound packets
    0 inbound packets failed due to insufficient memory
    0 inbound packets failed getting SPI
    0 inbound packets failed on AH replay check
    0 inbound packets failed on ESP replay check
    0 inbound packets considered authentic
    0 inbound packets failed on authentication
    0 outbound packets processed successfully
    0 outbound packets violated process security policy
    0 outbound packets with no SA available
    0 invalid outbound packets
    0 outbound packets failed due to insufficient memory
    0 outbound packets with no route
arp:
    5 ARP requests sent
    9 ARP replies sent
    0 ARP announcements sent
    98 ARP requests received
    6 ARP replies received
    104 total ARP packets received
    0 ARP conflict probes sent
    0 invalid ARP resolve requests
    0 total packets dropped due to lack of memory
    3 total packets dropped due to no ARP entry
    0 total packets dropped during ARP entry removal
    12 ARP entries timed out
    0 Duplicate IPs seen
ip6:
    793 total packets received
        0 with size smaller than minimum
        0 with data size < data length
        0 with data size > data length
            0 packets forced to software checksum
        0 with bad options
        0 with incorrect version number
        0 fragments received
            0 dropped (dup or out of space)
            0 dropped after timeout
            0 exceeded limit
            0 reassembled ok
        784 packets for this host
        0 packets forwarded
        0 packets not forwardable
        0 redirects sent
        0 multicast packets which we don't join
        0 packets whose headers are not continuous
        0 tunneling packets that can't find gif
        0 packets discarded due to too may headers
        0 forward cache hit
        0 forward cache miss
        0 packets dropped due to no bufs for control data
    126 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        4145 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 packets that violated scope rules
    Input histogram:
        TCP: 22
        UDP: 762
        ICMP6: 9
    Mbuf statistics:
        507 one mbuf
        two or more mbuf:
            lo0= 69
        217 one ext mbuf
        0 two or more ext mbuf
        0 failures of source address selection
icmp6:
    0 calls to icmp_error
    0 errors not generated because old message was icmp error or so
    0 errors not generated because rate limitation
    Output histogram:
        router solicitation: 4
        neighbor solicitation: 4
        neighbor advertisement: 4
        MLDv2 listener report: 7
    0 messages with bad code fields
    0 messages < minimum length
    0 bad checksums
    0 messages with bad length
    Input histogram:
        neighbor solicitation: 3
        neighbor advertisement: 6
    Histogram of error messages to be generated:
        0 no route
        0 administratively prohibited
        0 beyond scope
        0 address unreachable
        0 port unreachable
        0 packet too big
        0 time exceed transit
        0 time exceed reassembly
        0 erroneous header field
        0 unrecognized next header
        0 unrecognized option
        0 redirect
        0 unknown
    0 message responses generated
    0 messages with too many ND options
    0 messages with bad ND options
    0 bad neighbor solicitation messages
    3 bad neighbor advertisement messages
    0 bad router solicitation messages
    0 bad router advertisement messages
    0 bad redirect messages
    0 path MTU changes
ipsec6:
    0 inbound packets processed successfully
    0 inbound packets violated process security policy
    0 inbound packets with no SA available
    0 invalid inbound packets
    0 inbound packets failed due to insufficient memory
    0 inbound packets failed getting SPI
    0 inbound packets failed on AH replay check
    0 inbound packets failed on ESP replay check
    0 inbound packets considered authentic
    0 inbound packets failed on authentication
    0 outbound packets processed successfully
    0 outbound packets violated process security policy
    0 outbound packets with no SA available
    0 invalid outbound packets
    0 outbound packets failed due to insufficient memory
    0 outbound packets with no route
rip6:
    0 messages received
    0 checksum calcurations on inbound
    0 messages with bad checksum
    0 messages dropped due to no socket
    0 multicast messages dropped due to no socket
    0 messages dropped due to full socket buffers
    0 delivered
    0 datagrams output
pfkey:
    0 requests sent to userland
    0 bytes sent to userland
    0 messages with invalid length field
    0 messages with invalid version field
    0 messages with invalid message type field
    0 messages too short
    0 messages with memory allocation failure
    0 messages with duplicate extension
    0 messages with invalid extension type
    0 messages with invalid sa type
    0 messages with invalid address extension
    0 requests sent from userland
    0 bytes sent from userland
    0 messages toward single socket
    0 messages toward all sockets
    0 messages toward registered sockets
    0 messages with memory allocation failure

Everything is working (wifi out), but arch pc is not pingable

Hi there!
Please excuse any formal errors, this is my first post here. I tried to find some
helpful post in the forum but didn't get anything helping me with this situation.
Setup: Router(Fritzbox), Windows 7, Arch,....
On my Arch I have a RealTek 8192CE wifi module, which I got working very well
by disabling ips and fwlps)
Workin right now on the Arch and wifi is just working fine, but there is no chance
to get pinged by other machines.
My Settings:
(wicd is doing the wifi connection)
# /etc/rc.conf - Main Configuration for Arch Linux
# See 'man 5 rc.conf' for more details
# LOCALIZATION
HARDWARECLOCK="localtime"
TIMEZONE="Europe/Berlin"
KEYMAP="de-latin1-nodeadkeys"
CONSOLEFONT=
CONSOLEMAP=
LOCALE="de_DE.UTF-8"
DAEMON_LOCALE="yes"
USECOLOR="yes"
# HARDWARE
MODULES=()
USEDMRAID="no"
USEBTRFS="no"
USELVM="no"
# NETWORKING
HOSTNAME=idearch
INTERFACE=
address=
netmask=
broadcast=
gateway=
NETWORK_PERSIST="no"
# DAEMONS
DAEMONS=(syslog-ng dbus wicd mpd mpdscribble sshd crond)
ifconfig
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
inet 192.168.178.34 netmask 255.255.255.0 broadcast 192.168.178.255
inet6 fe80::2210:7aff:fe39:466d prefixlen 64 scopeid 0x20<link>
ether 20:10:7a:39:46:6d txqueuelen 1000 (Ethernet)
RX packets 9846 bytes 5316090 (5.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9987 bytes 1929228 (1.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.178.1 0.0.0.0 UG 303 0 0 wlan0
192.168.178.0 0.0.0.0 255.255.255.0 U 303 0 0 wlan0
wicd.log
2012/07/10 22:48:18 :: enctype is wpa-psk
2012/07/10 22:48:18 :: Attempting to authenticate...
2012/07/10 22:48:18 :: ['wpa_supplicant', '-B', '-i', 'wlan0', '-c', '/var/lib/wicd/configurations/1caff7de7331', '-Dwext']
2012/07/10 22:48:18 :: ['iwconfig', 'wlan0', 'essid', '--', 'D-Link oben']
2012/07/10 22:48:18 :: iwconfig wlan0 channel 1
2012/07/10 22:48:18 :: iwconfig wlan0 ap 1C:AF:F7:DE:73:31
2012/07/10 22:48:18 :: WPA_CLI RESULT IS DISCONNECTED
2012/07/10 22:48:19 :: iwconfig wlan0
2012/07/10 22:48:19 :: WPA_CLI RESULT IS COMPLETED
2012/07/10 22:48:19 :: Running DHCP with hostname idearch
2012/07/10 22:48:19 :: /usr/sbin/dhcpcd -h idearch --noipv4ll wlan0
2012/07/10 22:48:19 :: dhcpcd[4600]: version 5.5.6 starting
2012/07/10 22:48:19 ::
2012/07/10 22:48:19 :: dhcpcd[4600]: wlan0: sending IPv6 Router Solicitation
2012/07/10 22:48:19 ::
2012/07/10 22:48:19 :: dhcpcd[4600]: wlan0: sendmsg: Cannot assign requested address
2012/07/10 22:48:19 ::
2012/07/10 22:48:19 :: dhcpcd[4600]: wlan0: broadcasting for a lease
2012/07/10 22:48:19 ::
2012/07/10 22:48:21 :: iwconfig wlan0
2012/07/10 22:48:23 :: dhcpcd[4600]: wlan0: sending IPv6 Router Solicitation
2012/07/10 22:48:23 ::
2012/07/10 22:48:23 :: iwconfig wlan0
2012/07/10 22:48:25 :: dhcpcd[4600]: wlan0: offered 192.168.178.34 from 192.168.178.1
2012/07/10 22:48:25 ::
2012/07/10 22:48:25 :: dhcpcd[4600]: wlan0: acknowledged 192.168.178.34 from 192.168.178.1
2012/07/10 22:48:25 ::
2012/07/10 22:48:25 :: dhcpcd[4600]: wlan0: checking for 192.168.178.34
2012/07/10 22:48:25 ::
2012/07/10 22:48:26 :: iwconfig wlan0
2012/07/10 22:48:27 :: dhcpcd[4600]: wlan0: sending IPv6 Router Solicitation
2012/07/10 22:48:27 ::
2012/07/10 22:48:28 :: iwconfig wlan0
2012/07/10 22:48:30 :: iwconfig wlan0
2012/07/10 22:48:31 :: dhcpcd[4600]: wlan0: leased 192.168.178.34 for 864000 seconds
2012/07/10 22:48:31 ::
2012/07/10 22:48:31 :: dhcpcd[4600]: forked to background, child pid 4659
2012/07/10 22:48:31 ::
2012/07/10 22:48:31 ::
2012/07/10 22:48:31 :: DHCP connection successful
2012/07/10 22:48:31 :: not verifying
2012/07/10 22:48:31 :: Connecting thread exiting.
2012/07/10 22:48:31 :: ifconfig wlan0
2012/07/10 22:48:31 :: IP Address is: 192.168.178.34
2012/07/10 22:48:32 :: Sending connection attempt result success
2012/07/10 22:48:32 :: ifconfig eth0
2012/07/10 22:48:32 :: Reading wired profile wired-default
2012/07/10 22:48:32 :: found ip in configuration None
2012/07/10 22:48:32 :: found broadcast in configuration None
2012/07/10 22:48:32 :: found netmask in configuration None
2012/07/10 22:48:32 :: found gateway in configuration None
2012/07/10 22:48:32 :: found search_domain in configuration None
2012/07/10 22:48:32 :: found dns_domain in configuration None
2012/07/10 22:48:32 :: found dns1 in configuration None
2012/07/10 22:48:32 :: found dns2 in configuration None
2012/07/10 22:48:32 :: found dns3 in configuration None
2012/07/10 22:48:32 :: found beforescript in configuration None
2012/07/10 22:48:32 :: found afterscript in configuration None
2012/07/10 22:48:32 :: found predisconnectscript in configuration None
2012/07/10 22:48:32 :: found postdisconnectscript in configuration None
2012/07/10 22:48:32 :: found encryption_enabled in configuration None
2012/07/10 22:48:32 :: found default in configuration True
2012/07/10 22:48:32 :: found dhcphostname in configuration idearch
What I know:
Until yesterday everything worked (could be caused by the install of the samb
server, but no hints in what way it could be the culprit)
tcpdump shows no incoming or failed transfers for ping or ssh attempts from other
units in the local network.
The error from outside is a "connection time out"
The router does not receive the hostname (I suspect this being essential since the
showed up before)
What I'd like to know:
Where can I search further, what log files should I go through?
Thanks a lot!
bene
Edit:
While browsing there are interesting entries in tcpdump:
ARP, Request who-has 192.168.178.34 tell fritz.box, length 46
Last edited by bene (2012-07-10 21:15:41)

Figured it out by myself, there were invalid ARP entries, due to an old firmware on the second access point.

%SW_DAI-4-DHCP_SNOOPING_DENY after dhcp server migration

Hello,
Some weeks ago, we migrated our DHCP server (from windows 2003 to windows 2012 with the new failover features in active/passive mode).
On our switches ; we have both arp inspection & dhcp snooping enabled. Since the migration, arp inspection is not working correctly : as soon as i activate the arp inspection on our client vlan (96) ; we get errors like : "Sep 1 11:50:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/29, vlan 96.([d4c9.efdf.710e/10.0.96.89/0000.0c07.ac60/10.0.127.254/11:50:39 GMT+1 Mon Sep 1 2014])
Sep 1 11:50:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Fa0/7, vlan 96.([d485.64b4.0068/10.0.97.214/0000.0000.0000/10.0.127.254/11:50:40 GMT+1 Mon Sep 1 2014])
If i have a look on the dhcp snooping binding table on the same switch :
NUKUH052#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
18:A9:05:F5:28:2B 10.0.97.101 418236 dhcp-snooping 96 FastEthernet0/40
6C:3B:E5:0D:B3:B2 10.0.96.184 2936 dhcp-snooping 96 FastEthernet0/36
10:60:4B:7C:A3:14 10.0.97.17 678739 dhcp-snooping 96 FastEthernet0/42
00:1F:29:02:AA:6B 10.0.98.53 678938 dhcp-snooping 96 FastEthernet0/37
88:51:FB:80:1B:E1 10.0.97.252 680212 dhcp-snooping 96 FastEthernet0/3
64:31:50:A3:F8:52 10.0.96.96 341484 dhcp-snooping 96 FastEthernet0/20
64:31:50:A3:D7:5A 10.0.97.209 677205 dhcp-snooping 96 FastEthernet0/6
6C:3B:E5:1A:8D:05 10.0.96.255 677165 dhcp-snooping 96 FastEthernet0/8
00:1F:29:02:AA:EF 10.0.96.207 678365 dhcp-snooping 96 FastEthernet0/1
00:23:7D:2F:72:E7 10.0.98.152 680376 dhcp-snooping 96 FastEthernet0/16
Total number of bindings: 10
Strange, interface FastEthernet0/7 is not in the table !!! and that s the same case for a lot of computers. (of course it s dhcp and not static ip address).
Extract of the switch configuration :
Standard port configuration
interface FastEthernet0/7
switchport access vlan 96
switchport mode access
switchport nonegotiate
switchport voice vlan 192
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
ip arp inspection limit rate 256 burst interval 10
no logging event link-status
mls qos trust dscp
no snmp trap link-status
storm-control broadcast level bps 1m
storm-control multicast level bps 1m
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
General switch settings
ip dhcp snooping vlan 96
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option
ip dhcp snooping
>> ip arp inspection vlan 96 : as soon as i had this command i have the error messages.
I already :
* tested several software version
* only enabled a single dhcp server in the helper address
But i don't find the issue... the problem came when we started up the 2 new dhcp server (with the new 2012 dhcp failover feature). We have the same issue on all the switches of this LAN (the same config is running fine on the other factory we own).
Can you help me to solve that issue ?

Hi,
I just attached the file containing the filtered caps ; taken simultaneously on both dhcp servers. As we are using HSRP ; it looks like the dhcp messages are not doubled, but quadruplet.
Below the HSRP configuration on one of our both core switches :
interface Vlan96
ip address 10.0.127.252 255.255.224.0
ip helper-address 10.0.9.33
ip helper-address 10.0.9.32
no ip redirects
standby 96 ip 10.0.127.254
standby 96 timers 1 4
standby 96 priority 80
standby 96 preempt
arp timeout 720
And i also discovered that there are some microsoft bugs related to dhcp failover. Links here :
http://blogs.technet.com/b/teamdhcp/archive/2014/02/26/dhcp-failover-patch-to-address-a-reservation-issue-and-another-issue-related-to-failover-partner-not-accepting-state-transition-from-bad-address-gt-active-has-been-released.aspx
and
http://support.microsoft.com/kb/2831920
And the active dhcp windows server has not been updated since january 2013.... (so the update are not applied). I ll discuss with my colleague in charge of server to update it asap...

I am losing connection to internet...

I recently reset my DSL router and now when I open explorer I can not connect until I do a repair. I get a "local" connection only. I can browse to other pc's that are shared but can not get out to internet until I do a repair. After repair, I can surf for a while, but when I come back later or the next day, it is the same thing. I am seeing an error 12007 in diagnostics. It looks like this:
HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
info
HTTP: Successfully connected to www.microsoft.com.
info
HTTPS: Successfully connected to www.microsoft.com.
info
FTP (Passive): Successfully connected to ftp.microsoft.com.
DNS Client Diagnostic
DNS - Not a home user scenario
info
Using Web Proxy: no
info
Resolving name ok for (www.microsoft.com): yes
No DNS servers
DNS failure
Gateway Diagnostic
Gateway
info
The following proxy configuration is being used by IE: Automatically Detect Settingsisabled Automatic Configuration Script: Proxy Server: Proxy Bypass list:
info
This computer has the following default gateway entry(ies): 10.0.0.1
info
This computer has the following IP address(es): 10.0.0.2
info
The default gateway is in the same subnet as this computer
info
The default gateway entry is a valid unicast address
info
The default gateway address was resolved via ARP in 1 try(ies)
info
The default gateway was reached via ICMP Ping in 1 try(ies)
warn
Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue
action
Automated repair: Renew IP address
action
Releasing the current IP address...
action
Successfully released the current IP address
action
Renewing the IP address...
action
Successfully renewed the current IP address
info
This computer has the following default gateway entry(ies): 10.0.0.1
info
This computer has the following IP address(es): 10.0.0.2
info
The default gateway is in the same subnet as this computer
info
The default gateway entry is a valid unicast address
info
The default gateway address was resolved via ARP in 1 try(ies)
info
The default gateway was reached via ICMP Ping in 1 try(ies)
info
TCP port 80 on host 65.55.12.249 was successfully reached
info
The Internet host www.microsoft.com was successfully reached
info
The default gateway is OK
IP Layer Diagnostic
Corrupted IP routing table
info
The default route is valid
info
The loopback route is valid
info
The local host route is valid
info
The local subnet route is valid
Invalid ARP cache entries
action
The ARP cache has been flushed
IP Configuration Diagnostic
Invalid IP address
info
Valid IP address detected: 10.0.0.2
Wireless Diagnostic
Wireless - Service disabled
Wireless - User SSID
Wireless - First time setup
Wireless - Radio off
Wireless - Out of range
Wireless - Hardware issue
Wireless - Novice user
Wireless - Ad-hoc network
Wireless - Less preferred
Wireless - 802.1x enabled
Wireless - Configuration mismatch
Wireless - Low SNR
WinSock Diagnostic
WinSock status
info
All base service provider entries are present in the Winsock catalog.
info
The Winsock Service provider chains are valid.
info
Provider entry MSAFD Tcpip [TCP/IP] passed the loopback communication test.
info
Provider entry MSAFD Tcpip [UDP/IP] passed the loopback communication test.
info
Provider entry RSVP UDP Service Provider passed the loopback communication test.
info
Provider entry RSVP TCP Service Provider passed the loopback communication test.
info
Connectivity is valid for all Winsock service providers.
Network Adapter Diagnostic
Network location detection
info
Using home Internet connection
Network adapter identification
info
Network connection: Area Connection, Device=Broadcom 440x 10/100 Integrated Controller, MediaType=LAN, SubMediaType=LAN
info
Ethernet connection selected
Network adapter status
info
Network connection status: Connected
HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
warn
HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn
HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn
FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn
HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn
HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
warn
FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
error
Could not make an HTTP connection.
error
Could not make an HTTPS connection.
error
Could not make an FTP connection.
Does anyone know where I went wrong? Any help would be GREATLY appreciated.

#1 What is the brand and model of your modem?
#2 What is the brand and model of your router?
#3 What software firewall is on your computer?
If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

Creating arp entry within stream module

HI all.
I'm tying to create an arp entry from within a stream modules stacked between eri and ip. My module is loaded on two interface (eri0 and eri1) and is use as a mangler for packet flowing through it. It take a packet on one interface do some processing on it if neccessary and put it on the other. My two interface are set in promiscious mode using dlpi promisc on message. This way the server become transparent to the network if placed in the critical path. My problem is the server must have only one ip address configured.
Ex:
Here there my two stream.
(1)
arp
ip -- 192.168.0.10
me
eri0
(2)
arp
ip -- 1.1.1.1
me
eri1
I got some host on the network on both side of my server which is in the critical path between the two segment of the same network. ( hope i'm clear). host on segment can talk to other on the other side perfectly. host on the side of the interface with the valid ip address can communicate with service running on the server but the one on the side with the dummy ip can't. This is because there is no arp entry in the table for this ip with the valid interface (eri0). If i add one myself it work fine. I must mention that there is an entry in the arp table for the host ip with the invalid interface and that i respond myself to the arp request comming from the side of the invalid interface. When a connection is tried to the eri1side i see arp request from my server on the read queue of my module comming from eri0 because of promiscious mode data feedback. I send this request on the other queue and when i get the reply I tried to sending M_PROTO DL_UNITDATA_IND on the queue of the valide interface. Whitout success as you could see.
I read on other post. That's was because of the fastpath routing. I actually see ioctl message comming downstream when i load my module ont both interface. I tried founding info about these but couldn't. Could i just respond to this ioctl with IOCNACK with the same data to disable? Is this a request to enable fast routing? (the first two byte are 0x4050 if i remember)
If you know what i'm trying to do is impossible please tell me.
Thank's.
Seb.

It is possible. I effectivly have to disable fast path for it to work. to disable you have to intercept M_IOCTL msg and qreply with M_IOCNAK - EINVAL if it's a DL_IOC_HDR_INFO ioc_cmd. This ioctl isn't the 0x4050???? one but is 0x0000440a.

Error ORA-20512: Invalid action CREATE on this object. (UD)???

Actually, I have two questions:
1.
I can't figure out why I have this error. I have a simple interactive report with form. On this form are 3 fields (a hidden ID field, a message_code field and a message_text field). I have a custom stored procedure to insert a message in the message table. I made a PL/SQL block for this in the page processes and made it conditional when the create button is pressed (process is the first page process). I unchecked the "insert" from Allowed Options in the ARP(DML) process, since I like to use it for the update and delete actions. The stored procedure is actually called, because when I input invalid data (exisiting error code, for example) the custom raise_application_error from the stored procedure is shown in Apex, as it should be.
What could be the problem here?
2.
Actually, what is the function of the "Allowed Operations" option in a DML process? What actually changes when checking or unchecking operations there? If I uncheck the "delete option", I would expect the delete button to dissapear, or at least the delete option would not work anymore, but this is not the case. Even when I uncheck "delete", I can still us the delete button and it still deletes the record. What use is this option then?

Those checkboxes tell you what the permitted operation are for the Data Manipulation Process against that table.
When you create a dml process using the wizard, if by default created the buttons for you. After it has been created, if you remove them, the button will not dissappear. As do they not appear if you didnt select a permitted operation in the wizard and later want to add the operation, so you will have to delete the buttons yourself (or create).
If you for example uncheck 'Delete' as a valid operation, despite the buttons remaining on the page, clicking on the button will not do anything, because you have not permitted that operation.
If you look in the the DML process, you will see:
Valid Update Request Values:     SAVE, APPLY CHANGES, UPDATE, UPDATE ROW, CHANGE, APPLY, APPLY%CHANGES%, GET_NEXT%, GET_PREV%
Valid Insert Request Values:     INSERT, CREATE, CREATE_AGAIN, CREATEAGAIN
Valid Delete Request Values:     DELETE, REMOVE, DELETE ROW, DROPSo, if you didn't un-check 'Delete' from permitted operation, but did delete the page button, I could just go into the address bar and type and of the follwing: javascript:apex.submit('DELETE'); javascript:apex.submit('REMOVE'); javascript:apex.submit('DELETE ROW'); javascript:apex.submit('DROP'); and that current row that I am looking at would be deleted. So it is important, if you don't want users to be able to remove rows, that uncheck that permitted operation as someone with a clue could just do what I have said.
Of course, you could also add conditions to the process that request is contained in: SAVE,CREATE ; and it wouldnt matter if I did do what I suggested above, the condition of the process would not be met, so it would run the delete operation anyway.
Ta,
Trent
Edited by: trent on Dec 10, 2010 4:31 PM

Form error Invalid numeric value 06-Jun-13 for column FECHA_CAPTURA

hi,
i have an APEX form that updates a table. The form items were created autmatically from the table fields. The 3rd field is a date field and therefore the corresponding date field on the form has a calender icon on its right side. i choose a date from this calender and when i hit the update button i receive this message:
Invalid numeric value 06-Jun-13 for column FECHA_CAPTURA
any ideas?

Hi,
Could we get you to change 1010319 to a meaningful handle -- I'm Howard.
In order to give helpful answers, we usually need more information including as much relevant information as possible upfront. This should include:
Full APEX version
Full DB/version/edition/host OS
Web server architecture (EPG, OHS or APEX listener/host OS)
Browser(s) and version(s) used
Theme used
Template(s) used / modified -- (Revelant/important for some problems.)
Region/item type(s)
and more detail about what you want to do.
Are you using ARP (Automatic Row Processing)?
Do you do any validations?
Could you make a trival 1-page application on apex.oracle.com duplicating the problem there?
Howard

ARP Cache Poison behavior by Apple TV

Norton Anti-Virus reports blocking an ARP Cache Poison attack against my home network. The reported source of the attack is the MAC number of the Apple TV on the network.
Whether Norton is "reliable" is apparently contentious in the support community. Several authors suggest, with authority, disabling Norton or the particular attack profile.
Whether that makes sense depends on what the Apple TV is innocently doing to be profiled as a network attack.
Even when supposedly "asleep" the Apple TV is doing something that meets the profile of an ARP Cache Poison attack. It did it every 30 minutes today, nine times yesterday, about 30 times day before and etc.
And if it is a design feature of the device, why is the device still performing despite having the activity continously blocked? What is the purpose of this attack-like activity, assuming it is not an attack? If it is an attack, how does one erase the programming initiating the attacks and still have an Apple TV?

Short answer: it is a false positive. I don't know exactly what causes it but I would guess Apple's Bonjour protocol, which is why you see something every 30 minutes. That's just a blind guess, but seems to fit.
Realize that a report of ARP poisoning wouldn't be likely on a private LAN, unless you got infected somehow. No known malware like this for iOS devices (and much harder to insert one on AppleTV versus an iPhone or iPad.) There are legitimate cases where ARP spoofing is used. And even Cisco has instances where they say to ignore that warning:
CSCsm25943—The meaning of the following error message on the controller is not clear. This message does not necessarily imply that any actual "ARP poisoning" is occurring. Rather, this message appears when a WLAN is configured for DHCP Required and a client (after associating to this WLAN) transmits an ARP message without first using DHCP. The client is unable to send or receive any data traffic until it performs DHCP through the controller.
DTL-1-ARP_POISON_DETECTED: STA [00:01:02:0e:54:c4, 0.0.0.0] ARP (op 1) received with
invalid SPA 192.168.1.152/TPA 192.168.0.206
Workaround: Perform the following steps:
• Verify that the client eventually does perform DHCP without undergoing an unacceptable outage. If the outage before performing DHCP is acceptable, then you can ignore this message.
I'm not saying that Norton's message is the same as Cisco's. Just that Cisco states that the meaning of why the message appears is not clear and sometimes is acceptable. And Cisco is the world leader in networking technology so if they don't always know why you get an ARP poisoning warning....
I won't go into the politics of "Norton bad" or whatever, but based on my experience (bias) with Norton in it's various forms for over 10 years, IMHO you can ignore this. Hopefully you can configure Norton to selectively ignore this. If not, you may have to use a different security program. Me personally, I do not recommend any "security suites" because they cause exactly this kind of additional headache. Just a "plain" antivirus program. Windows has a built-in firewall and most people will be using a hardware firewall at the office or home so the firewall in the "security suite" is extraneous.

Arp inspection not working on ASA

Folks,
I configured a transparent firewall on ASA. I have arp inspection enabled, with dynamic mac learning and dynamic arp. I am able to ping through the transparent firewall using 2 routers with the same mac-address. The firewall shows me that it is learning both the mac-addresses and also forwarding packets, can someone help me understand why this is happening?

For some reason it will not take the shun command...I've tried every combanation I could think of but it will always fail.. I'm guessing there is a bug or that its just not allowed in transparent mode..
You have to use the vlan before the number or it says invalid host.. when I do specify the vlan 2 it take it and then comes back with "Invalid vlan (2) shun failed

Invalid ARP

Similar Messages

Maybe you are looking for