Product bug: unknown unicast traffic storms from thunderbolt displays

Hi All -
Periodically, a random Thunderbolt display will launch a wire rate unknown unicast traffic storm into our LAN and only stop when unplugged from the network. This typically leads to unicast flooding or at least massive trunk congestion (we now use Cisco's storm-control and block (unknown) unicast).
In any given event the transmitted frames are all the same and appear to be random data from memory. They make no sense as traffic: they have garbage MAC addresses and hence the "unknown unicast traffic storm".
We have very roughly 100 and about 1% malfunction this way once a week. We don't think it's the MBP behind the display because we switched to Thunderbolt ethernet adapters (directly on the MBPs) and have not seen an incident for over 7 weeks.
Here is a LogicMonitor record; the trailing edge of the event was when we unplugged the display.
Here's what a packet capture looks like from the outage:
Here is trace data from a different event.
The destination MAC address is an ASCII string that spells out "vertcp". Although Wireshark identifies the frame type as LLC in the first example, we believe this to be a coincidence; it's a random 436-byte piece of firmware memory. A safe conclusion is that both the LLC tag and the completely invalid ethertype in the first event are just random. Nothing in the captured frames makes sense because they aren't ethernet frames, they are random data passed to the driver due to a bug.
Thanks
Branden

We have experienced the same issue with increasing frequency as more Thunderbolt displays are introduced into our environment in the last year.  On a gigabit port, the display has no problem generating 800mbit/s or more of traffic (~500kpps) - which is then flooded to every port in the same VLAN (~400 user ports in our case).  For 100mbit/s users, this essentially floods them off the network.
Here is a detail I don't see mentioned above -- this happens even when a laptop/computer is not connected to the display.  The first case we had of this happening was with a display that had no thunderbolt parent device attached.  Shutting down the switchport and no-shutting it (bouncing the link on the display) resolves this until the next time it happens.
It looks like whatever crap resides in various buffers is used to construct the resulting Ethernet frames.  I did not perform a packet capture this time, but the last time it happened the entire Ethernet header was null bytes with the body being mostly-null but the same random-looking noise in the rest of the frame.  The frame was interpreted by Wireshark and others as a type of Fiber Channel, but I think that was just the default case that matched many of the null characteristics.  The exact same frame was reflected in each packet sent (as opposed to each frame being different/randomized from the predecessor)
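
The triage described in the posts above can be automated over a capture. This is an added example, not code from the original posters: it checks whether one frame dominates the capture, whether its destination is a unicast address missing from the switch's MAC table, whether the MAC decodes as ASCII, and how bytes 12-13 would be interpreted. The frame bytes, the `KNOWN` MAC set and the 0.9 threshold are constructed for illustration.

```python
import hashlib
from collections import Counter

def classify_dst(mac: bytes) -> str:
    """Classify a destination MAC by the I/G bit (LSB of the first octet)."""
    if mac == b"\xff" * 6:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"

def ascii_view(mac: bytes):
    """Return the six bytes as text if all are printable ASCII, else None."""
    return mac.decode("ascii") if all(0x20 <= b <= 0x7E for b in mac) else None

def type_field(value: int) -> str:
    """Interpret bytes 12-13: <=1500 is an 802.3 length, >=0x0600 an EtherType."""
    if value <= 1500:
        return "802.3 length"
    return "ethertype" if value >= 0x0600 else "undefined"

def triage(frames, known_macs, repeat_threshold=0.9):
    """Summarise a capture and flag a repeated-frame unknown-unicast storm."""
    digests = Counter(hashlib.sha256(f).digest() for f in frames)
    top_digest, top_count = digests.most_common(1)[0]
    sample = next(f for f in frames if hashlib.sha256(f).digest() == top_digest)
    dst = sample[0:6]
    kind = classify_dst(dst)
    repeat_ratio = top_count / len(frames)
    return {
        "frames": len(frames),
        "repeat_ratio": round(repeat_ratio, 3),
        "frame_len": len(sample),
        "dst": dst.hex(":"),
        "dst_kind": kind,
        "dst_ascii": ascii_view(dst),
        "type_field": type_field(int.from_bytes(sample[12:14], "big")),
        # Storm signature from the thread: one identical frame repeated,
        # addressed to a unicast MAC the switch has never learned.
        "storm": (repeat_ratio >= repeat_threshold
                  and kind == "unicast"
                  and dst not in known_macs),
    }

# --- Constructed sample data (not taken from the original capture) ---
# MACs the switch has learned on the VLAN (hypothetical export of its MAC table).
KNOWN = {bytes.fromhex("001122334455"), bytes.fromhex("0011223344aa")}

# A 436-byte garbage frame whose first six bytes spell "vertcp"; the source
# MAC, the type/length value of 100 and the payload are made up.
GARBAGE = (b"vertcp" + bytes.fromhex("a7c31f009b42") + (100).to_bytes(2, "big")
           + bytes((i * 37) % 256 for i in range(422)))

# An ordinary IPv4 frame between two known hosts.
NORMAL = (bytes.fromhex("001122334455") + bytes.fromhex("0011223344aa")
          + (0x0800).to_bytes(2, "big") + bytes(46))

CAPTURE = [GARBAGE] * 980 + [NORMAL] * 20

if __name__ == "__main__":
    for key, value in triage(CAPTURE, KNOWN).items():
        print(f"{key:>12}: {value}")
```

A type/length value of 1500 or less is read as an 802.3 length, which is why a dissector falls through to LLC on such a frame. An all-zero destination also classifies as unicast, so a null-header storm is flooded the same way.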

Similar Messages

  • Brand new 15" MacBook Pro Retina - unplugged from Thunderbolt Display and Keyboards today find keyboard alpha-numerics not working; except the function keys, delete key, tab key, command/ctrl/shift/alt/fn and arrow keys; and 7/8/9/u/o/j/l nudge cursor

    Brand new 15" MacBook Pro Retina - unplugged from Thunderbolt Display and Keyboards today find keyboard alpha-numerics not working; except the function keys, delete key, tab key, command/ctrl/shift/alt/fn and arrow keys; and 7/8/9/u/o/j/l produce cursor nudges.

    It's a new machine - and the Thunderbolt Display is meant to work with it. You need to just make an appointment at your local Apple Store and have them fix whatever is wrong.
    If you like, you could always try a SMC reset and a PRAM/NVRAM reset to see if either of those will get your keyboard back in working order...
    Clinton

  • Static from thunderbolt display speakers?

    There is a lot of static from thunderbolt display speakers - this monitor is brand new, so can't be worn out... Anything to fix it?

    I have a similar problem in that my TB display makes a hissing whenever there is some type of connection between the MBP and the display.  It can be so noisy that I have to disconnect the $900 display.  Apple doesn't seem to care that its customers have this problem as they've yet to provide a fix.  On one thread I saw they made someone pay $200 to fix the problem.

  • No sound from Thunderbolt Display after update to OS X 10.9.3

    So I updated to 10.9.3 this morning only to find there is no sound coming from my Thunderbolt Display after installation. Sound is now only audible from my MacBook Pro (late 2011). Also, see image below, there is no sign of any connected inputs other than my MBP now. I've shutdown and restarted a number of times, but still no audio from the display.
    Really starting to wonder why it's worth spending so much on Apple products now...

    I sent my TB Display in for repair. They had it almost a week and didn't find anything wrong with it. Instead they took in my MacBook Pro and replaced the logic board (2nd time it had been replaced) and the Display seems to be working fine now.
    ...except that for using 3rd party video conf apps, those apps only pick up the MBP camera (even though i try to change settings in app), not the TBD camera... but FaceTime and Skype find the TBD camera.
    Strange.
    Nickkett wrote:
    I Bought all Apple to be 100% compatible and "Just Work"...
    I completely agree with that sentiment. That's why we pay through the nose for their products, so it feels very bad when they don't just work.

  • Does exist a tool to discover where the unknown data traffic come from?

    I realized a lot of people experience unknown data exchange without reason, with all notifications off, with no localization, with no push mail, all accounts set on manual, and with no application running in the background. There are people with a very big amount of unknown traffic but also people with a small amount of traffic, like around 10kb every 5 minutes or maybe even less sometimes. Anyway, it is very strange. I started to have this problem since I upgraded to 4.2.1, and I still have it with no application installed, without loading a backup, just with the iPhone as you take it out of the box for the first time.
    Just a few kb are not a problem for me since I have a huge data plan, but this exchange of data is strange. I found all the 4.2.1 devices of my friends have this problem, whereas all the old firmware doesn't have this problem.
    I'm scared Apple with this last firmware may be able to get private information from iPhone users.
    I know there is an application called dataman, but it is not useful in my opinion for what we are looking for, because it tells you just the amount of data you used but not the details of the connections. It would be great if someone were able to find the recent log of connections to the internet with the details...
    I hope so!
    Thank you for your collaboration!
    Eddy

    It is impossible not to leave confidential information on the iPhone, since you send and receive email with the mail application, or you have all your contacts, or you would like, if possible, to access your bank account safely...
    I have to tell you, in my case Apple is for sure responsible for the unknown data usage, because I still have it with a complete restore, no backup and no apps installed apart from Apple's preinstalled ones, and, not less important, it generates this traffic with different operators...
    Just a few kb, but anyway it is strange. I realized most of the 4.2.1 devices had this problem...

  • Missing sound + missing USB power (sometimes) from Thunderbolt Display when waking from sleep

    Hi
    Two problems - one of which is driving me crazy!!
    Have the latest updates, and the display is connected to a MBA (mid 2011).
    The two are almost always connected, and every time I wake the MBA from sleep, the Thunderbolt Display does not "support usb sound" - the sound options are only MBA and headphones. Only a restart will give me the option to use Thunderbolt as sound output: WHAT TO DO!?!?!!
    Sometimes when waking from sleep the USB in the Display seems to be "off" - it will not charge my devices (iPhone, iPad etc.). Only reboot seems to fix this... I have seen this in other discussions but not found a permanent solution - any thoughts?

    Same here but reinstalling OSX is a bit drastic. I solved the problem by deleting a preference.
    Go to Macintosh HD then System then Library then Preference panes then Sound.prefPane
    Delete Sound.prefPane (you need to type your password).
    Logout or restart.
    This has happened twice this week so WHY is this suddenly occurring?
    Hi,
    I found this solution in the forum, but I can't find it again. I had cut and pasted it into a text file, because it solved my problem. I just don't want to take any credit for it. It did work for me. I had no problems for 3-4 weeks with the monitor, I have had the sound problem since last Friday. Very frustrating.
    BSGINC

  • Thunderbolt Display Hum from USB ports

    A number of people on a number of threads have reported strange sounds (hum, hiss, crackle) coming from their Thunderbolt monitors. Some reflect electrical interference from other appliances. Some are the result of defects in the Thunderbolt firmware that has allegedly been fixed. A lot of the problems seem to be connected to the speakers. My problem has nothing to do with the speakers, but with a quite pronounced hum (nothing subtle -- you can hear it ten feet away) that arises unpredictably, and can be changed or even temporarily eliminated by changing the screen angle. To me it sounded like what in other contexts would be a "ground hum," and perhaps that's what it is, I don't know. What I do know is that, if you have this particular problem, you can solve it by removing all USB devices from the ports on the back of the monitor. These work as ports, but they do produce the hum, at least on mine, regardless of what you plug into them.
    There's really no excuse for this kind of thing, but let's face it, Apple products can sometimes be surprisingly shoddy.

    See:  Thunderbolt Display Firmware 1.2 broke the USB inside the display.
    No solution yet.  I have a call in w/ Apple Support later today.  I recommend you all start calling them.
    Symptoms are:  TBD connected, Mac goes to sleep or hibernate...when it wakes, USB (including Audio) is inoperative.  Unplug/plug TBD back into Mac, item restores.
    SMC and PRAM resets do not work permanently...restarting Mac (whether MacBook, Mac Mini or MB Air) doesn't work permanently.
    The audio card in the TB Display is a USB device.  If you look in your system report you'll see that it's connected.
    Here's another thing you can try...Start FaceTime...You'll notice your FaceTime camera doesn't work (in the display) either.  It's USB also.
    I would strike a guess that the USB driver got borked on the firmware update.

  • Thunderbolt Display "dead" after firmware upgrade to Version 1.2

    Hi,
    I just ran the Thunderbolt F/W update to 1.2 as offered by the AppStore Update. I have a 2014 MacPro with 2 Displays connected. In good faith I just confirmed to apply the update without much reading the fine print. The F/W update brought the system to a complete standstill. After 2 hours of waiting in the boot screen, I rebooted the system manually (5 secs power button). One of the Thunderbolt displays first just flickered, then decided to completely die. The System report says: unknown device in the Thunderbolt section. The 2nd display hasn't been updated during this procedure.
    How can the F/W of the 'dead' display be re-installed? I also tried to connect it to a MacBook pro. Same result. The display is entirely black.
    Any help or suggestion is much appreciated. Thanks!

    Put me on the list as well.
    I've had this TB display for two years and have had no issue with it. Clicked OK on the firmware prompt and now I have a $1000 paperweight/laptop charger.
    What I have tried:
    Reset SMC and NVRAM on my MBP.
    Unplugged the display from power and all peripherals and let it sit for ~24 hours before trying again.
    Downloaded the firmware installer from Thunderbolt Display Firmware Update v1.2. It tells me that no thunderbolt display is connected.
    So far nothing has produced a result.
    System report shows an unknown device on the TB port.
    A used logic board for the display is around USD$220 on ebay.
    I really wish I had not attempted to install the firmware now.

  • When I disconnect my MBP from my Thunderbolt display and reconnect, arrangement resets.

    I have a MBP Retina and a 27" Thunderbolt display. When I disconnect from the Thunderbolt display and then reconnect, my arrangement is reset and I have to set it again.  This has been happening for the last day.
    I am on OS X 10.10.1 Yosemite and I just updated the Thunderbolt firmware yesterday.

    Try:
    - Reset the iOS device. Nothing will be lost      
    Reset iOS device: Hold down the On/Off button and the Home button at the same time for at
    least ten seconds, until the Apple logo appears.
    - Unsync/delete all music and resync
    To delete all music go to Settings>General>Usage>Storage>Manage Storage>Music>Tap edit in upper right and then tap the minus sign by All Music
    - Reset all settings                            
    Go to Settings > General > Reset and tap Reset All Settings.
    All your preferences and settings are reset. Information (such as contacts and calendars) and media (such as songs and videos) aren’t affected.
    - Restore from backup. See:                                               
    iOS: Back up and restore your iOS device with iCloud or iTunes      
    - Restore to factory settings/new iOS device.                       
    However, there seems to be a bug in iOS 8 or iTunes 12.1.1 that cause this problem and I have not seen a solution

  • Unknown network traffic / router traffic monitoring

    So I got a new PC with windows 7 on it, and I installed this gadget that monitors network traffic, and it shows a lot of traffic that my local PC isn't showing, so I am thinking there is something running on the LAN that I can't see. I was looking to find a live, better program to monitor the actiontec router, for traffic. anyone know of anything that can maybe show me who is using all the bandwidth on my network?
    i have found software for Linksys, but nothing for the Actiontec.
    Thanks,
    Quasimodem
    Fios in Florida

    Keep in mind that when looking at Wireshark (sniffer) software there are different types of traffic:
    Unicast
    Broadcast
    Multicast
    Unicast is traffic between two devices.  You will see the traffic between the PC with wireshark and another device on your local network such as a printer, another PC or the Router.  You should not see traffic between another PC and the Internet for example.  Using a phone as an example some calls you and the conversation is between you and the person on the other end of the phone.  This is unicast traffic.  Using defaults of the actiontec, IP address seen will be 192.168.1.1 for the router and 192.168.1.2-99 for devices on your network.  If you have the TV service, 192.168.1.100-1xx is used for the cable boxes.
    Broadcast traffic is traffic sent to all devices.  Its not directed toward a particular PC but rather usually looking for information.  In a sniffer trace you will see broadcast traffic. Going back to the phone example, someone makes an announcement on an overhead intercom system that is broadcast traffic.  Broadcast traffic will be seen as 192.168.255.255
    Multicast traffic is traffic from one device for many devices.  Usually used in video feeds.   Using the phone system as an example someone wishes to tell a group of people something so instead of calling each person up and telling them each person who wants the information joins a conference bridge.  Anyone is allowed to listen but only those that wish to get the information receive it.  Generally how multicast works.  Multicast traffic will be seen as IP address 224.x.x.x or something of the sorts where the address will be 2xx.x.x.x.  
    I hope this makes sense.  Probably more information than you needed but at least it will help you understand what wireshark is telling you.

  • ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

    Hello!
    We have problems on the central firewall with restricting traffic coming from a remote office over IPsec. (The network scheme is attached)
    All branch offices are connected to the central ASA through IPsec.
    The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel
    According to the scheme:
    172.16.1.0/24 is one of the branch office LANs
    10.1.1.0/24 and 10.2.2.0/24 are central office LAN
    The crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8
    The aim is to
    restrict access from 172.16.1.0/24 to 10.1.1.0/24
    When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok -  they are dropped by acl2
    When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
    I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
    The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
    access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    class-map tcp_bypass_map
     description "TCP traffic that bypasses stateful firewall"
     match access-list tcp_bypass_acl
    policy-map tcp_bypass_policy
     class tcp_bypass_map
      set connection advanced-options tcp-state-bypass
    service-policy tcp_bypass_policy interface outside
    service-policy tcp_bypass_policy interface inside
    Does anyone know how to make TCP State Bypass work properly?

    I understand the pain of creating different crypto for different tunnels, but I have never come across a better solution. However, TCP state bypass is not going to help in regards to restricting access. TCP state bypass is a way for the FW to act like a router which does not do stateful inspection, and I don't think that fits in your scenario.
    You can still control access on center site by using vpn-filters.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
    Thanks
    Ajay

  • I recently bought a Macbook Air and a Thunderbolt Display and the laptop's power is supposed to come from the display, but the power cable on the display does not fit into the Macbook Air.

    I recently bought a 11" Macbook Air and a 27" Thunderbolt Display.The laptop's power is supposed to come from the display when connected, but the power cable on the display does not fit into the Macbook Air.

    If your MBair is a 2012 model, it has a Magsafe 2 power connection.  The monitor probably has the old magsafe connection.  If this is the case, you need this adapter.
    http://store.apple.com/us/product/MD504ZM/A?fnode=5a

  • Flooding of ip unicast traffic

    Hi there,
    I captured packets from the network from my workstation during 30 minutes without putting the port of the switch in monitor mode. So my guess was that I would only see broadcast messages and some unicast packets where the MAC address is not known to the switch.
    But I saw some other packets that I could not explain why I can see them. I saw for example a Syn, Ack package which in my opinion I shouldn't see since the MAC address should be known to the switch.
    I understand that if I see UDP messages that it could be possible that I can monitor the whole traffic if the destination host never sends a packet, since then the switch will never know where the machine is located and has to flood all the time. But for TCP? A Syn packet ok no problem, but I think that I shouldn't see Ack or Syn, Ack....or everything else.
    I hope i was clear describing my problem and to resume i have the impression that sometimes packets are flooded even if the switch knows the destination port.
    Is there any way how i can verify this?
    Thanks a lot.
    regards,
    ycae

    I have seen a configuration of ISA servers where the server deliberately causes all unicast traffic to the server to be flooded. It does this as part of an elaborate load-balancing technique. The way it tricks the switch into flooding all its unicast traffic is by using its NIC MAC address as the source of its outgoing frames, but giving the client a different MAC address in its ARP response. The client sends its frames to a MAC address that the switch has never seen as source, so it floods them.
    There are several other reasons why a switch might flood. Are you sure these are MAC unicasts? The first byte of the destination MAC address ... is it even or odd? If it is odd, then you have a multicast or broadcast destination.
    Does that help?
    Kevin Dorrell
    Luxembourg

  • Layer 2 Bridging - Unknown Unicast - ARP or Flood?

    Hi all,
    I'm trying to understand when a layer-2 bridge (switch) would flood an
    unknown unicast frame. My understanding is that whenever a device
    needs to send a unicast frame, it would use ARP before sending, in
    which case the switch would already have the MAC address of the
    destination due to its ARP reply. This seems that there would never
    be a scenario where the switch would flood a unicast frame out all
    ports. My book lists this as a valid scenario. Am I missing
    something, or is this only possible in situations where ARP isn't
    used? Thanks.

    Hi,
    as Rick said ARP cache timeout is 4 hours while L2 switch MAC address timeout is only 5 minutes by default.
    So it can happen there is the destination MAC missing in the switch forwarding table.
    See
    http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml
    and
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#broadcast
    BR,
    Milan
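
Two causes of unknown unicast flooding come up in the replies above: a switch MAC entry aging out while the sender's ARP cache is still valid, and a server that advertises one MAC in its ARP reply while sourcing frames from another. Both can be reproduced with a minimal learning-switch model. This is an added example, not code from either poster; the class, the MAC labels and the timestamps are hypothetical, and the 300-second aging time is the 5-minute default quoted above.

```python
BCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Minimal layer-2 learning bridge with MAC address aging."""

    def __init__(self, aging=300):
        self.aging = aging          # seconds; 5-minute default per the reply
        self.table = {}             # mac -> (port, last time seen as source)

    def receive(self, now, in_port, src, dst):
        """Learn the source MAC, then return the egress port or 'flood'."""
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry is None or now - entry[1] > self.aging:
            self.table.pop(dst, None)   # aged-out or never-learned entry
            return "flood"
        return entry[0]

def scenario_aging():
    """Host A keeps its ARP entry for B (hours); the switch forgets B (minutes)."""
    sw = LearningSwitch()
    sw.receive(0, 1, "A", BCAST)             # A's ARP request, flooded
    sw.receive(1, 2, "B", "A")               # B's ARP reply, switch learns B
    fresh = sw.receive(2, 1, "A", "B")       # forwarded out port 2 only
    # B stays silent for ten minutes. A's ARP cache is still valid, so A
    # sends straight to B's MAC without a new ARP exchange.
    stale = sw.receive(602, 1, "A", "B")
    return [fresh, stale]

def scenario_split_mac():
    """Server sources frames from NIC_MAC but its ARP reply advertises VIRT_MAC."""
    sw = LearningSwitch()
    sw.receive(0, 1, "CLIENT", BCAST)        # ARP request
    # The Ethernet source of the reply is NIC_MAC; the ARP payload (not
    # modelled here) tells the client to use VIRT_MAC.
    sw.receive(1, 2, "NIC_MAC", "CLIENT")
    results = []
    for t in (2, 3, 4):
        results.append(sw.receive(t, 1, "CLIENT", "VIRT_MAC"))
        sw.receive(t + 0.5, 2, "NIC_MAC", "CLIENT")  # replies never teach VIRT_MAC
    return results

if __name__ == "__main__":
    print("aging    :", scenario_aging())
    print("split MAC:", scenario_split_mac())
```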

  • Broadcast and unknown unicast packets

    Hi all,
    When the network looping occurs, what the most packets will be generated? Broadcast or unknown unicast packets?
    If I want to control the number of unknown unicast packets, which storm control should be configured? Broadcast or unicast storm control?
    Thanks a lot,
    Nitass

    A network loop occurs primarily due to broadcast packets or unicast packets that are sent out of multiple interfaces to the same destination device.
    for e.g if you had
    PC1
    |
    Switch 1
    | |
    Switch 2
    |
    PC2
    and you somehow assume that PC1 knew the exact mac address of pc2 and sent it a unicast frame, even then because STP is not running, it would cause a broadcast storm. This would be a unicast broadcast storm.
    Broadcast storm control will only control packets that are designated as broadcast i.e. all 1's. If you suspect the storm is being caused by unicast packets you may have to enable unicast control.
    HTH
    Please rate posts that help.
    Regards
    Arvind
