How Can I Handle an ARP Learning Failure Caused by ARP Miss Messages?
Because of a small rate limit for ARP Miss messages, the device discards normal ARP Miss messages and cannot send ARP Request packets to destination networks according to the ARP Miss messages.
Because of a small CPCAR value for ARP Miss packets, the device discards normal ARP Miss packets and cannot send ARP Request packets to destination networks.
As the attacker sends lots of network segment scanning packets to the device, the device triggers a large number of ARP Miss messages, consuming considerable CPU resources. As a result, the device cannot process normal ARP Miss messages.
Perform the following steps to rectify the fault. Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, record your actions and provide the record to technical support personnel.
Run the display arp all command in the user view to check ARP entries.
If the MAC address field in an ARP entry displays Incomplete, the device has failed to learn this ARP entry. You can obtain IP address and interface information from the entry.
Obtain packet headers on the interface connecting the device to the user, and analyze the source IP addresses of packets.
- Run the display cpu-defend statistics packet-type arp-miss
all command in the user view to check whether the Drop value of ARP Miss packets increases.
If the count of dropped ARP Miss packets is 0, the device has failed to learn ARP entries because of a small rate limit for ARP Miss messages.
Go to step 5 to increase the rate limit for ARP Miss messages based on site requirements.
If the count of dropped ARP Miss packets is not 0, the rate of ARP Miss packets exceeds the CPCAR rate limit and excess ARP Miss packets are discarded. Check whether the CPCAR value for ARP Miss packets is set properly.
If no, go to step 4 to increase the CPCAR value of ARP Miss packets.
If yes, this problem occurs because the attacker is sending lots of network segment scanning packets to the device. The device then triggers a large number of ARP Miss messages, consuming considerable CPU resources and affecting normal message processing.
Locate the attacker based on the source address. Check whether the user hosts are infected by viruses and remove the viruses, or add the source address of attack packets to the blacklist or configure a blackhole MAC address entry to discard the packets sent by the attacker.
Run the car command in the attack defense policy view to increase the CPCAR value for ARP Miss packets.
Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.
The attack defense policy can take effect only after it is applied.
If the fault persists or the fault is rectified but CPU usage is still high, go to step 5 to decrease the rate limit of ARP Miss messages.
Run the display arp anti-attack configuration [ arpmiss-speed-limit | arpmiss-rate-limit ] command in the user view to check configuration of ARP Miss rate suppression.
- Run the arp-miss speed-limit source-ip [ ip-address ] maximum maximum command in the system view to configure the maximum rate of ARP Miss messages sent from a specified source IP address.
Run the arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ] command in the system view, VLAN view, or interface view to configure the rate limiting duration and rate limit value for ARP Miss messages.
In versions earlier than V200R003C00, the packet and interval parameters are not supported on the device and do not need to be configured.
If the fault persists, collect the following information and contact technical support personnel:
- Result of the preceding procedure
- Configuration file, logs, and alarms of the device