
Strange ARP traffic from Orion Server

Our Core 6509 has been seeing a lot of high CPU. We turned on terminal monitor and saw all kinds of ARP requests for public IP addresses coming from the Orion server (10.62.5.252 in the lines below). Any ideas? Our network is all RFC 1918.

 

Also, the unrouted VLAN that the Orion server resides on has had a 1000% increase in discards, to several hundred million per day. Could these two items be related?

 

 

Apr 28 01:09:39 CST: IP ARP: sent req src 10.62.5.2 0017.0f5b.9800,
                 dst 10.62.5.209 0000.0000.0000 Vlan5
Apr 28 01:09:39 CST: IP ARP: rcvd req src 10.62.5.21 0014.5e3e.9318, dst 10.62.5.20 Vlan5
Apr 28 01:09:39 CST: IP ARP: sent req src 10.62.5.2 0017.0f5b.9800,
                 dst 10.62.5.77 0000.0000.0000 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent req src 10.62.5.2 0017.0f5b.9800,
                 dst 10.62.5.209 0000.0000.0000 Vlan5
Apr 28 01:09:41 CST: ARP HA: process message ARP_HA_EV_A_SYNC_TIMER(6) at state ARP_HA_ST_A_UP_SYNC(3) (ptr = 0, value = 0)
Apr 28 01:09:41 CST: ARP HA: syncing 6 entries to standby
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f54, dst 10.61.33.69 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 10.61.33.69 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f54 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 60.50.49.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 60.50.49.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 60.14.153.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 60.14.153.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 78.134.25.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 78.134.25.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 59.175.169.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 59.175.169.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 123.23.173.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 123.23.173.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 59.93.82.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 59.93.82.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 59.92.158.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 59.92.158.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 59.92.150.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 59.92.150.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 80.148.27.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 80.148.27.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 59.51.229.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 59.51.229.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 58.245.219.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 58.245.219.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
  • Do you happen to have any static route (including the default) on your 6509 configured with a next-hop of a VLAN or ethernet interface?  If you have any static routes configured with the next hop of a VLAN interface or an ethernet interface (FastEthernet1/4, GigabitEthernet1/1, etc.), then you should remove it and configure the next-hop to be an IP address.  Configuring next-hop to be a broadcast media interface will cause the router to ARP for every destination, as it believes it to be local:

    www.cisco.com/.../technologies_tech_note09186a00800ef7b2.shtml

  • To bleearg13s' point, the router actually replying to the ARP requests is configured for proxy-arp - try turning that off (although you might lose some networking)!

    It's odd that the Orion server itself is sending these requests, however.  I'd check to see if it actually has a default gateway assigned.
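
One way to quantify what the replies above describe, as an added example that is not part of the original thread: parse the debug output, count ARP requests per host for targets outside the local subnet (and how many of those are non-RFC 1918), and list the off-subnet addresses the router answered for, which is the proxy-ARP behaviour. The /24 mask for Vlan5 and the function name `analyze` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Excerpt of the debug output posted above.
SAMPLE = """\
Apr 28 01:09:39 CST: IP ARP: rcvd req src 10.62.5.21 0014.5e3e.9318, dst 10.62.5.20 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f54, dst 10.61.33.69 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 10.61.33.69 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f54 Vlan5
Apr 28 01:09:41 CST: IP ARP: rcvd req src 10.62.5.252 0014.5e36.9f55, dst 60.50.49.0 Vlan5
Apr 28 01:09:41 CST: IP ARP: sent rep src 60.50.49.0 0000.0c07.ac00,
                 dst 10.62.5.252 0014.5e36.9f55 Vlan5
"""

# Assumption: Vlan5 is 10.62.5.0/24 (the thread does not state the mask).
LOCAL_NET = ipaddress.ip_network("10.62.5.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# \s+ after the comma also matches the line break in wrapped "sent" entries.
ARP_RE = re.compile(r"IP ARP: (rcvd|sent) (req|rep) src (\S+) (\S+),\s+dst (\S+)")


def analyze(text, local_net=LOCAL_NET):
    """Return (off_subnet, public, proxy_replies) for one capture."""
    off_subnet = Counter()   # requester IP -> requests for off-subnet targets
    public = Counter()       # requester IP -> requests for non-RFC 1918 targets
    proxy_replies = []       # (answered IP, MAC) the router replied on behalf of
    for direction, kind, src_ip, src_mac, dst_ip in ARP_RE.findall(text):
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        if (direction, kind) == ("rcvd", "req") and dst not in local_net:
            # A host ARPing for an off-subnet address treats it as on-link.
            off_subnet[src_ip] += 1
            if not any(dst in n for n in RFC1918):
                public[src_ip] += 1
        elif (direction, kind) == ("sent", "rep") and src not in local_net:
            # The router answered for an address that is not on this VLAN.
            proxy_replies.append((src_ip, src_mac))
    return off_subnet, public, proxy_replies


if __name__ == "__main__":
    off_subnet, public, proxy_replies = analyze(SAMPLE)
    for host, n in off_subnet.most_common():
        print(f"{host}: {n} off-subnet ARP requests, {public[host]} public")
    for ip, mac in proxy_replies:
        print(f"router answered for {ip} with {mac}")
```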