4 Replies Latest reply on May 3, 2016 1:22 PM by foonly

    IPAM - Scope 100% used with all Zero MACs

    maniman

      Hi,

      I am facing a weird problem. IPAM is reporting a few subnets as 100% used, and in the MAC address field it shows 00-00-00-00-00-00 for all IPs,See attached image below:??  Neighbor scanning is enabled for these subnets.

      The device is an Extreme Networks BlackDiamon 6800 series switch. Any clue why is it happening.

       

      TIA!

       

       

      ~Mani

      IPAM 4.0

        • Re: IPAM - Scope 100% used with all Zero MACs
          sathya4046

          Hi Mani,

           

          All these MACs should be from neighbor scanning, where the neighbor device has 'incomplete' arp entries.

           

          You can follow the below steps to resolve it.

           

          1. Stop all Orion Services

           

          2. Edit the Jobs configuration file is usually in

          "c:\Program Files\SolarWinds\Orion\IPAM\SolarWinds.IPAM.Jobs.dll.config"

          Find there a section like:

           

          <add key="NeigborScanJob.SkipEmptyMAC" value="False"/>

          To

          <add key="NeigborScanJob.SkipEmptyMAC" value="True"/>

           

          5. Start all Orion Services

          6. trigger the subnet scan.

           

          Thanks,

          Sathya.T

          1 of 1 people found this helpful
            • Re: IPAM - Scope 100% used with all Zero MACs
              foonly

              This did not work for us.

               

              When I look at the history of many of the IP's, I often never see a real IP and MAC. I only see the 00-00-00-00-00-00, and the status is set to Used, and the Source for Update is Subnet Neighbor Scan or Neighbor Scan.

               

              Elsewhere in Thwack, people have said that this results from an ARP timeout. ARP timeout certainly does not mean that the IP was ever valid - it only means that something tried to reach the IP, and the ARP timed out. There are many management apps, such as Nessus, that do scans and result in ARP timeouts.

               

              If these 00-00-00-00-00-00 entries are indeed the result of ARP timeouts, I think would be a mistake in the IPAM design. So maybe they are caused by something else. The algorithms for DHCP, ICMP, and Neighbor scanning need to be documented.

               

              The manual also says:

               

              "IPAM utilizes a feature called Neighbor Scanning as an additional method of retrieving information. Neighbor Scanning pulls information from the ARP table of neighboring devices when ICMP and SNMP is blocked or disabled."

               

              We do indeed have ICMP enabled with default settings (2 pings per address, 200msec between pings, and timeout of 2.5 seconds), and manual ping works from Orion to known IPs on the subnet. We are scanning through multiple firewalls that allow all types of ICMP to and from management nets, but no NATs. The routers are dual Nexus connected by vPC. Other Solarwinds scan tools from the Engineer's Toolset work ok.

               

              So I have set the Transient Duration as low as possible to 0.25 days to see if that clears the Transient status over the weekend.