Re: [AFMUG] odd mt behavior
If the UBNT CPEs are M series (XM or XW), is WDS enabled on both the APs and CPEs? On Fri, Feb 10, 2017 at 12:28 PM -0700, "Cameron Crum" wrote: I have a customer who is having an odd issue on several MTs. His DHCP server is using radius to auth end users. The mac requests a lease, radius replies with accept and a Framed-IP, but the lease in the dchp server just says offered and never binds the lease. It is not with every customer, but it seems to happening randomly on several routers. version is 6.36. I had them look to see if was a particular end user router brand, or even the same type of cpe, but other than all cpe's being some flavor of ubnt set up in bridge mode, there doesn't seem to be a pattern. The dhcp server is set up on a bridge interface in the MT, add arp for leases, reply-only. I'm out of ideas on what would cause this. The ip is within the range of ips assigned to the interface. IP Pools is set to static only. Anyone seen this before?
Re: [AFMUG] odd mt behavior
yeah...tracked it to arp table full...something is flooding the arp list with every unused ip. On Fri, Feb 10, 2017 at 10:21 PM, Jesse Dupont < jesse.dup...@celeritycorp.net> wrote: > If the UBNT CPEs are M series (XM or XW), is WDS enabled on both the APs > and CPEs? > > > > > > On Fri, Feb 10, 2017 at 12:28 PM -0700, "Cameron Crum" > wrote: > > I have a customer who is having an odd issue on several MTs. His DHCP >> server is using radius to auth end users. The mac requests a lease, radius >> replies with accept and a Framed-IP, but the lease in the dchp server just >> says offered and never binds the lease. It is not with every customer, but >> it seems to happening randomly on several routers. version is 6.36. I had >> them look to see if was a particular end user router brand, or even the >> same type of cpe, but other than all cpe's being some flavor of ubnt set up >> in bridge mode, there doesn't seem to be a pattern. The dhcp server is set >> up on a bridge interface in the MT, add arp for leases, reply-only. I'm out >> of ideas on what would cause this. The ip is within the range of ips >> assigned to the interface. IP Pools is set to static only. Anyone seen this >> before? >> >
Re: [AFMUG] odd mt behavior
We have seen that behavior from misbehaving sonic wall (firewall) and some implementations of consumer firewalls (Watchguard, Sonicwall etc) will do this when the proxy arp is set to be on. Regards. Faisal Imtiaz Snappy Internet & Telecom 7266 SW 48 Street Miami, FL 33155 Tel: 305 663 5518 x 232 Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net > From: "Cameron Crum" > To: af@afmug.com > Sent: Sunday, February 12, 2017 1:01:51 PM > Subject: Re: [AFMUG] odd mt behavior > yeah...tracked it to arp table full...something is flooding the arp list with > every unused ip. > On Fri, Feb 10, 2017 at 10:21 PM, Jesse Dupont < > jesse.dup...@celeritycorp.net > > wrote: >> If the UBNT CPEs are M series (XM or XW), is WDS enabled on both the APs and >> CPEs? >> On Fri, Feb 10, 2017 at 12:28 PM -0700, "Cameron Crum" < cc...@wispmon.com > >> wrote: >>> I have a customer who is having an odd issue on several MTs. His DHCP >>> server is >>> using radius to auth end users. The mac requests a lease, radius replies >>> with >>> accept and a Framed-IP, but the lease in the dchp server just says offered >>> and >>> never binds the lease. It is not with every customer, but it seems to >>> happening >>> randomly on several routers. version is 6.36. I had them look to see if was >>> a >>> particular end user router brand, or even the same type of cpe, but other >>> than >>> all cpe's being some flavor of ubnt set up in bridge mode, there doesn't >>> seem >>> to be a pattern. The dhcp server is set up on a bridge interface in the MT, >>> add >>> arp for leases, reply-only. I'm out of ideas on what would cause this. The >>> ip >>> is within the range of ips assigned to the interface. IP Pools is set to >>> static >>> only. Anyone seen this before?
Re: [AFMUG] odd mt behavior
Agree with Faisal, proxyin arp turned on somewhere. Track the MAC address that is replying to all the ARP and you will find your culprit. -- Larry Smith lesm...@ecsis.net On Sun February 12 2017 16:25, Faisal Imtiaz wrote: > We have seen that behavior from misbehaving sonic wall (firewall) > and some implementations of consumer firewalls (Watchguard, Sonicwall etc) > will do this when the proxy arp is set to be on. > > Regards. > > Faisal Imtiaz > Snappy Internet & Telecom > 7266 SW 48 Street > Miami, FL 33155 > Tel: 305 663 5518 x 232 > > Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net > > > From: "Cameron Crum" > > To: af@afmug.com > > Sent: Sunday, February 12, 2017 1:01:51 PM > > Subject: Re: [AFMUG] odd mt behavior > > > > yeah...tracked it to arp table full...something is flooding the arp list > > with every unused ip. > > > > On Fri, Feb 10, 2017 at 10:21 PM, Jesse Dupont < > > jesse.dup...@celeritycorp.net > > > > > wrote: > >> If the UBNT CPEs are M series (XM or XW), is WDS enabled on both the APs > >> and CPEs? > >> > >> On Fri, Feb 10, 2017 at 12:28 PM -0700, "Cameron Crum" < > >> cc...@wispmon.com > > >> > >> wrote: > >>> I have a customer who is having an odd issue on several MTs. His DHCP > >>> server is using radius to auth end users. The mac requests a lease, > >>> radius replies with accept and a Framed-IP, but the lease in the dchp > >>> server just says offered and never binds the lease. It is not with > >>> every customer, but it seems to happening randomly on several routers. > >>> version is 6.36. I had them look to see if was a particular end user > >>> router brand, or even the same type of cpe, but other than all cpe's > >>> being some flavor of ubnt set up in bridge mode, there doesn't seem to > >>> be a pattern. The dhcp server is set up on a bridge interface in the > >>> MT, add arp for leases, reply-only. I'm out of ideas on what would > >>> cause this. The ip is within the range of ips assigned to the > >>> interface. IP Pools is set to static only. Anyone seen this before?
Re: [AFMUG] odd mt behavior
Mac is all zeros On Feb 12, 2017 5:24 PM, "Larry Smith" wrote: > Agree with Faisal, proxyin arp turned on somewhere. > Track the MAC address that is replying to all the ARP > and you will find your culprit. > > -- > Larry Smith > lesm...@ecsis.net > > On Sun February 12 2017 16:25, Faisal Imtiaz wrote: > > We have seen that behavior from misbehaving sonic wall (firewall) > > and some implementations of consumer firewalls (Watchguard, Sonicwall > etc) > > will do this when the proxy arp is set to be on. > > > > Regards. > > > > Faisal Imtiaz > > Snappy Internet & Telecom > > 7266 SW 48 Street > > Miami, FL 33155 > > Tel: 305 663 5518 x 232 > > > > Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net > > > > > From: "Cameron Crum" > > > To: af@afmug.com > > > Sent: Sunday, February 12, 2017 1:01:51 PM > > > Subject: Re: [AFMUG] odd mt behavior > > > > > > yeah...tracked it to arp table full...something is flooding the arp > list > > > with every unused ip. > > > > > > On Fri, Feb 10, 2017 at 10:21 PM, Jesse Dupont < > > > jesse.dup...@celeritycorp.net > > > > > > > wrote: > > >> If the UBNT CPEs are M series (XM or XW), is WDS enabled on both the > APs > > >> and CPEs? > > >> > > >> On Fri, Feb 10, 2017 at 12:28 PM -0700, "Cameron Crum" < > > >> cc...@wispmon.com > > > >> > > >> wrote: > > >>> I have a customer who is having an odd issue on several MTs. His DHCP > > >>> server is using radius to auth end users. The mac requests a lease, > > >>> radius replies with accept and a Framed-IP, but the lease in the dchp > > >>> server just says offered and never binds the lease. It is not with > > >>> every customer, but it seems to happening randomly on several > routers. > > >>> version is 6.36. I had them look to see if was a particular end user > > >>> router brand, or even the same type of cpe, but other than all cpe's > > >>> being some flavor of ubnt set up in bridge mode, there doesn't seem > to > > >>> be a pattern. The dhcp server is set up on a bridge interface in the > > >>> MT, add arp for leases, reply-only. I'm out of ideas on what would > > >>> cause this. The ip is within the range of ips assigned to the > > >>> interface. IP Pools is set to static only. Anyone seen this before? >
Re: [AFMUG] odd mt behavior
When MT makes an ARP request I think it temporarily populates the table with all zeroes while waiting for a response. Those don't hang around very long though. You might do a packet capture to see if there is actually a response with all zeroes or if someone is scanning every IP. but since Faisal mentioned firewalls: I have seen one IT consultant who would set the WAN MAC on his customers' firewalls to all zeroes. -- Original Message -- From: "Cameron Crum" To: af@afmug.com Sent: 2/12/2017 7:22:44 PM Subject: Re: [AFMUG] odd mt behavior Mac is all zeros On Feb 12, 2017 5:24 PM, "Larry Smith" wrote: Agree with Faisal, proxyin arp turned on somewhere. Track the MAC address that is replying to all the ARP and you will find your culprit. -- Larry Smith lesm...@ecsis.net On Sun February 12 2017 16:25, Faisal Imtiaz wrote: > We have seen that behavior from misbehaving sonic wall (firewall) > and some implementations of consumer firewalls (Watchguard, Sonicwall etc) > will do this when the proxy arp is set to be on. > > Regards. > > Faisal Imtiaz > Snappy Internet & Telecom > 7266 SW 48 Street > Miami, FL 33155 > Tel: 305 663 5518 x 232 > > Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net > > > From: "Cameron Crum" > > To: af@afmug.com > > Sent: Sunday, February 12, 2017 1:01:51 PM > > Subject: Re: [AFMUG] odd mt behavior > > > > yeah...tracked it to arp table full...something is flooding the arp list > > with every unused ip. > > > > On Fri, Feb 10, 2017 at 10:21 PM, Jesse Dupont < > > jesse.dup...@celeritycorp.net > > > > > wrote: > >> If the UBNT CPEs are M series (XM or XW), is WDS enabled on both the APs > >> and CPEs? > >> > >> On Fri, Feb 10, 2017 at 12:28 PM -0700, "Cameron Crum" < > >> cc...@wispmon.com > > >> > >> wrote: > >>> I have a customer who is having an odd issue on several MTs. His DHCP > >>> server is using radius to auth end users. The mac requests a lease, > >>> radius replies with accept and a Framed-IP, but the lease in the dchp > >>> server just says offered and never binds the lease. It is not with > >>> every customer, but it seems to happening randomly on several routers. > >>> version is 6.36. I had them look to see if was a particular end user > >>> router brand, or even the same type of cpe, but other than all cpe's > >>> being some flavor of ubnt set up in bridge mode, there doesn't seem to > >>> be a pattern. The dhcp server is set up on a bridge interface in the > >>> MT, add arp for leases, reply-only. I'm out of ideas on what would > >>> cause this. The ip is within the range of ips assigned to the > >>> interface. IP Pools is set to static only. Anyone seen this before?
Re: [AFMUG] odd mt behavior
Thanks. On Mon, Feb 13, 2017 at 7:04 AM, Adam Moffett wrote: > When MT makes an ARP request I think it temporarily populates the table > with all zeroes while waiting for a response. Those don't hang around very > long though. > > You might do a packet capture to see if there is actually a response with > all zeroes or if someone is scanning every IP. > > but since Faisal mentioned firewalls: I have seen one IT consultant > who would set the WAN MAC on his customers' firewalls to all zeroes. > > > -- Original Message -- > From: "Cameron Crum" > To: af@afmug.com > Sent: 2/12/2017 7:22:44 PM > Subject: Re: [AFMUG] odd mt behavior > > Mac is all zeros > > On Feb 12, 2017 5:24 PM, "Larry Smith" wrote: > >> Agree with Faisal, proxyin arp turned on somewhere. >> Track the MAC address that is replying to all the ARP >> and you will find your culprit. >> >> -- >> Larry Smith >> lesm...@ecsis.net >> >> On Sun February 12 2017 16:25, Faisal Imtiaz wrote: >> > We have seen that behavior from misbehaving sonic wall (firewall) >> > and some implementations of consumer firewalls (Watchguard, Sonicwall >> etc) >> > will do this when the proxy arp is set to be on. >> > >> > Regards. >> > >> > Faisal Imtiaz >> > Snappy Internet & Telecom >> > 7266 SW 48 Street >> > Miami, FL 33155 >> > Tel: 305 663 5518 x 232 >> > >> > Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net >> > >> > > From: "Cameron Crum" >> > > To: af@afmug.com >> > > Sent: Sunday, February 12, 2017 1:01:51 PM >> > > Subject: Re: [AFMUG] odd mt behavior >> > > >> > > yeah...tracked it to arp table full...something is flooding the arp >> list >> > > with every unused ip. >> > > >> > > On Fri, Feb 10, 2017 at 10:21 PM, Jesse Dupont < >> > > jesse.dup...@celeritycorp.net > >> > > >> > > wrote: >> > >> If the UBNT CPEs are M series (XM or XW), is WDS enabled on both the >> APs >> > >> and CPEs? >> > >> >> > >> On Fri, Feb 10, 2017 at 12:28 PM -0700, "Cameron Crum" < >> > >> cc...@wispmon.com > >> > >> >> > >> wrote: >> > >>> I have a customer who is having an odd issue on several MTs. His >> DHCP >> > >>> server is using radius to auth end users. The mac requests a lease, >> > >>> radius replies with accept and a Framed-IP, but the lease in the >> dchp >> > >>> server just says offered and never binds the lease. It is not with >> > >>> every customer, but it seems to happening randomly on several >> routers. >> > >>> version is 6.36. I had them look to see if was a particular end user >> > >>> router brand, or even the same type of cpe, but other than all cpe's >> > >>> being some flavor of ubnt set up in bridge mode, there doesn't seem >> to >> > >>> be a pattern. The dhcp server is set up on a bridge interface in the >> > >>> MT, add arp for leases, reply-only. I'm out of ideas on what would >> > >>> cause this. The ip is within the range of ips assigned to the >> > >>> interface. IP Pools is set to static only. Anyone seen this before? >> >