TRC is primarily funded by ad revenue. If you like the content you find here, please do not block our ads. Thank you.

Thread: Network puzzler

  1. #1
    KungFooBob

    Got a Sonicwall UTM.

    It crashes randomly, usually a week or so apart. Between Support and myself we think we've narrowed it down to a potential broadcast storm that builds and builds until it brings the box down.

    So...

    In the Packet Monitor I'm seeing lots of ARP from an IP address 192.168.0.120. This is not one of my subnets, it's not any of my configured VLANs.

    Using the ARP cache on my switches I've narrowed it down to a specific switch and port... which is connected to a box working as a domain controller.

    It has two NICs, one is disabled (and set to DHCP), the other has a single IP 192.168.151.1.

    The MACs of the cards are a4badb-42a627 and a4badb-42a628 respectively.

    The real mystery is that the Sonicwall reckons the requests from 192.168.0.120 are from MAC a4badb-42a629!

    It's very confusing, I'm thinking I've got an evil undead NIC or a poltergeist or something.


  3. #2
    KungFooBob

    Hmm, 192.168.0.120 is the address assigned to iDRAC. I've never configured iDRAC and I'm not aware of the server having a remote management card, and if it has, it's not connected to the network!

    How odd.

  4. #3
    Greenman

    It's not some sort of virtual card that is using that IP is it...?

    Could you not try disconnecting one port at a time and see if that stops the ping requests? Can you not put an error disabled policy on your ports so that the port stays disabled if the software detects a broadcast storm?

    This is what we do. Our main routers all have time out error disabled ports so that if a loopback is detected and a broadcast storm is discovered on a port that port shuts down and is disabled until brought back up manually.

  5. #4
    KungFooBob

    It was a virtual management card.

    I had to enable the disabled NIC, give it an IP on the 192.168.0.1/24 subnet and then I could access the web interface on the iDRAC card itself... and disable it.

    I don't think it was this that was causing the problem in the end.

    It's the first time I've used the Packet Monitor for looking at ARP; if it wasn't for that I'd never have known the iDRAC was active (I've got a shit load of Dell stuff but never configure the remote management on them).
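
An added example, not part of any post in this thread: a small triage of ARP observations that flags senders outside the configured subnets or with a MAC missing from the NIC inventory, and points at the nearest inventoried NIC when the unknown MAC is adjacent to it, as a4badb-42a629 is here. The /24 mask, the function names and the sample observations are assumptions constructed from the addresses in the posts.

```python
import ipaddress

# Constructed from the thread; the /24 mask is an assumption.
CONFIGURED_SUBNETS = ["192.168.151.0/24"]
KNOWN_NICS = {"a4badb-42a627": "DC NIC 1 (disabled)",
              "a4badb-42a628": "DC NIC 2 (192.168.151.1)"}
# Constructed (sender IP, sender MAC) pairs as read off a packet capture.
SAMPLE_ARP = [("192.168.151.1", "a4badb-42a628"),
              ("192.168.0.120", "a4badb-42a629")]

def mac_to_int(mac):
    """Accept a4badb-42a629 or a4:ba:db:42:a6:29 and return a 48-bit int."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def nearest_known_nic(mac, known, max_gap=8):
    """Heuristic (assumption): an unknown MAC with the same OUI and a small
    offset from an inventoried NIC probably lives in the same chassis."""
    target, best = mac_to_int(mac), None
    for known_mac, label in known.items():
        k = mac_to_int(known_mac)
        gap = abs(target - k)
        same_oui = (target >> 24) == (k >> 24)
        if same_oui and 0 < gap <= max_gap and (best is None or gap < best[2]):
            best = (known_mac, label, gap)
    return best

def triage_arp(observations, subnets, known):
    """Return one finding per sender that is off-subnet or not in inventory."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    known_ints = {mac_to_int(m) for m in known}
    findings = []
    for ip, mac in observations:
        off_subnet = not any(ipaddress.ip_address(ip) in n for n in nets)
        unknown_mac = mac_to_int(mac) not in known_ints
        if off_subnet or unknown_mac:
            neighbour = nearest_known_nic(mac, known) if unknown_mac else None
            findings.append({"ip": ip, "mac": mac, "off_subnet": off_subnet,
                             "unknown_mac": unknown_mac, "neighbour": neighbour})
    return findings

if __name__ == "__main__":
    for f in triage_arp(SAMPLE_ARP, CONFIGURED_SUBNETS, KNOWN_NICS):
        print(f)
```
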

  6. #5
    Anglomaniac

    Originally posted by KungFooBob:
        It was a virtual management card.

        I had to enable the disabled NIC, give it an IP on the 192.168.0.1/24 subnet and then I could access the web interface on the iDRAC card itself... and disable it.

        I don't think it was this that was causing the problem in the end.

        It's the first time I've used the Packet Monitor for looking at ARP; if it wasn't for that I'd never have known the iDRAC was active (I've got a shit load of Dell stuff but never configure the remote management on them).

    I manage 1000s of Dell servers; the iDRAC is awesome. Worth reading up on.