
[Junos] ARP sanity check for ARP reply fails


Article ID: KB36349  KB Last Updated: 22 Dec 2020  Version: 1.0
Summary:

When the Address Resolution Protocol (ARP) sanity check fails for a received ARP packet, the router cannot learn or install an ARP entry. This means that an incorrect reply was received from the peer device. In this case, the recommendation is to check the content of the ARP reply to identify any errors.

This article shows how to do this.

 

Symptoms:

The router is unable to learn ARP for a peer even though the router has received ARP packets from the peer.

Check the ARP statistics by using the show system statistics arp command. The following example is from the DUT router:

{master:member0-re0}

labroot@mxvc> show system statistics arp member 0 |except "0 "    
Dec 02 17:56:10
member0:
--------------------------------------------------------------------------

arp:
         39315 datagrams received
         1532 ARP requests received
         1436 ARP replies received
         26 resolution request received
         1187 datagrams with multicast target address         << Target MAC address is a multicast MAC address.
         12235 datagrams for an address not on the interface  << Sender IP address is not correct (not in the same subnet as the DUT's interface).
         116768 datagrams which were not for me               << Target MAC address or target protocol address is not correct (not the DUT's interface MAC or IP address).
         315 datagrams with source address duplicate to mine  << Sender IP address duplicates the DUT's IP address.
         17978 packets discarded waiting for resolution
         16 packets sent after waiting for resolution
         1532 ARP replies sent
         16 Current Public ARP nexthops present
         36 Current IRI ARP nexthops present
         3 Current Management ARP nexthops present

{master:member0-re0}
labroot@mxvc> 

 

Solution:

To resolve this issue, perform the following:

  1. Check the content of the peer's ARP reply packet to determine whether it is correct.

    1. Use the monitor traffic interface command to check the sender's IP address.

    2. Use the write-file option or the print-hex option to check the values of the target MAC address and IP address in the ARP reply.

  2. Then, if the ARP reply from the peer is found to be incorrect, ask the peer device to correct it.
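
The following is an added example, not Juniper code: it decodes the hex bytes of an ARP payload (as you would read them from a print-hex capture, starting after the 14-byte Ethernet header) and applies the four conditions annotated in the statistics output above. The function names, the order of the checks, and the sample addresses and frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

def parse_arp(hexdump: str) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP payload given as hex (whitespace ignored)."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 28:
        raise ValueError("ARP payload shorter than 28 bytes")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,                                   # 1 = request, 2 = reply
        "sha": raw[8:14],                               # sender MAC
        "spa": ipaddress.IPv4Address(raw[14:18]),       # sender IP
        "tha": raw[18:24],                              # target MAC
        "tpa": ipaddress.IPv4Address(raw[24:28]),       # target IP
    }

def sanity_check(arp: dict, my_mac: bytes, my_if: ipaddress.IPv4Interface) -> list:
    """Return the counter-style reasons a reply fails (empty list means it passes)."""
    problems = []
    if arp["tha"][0] & 0x01:        # group bit set: multicast (broadcast sets it too)
        problems.append("multicast target address")
    if arp["spa"] not in my_if.network:
        problems.append("address not on the interface")
    if arp["tha"] != my_mac or arp["tpa"] != my_if.ip:
        problems.append("not for me")
    if arp["spa"] == my_if.ip:
        problems.append("source address duplicate to mine")
    return problems

# Constructed sample data: local interface 192.0.2.1/24, MAC 02:aa:bb:cc:dd:01.
MY_MAC = bytes.fromhex("02aabbccdd01")
MY_IF = ipaddress.IPv4Interface("192.0.2.1/24")
# Well-formed reply from 192.0.2.2 addressed to the local MAC and IP.
GOOD_REPLY = "0001 0800 0604 0002 02aa bbcc dd02 c000 0202 02aa bbcc dd01 c000 0201"
# Reply with sender IP 198.51.100.2 (wrong subnet) and a multicast target MAC.
BAD_REPLY = "0001 0800 0604 0002 02aa bbcc dd02 c633 6402 0100 5e00 0001 c000 0201"
# Reply whose sender IP is the local interface address.
DUP_REPLY = "0001 0800 0604 0002 02aa bbcc dd02 c000 0201 02aa bbcc dd01 c000 0201"

if __name__ == "__main__":
    for name, frame in (("good", GOOD_REPLY), ("bad", BAD_REPLY), ("dup", DUP_REPLY)):
        print(name, sanity_check(parse_arp(frame), MY_MAC, MY_IF))
```
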

 
