RV325 System Log Entries - Kernel - kernel: The MAC table overflow. (Neighbour table overflow.)

michaeldowns1000 · ‎01-20-2015

Hello,

I have a RV325 Router. Entries in the System Log are repeated over and over.

The messages are:

2015-01-20, 04:11:59	Kernel	kernel: The MAC table overflow. (Neighbour table overflow.)
2015-01-20, 04:11:59	Kernel	last message repeated 8 times
2015-01-20, 05:52:19	Kernel	kernel: The MAC table overflow. (Neighbour table overflow.)

Packet traces point to thousands of ARP packets coming from the ISP to my WAN port. Most of the ARP packet sources/destinations are not even close to my ISP DHCP assigned IP.

1) What is going on with these ARP packets? Should the ISP be flooding my WAN port with all these ARP Packets? In other words, is this normal? The ISP claims it is. From my understanding it is not normal.

2) Is this an attack on the ISP or my private net? See the Cisco paper: MAC Address Overflow Attack and Mitigation Techniques White Paper http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603836.html

3) Is this the result of some other malware attack?

4) Multiple types of firewall software, A.V. and etc. are utilized - and based on the packet traces, it seems unlikely that there is malware on my private net. Is there a way to diagnose further for such attacks/malware?

5) is there a way to send commands to the RV325 to increase cache for the MAC table/Neighbour table?

Any suggestions would be appreciated.

Regards,

Michael Downs

suckitcisco · ‎04-12-2017

While those IP ranges might look odd, looking up the ASN they all seem to be the same 20001 which is "ROADRUNNER-WEST - Time Warner Cable Internet LLC, US". I doubt this is an attack as rather just extremely crappy network management. I have had the same issue with Comcast. Apparently proper network segmentation is something few ISPs can't do well. It would be great if we had a firewall option to drop some of this ARP noise. I wouldn't hold my breath, there are some many bugs that have been allowed to continue across firmware releases that expecting a fix to something that doesnt really impact functionality is too much to expect.

Unfortunately it seems we are at a point that unless someone can find a good way to hack a third party firmware onto the hardware I would have a hard time recommending anyone deal with the bugs and design flaws of the rv* routers.

shahed.sherkat · ‎07-12-2018

I have had the same issue with Cisco RV340 today. I believe there is an issue when both WAN links are. I did not have a chance to investigate further to find out whether the issue is a bug in RV340 firmware or it was because both of my links are from the same provider ( I know it's not ideal!), but I could witness lots of arp messages being received from the ISP in such way that it killed the arp cache and causing the RV340 to act weirdly. Disabled the secondary WAN link for now to investigate further later.

Ggiordantx1 · ‎09-26-2018

It does sort of disappoint me that they drop or slow roll support on these smaller devices. I guess it's just not good economics for them. I would think one full time guy could easily keep on top of several of these devices for upkeep... But, hey, I'm no big CEO with shareholders to answer to.

I do like the RV in general, but with the FW updates rolling out so infrequently, and occasional weird random crashes etc,

I have been giving consideration to switching to Ubiquity when my RV gives up the ghost. Any comments or thoughts as a comparison for support on their SO HO boxes?