
Dynamic ARP Inspection ports err-disable

Captain HoOmi
Level 1

Hi all,

 

Since yesterday, we've been having this weird issue where switch ports are going to err-disable due to exceeded ARP packets:

We're seeing these logs:

  • 2:10:42 PM  33821 Mar 3 14:10:41.456: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on
  • 3/3/2020 2:10:12 PM  33818 Mar 3 14:10:11.459: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state
  • 3/3/2020 2:10:12 PM  33817 Mar 3 14:10:11.459: %SW_DAI-4-PACKET_RATE_EXCEEDED: 103 packets received in 362 milliseconds on Gi3/0/2.

We never had this problem before. Our configuration is to limit ARP pps to 100 packets and access ports untrusted.

Any idea what might be causing this and how to narrow down to the root cause? We're seeing lots of ARP requests in Wireshark as well. Switches are 3850.

Any help would be appreciated.
** Please rate this post or accept the solution if it helped! :) **
5 Replies 5

johnd2310
Level 8

Hi,

This could be caused by your Windows clients? Are you running Windows 7 or Windows 10? Has there been a change to the Windows clients, e.g. upgrade from Windows 7 to Windows 10, updates to Windows?

 

Thanks

John

**Please rate posts you find helpful**


@johnd2310 wrote:

Hi,

This could be caused by your Windows clients? Are you running Windows 7 or Windows 10? Has there been a change to the Windows clients, e.g. upgrade from Windows 7 to Windows 10, updates to Windows?

 

Thanks

John


Windows 10 and no changes (except regular updates). Only change to clients is a new antivirus solution (CrowdStrike) which has been recently rolled out to a pilot group. Could this be caused by that?

** Please rate this post or accept the solution if it helped! :) **

Hi,

 

If the machines causing this are part of the pilot group that has the new software, then that could be the cause. If this is isolated to a few machines, then look at these machines.

 

Thanks

John

 

**Please rate posts you find helpful**
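
Added example (not part of the thread, and not Cisco code): a small Python script that tallies the DAI syslog messages per port, so you can see whether the err-disables are isolated to a few machines, and how bursty each sender was. The first two log lines are the ones from the original post; the other two, including port Gi1/0/17, are constructed for illustration, and the pps figure is an extrapolation from the reported window.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are from the post; the last two
# (and port Gi1/0/17) are invented here to show the per-port ranking.
SAMPLE_LOG = """\
33817 Mar 3 14:10:11.459: %SW_DAI-4-PACKET_RATE_EXCEEDED: 103 packets received in 362 milliseconds on Gi3/0/2.
33818 Mar 3 14:10:11.459: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state
33830 Mar 3 14:12:40.101: %SW_DAI-4-PACKET_RATE_EXCEEDED: 101 packets received in 95 milliseconds on Gi3/0/2.
33841 Mar 3 14:15:02.730: %SW_DAI-4-PACKET_RATE_EXCEEDED: 102 packets received in 940 milliseconds on Gi1/0/17.
"""

RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (\d+) packets received in "
    r"(\d+) milliseconds on (\S+?)\.?$"
)
ERR_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (\S+?),")

def summarize(log_text):
    """Return [(port, stats)] sorted by rate-limit trips, then peak burst rate."""
    stats = defaultdict(lambda: {"trips": 0, "err_disables": 0, "peak_pps": 0.0})
    for line in log_text.splitlines():
        line = line.strip()
        m = RATE_RE.search(line)
        if m:
            packets, ms, port = int(m.group(1)), int(m.group(2)), m.group(3)
            # Equivalent rate if the burst had continued for a full second.
            pps = round(packets * 1000.0 / max(ms, 1), 1)
            stats[port]["trips"] += 1
            stats[port]["peak_pps"] = max(stats[port]["peak_pps"], pps)
            continue
        m = ERR_RE.search(line)
        if m:
            stats[m.group(1)]["err_disables"] += 1
    return sorted(stats.items(),
                  key=lambda kv: (-kv[1]["trips"], -kv[1]["peak_pps"]))

if __name__ == "__main__":
    for port, s in summarize(SAMPLE_LOG):
        print(f"{port:10} trips={s['trips']} err_disables={s['err_disables']} "
              f"peak~{s['peak_pps']} pps")
```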

Cristian Matei
VIP Alumni

Hi,

 

There is something weird with those hosts. Take one, make packet captures, stop processes and see which process or Windows service is responsible.

 

Regards,

Cristian Matei.

Raja4u
Level 1

Hello,

 

Can you please try to apply "ip arp inspection trust" on any of the ports and test. If still no luck, then share the interface configuration to better understand.

 

Thanks,

Raja

 
