Beginner

Dynamic ARP Inspection ports err-disable

Hi all,

 

Since yesterday, we're having this weird issue where switch ports are going to err-disable due to excess ARP packets:

We're seeing these logs:

  • 2:10:42 PM
    33821 Mar 3 14:10:41.456: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on
  • 3/3/2020 2:10:12 PM
    33818 Mar 3 14:10:11.459: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state
  • 3/3/2020 2:10:12 PM
    33817 Mar 3 14:10:11.459: %SW_DAI-4-PACKET_RATE_EXCEEDED: 103 packets received in 362 milliseconds on Gi3/0/2.

We never had this problem before. Our configuration is to limit ARP pps to 100 packets, with access ports untrusted.

Any idea what might be causing this and how to narrow it down to the root cause? We're seeing lots of ARP requests in Wireshark as well. Switches are 3850.

Any help would be appreciated.
** Please rate this post or accept the solution if it helped! :) **
Collaborator

Hi,

This could be caused by your Windows clients? Are you running Windows 7 or Windows 10?  Has there been a change to the Windows clients e.g. upgrade from Windows 7 to Windows 10, updates to Windows

 

Thanks

John

**Please rate posts you find helpful**
@johnd2310 wrote:

Hi,

This could be caused by your Windows clients? Are you running Windows 7 or Windows 10?  Has there been a change to the Windows clients e.g. upgrade from Windows 7 to Windows 10, updates to Windows

 

Thanks

John


Windows 10 and no changes (except regular updates). The only change to clients is a new antivirus solution (Crowdstrike) which has been recently rolled out to a pilot group. Could this be caused by that?


Hi,

 

If the machines causing this are part of the pilot group that has the new software, then that could be the cause. If this is isolated to a few machines, then look at these machines.

 

Thanks

John

 

Collaborator

Hi,

 

There is something weird with those hosts. Take one, make packet captures, stop processes and see which process or Windows service is responsible.

 

Regards,

Cristian Matei.

Beginner

Hello,

 

Can you please try to apply "ip arp inspection trust" on any of the ports and test. If still no luck, then share the interface configuration to better understand.

 

Thanks,

Raja
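
An added example, not part of the thread or any poster's code: one way to check from the switch syslog whether the DAI rate-limit events are isolated to a few ports, as the replies suggest, before pulling packet captures on the hosts behind them. The Gi3/0/7 lines and the second Gi3/0/2 event are constructed sample data, and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample: the two complete lines from the post, plus invented
# lines (IDs 339xx) so the grouping has more than one port to rank.
SAMPLE_LOG = """\
33817 Mar 3 14:10:11.459: %SW_DAI-4-PACKET_RATE_EXCEEDED: 103 packets received in 362 milliseconds on Gi3/0/2.
33818 Mar 3 14:10:11.459: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state
33902 Mar 3 14:12:40.101: %SW_DAI-4-PACKET_RATE_EXCEEDED: 101 packets received in 950 milliseconds on Gi3/0/7.
33903 Mar 3 14:12:40.102: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/7, putting Gi3/0/7 in err-disable state
33950 Mar 3 14:15:02.777: %SW_DAI-4-PACKET_RATE_EXCEEDED: 140 packets received in 210 milliseconds on Gi3/0/2.
33951 Mar 3 14:15:02.778: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/2, putting Gi3/0/2 in err-disable state
"""

RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (\d+) packets received in (\d+) "
    r"milliseconds on (\S+?)\.?$")
ERRDIS_RE = re.compile(
    r"%PM-4-ERR_DISABLE: arp-inspection error detected on ([^,\s]+)")

def summarize(log_text):
    """Group DAI rate-limit events by interface, noisiest port first."""
    ports = defaultdict(lambda: {"events": 0, "errdisabled": 0, "peak_pps": 0.0})
    for line in log_text.splitlines():
        m = RATE_RE.search(line.strip())
        if m:
            pkts, ms, intf = int(m.group(1)), int(m.group(2)), m.group(3)
            if ms == 0:
                continue  # malformed line; avoid dividing by zero
            p = ports[intf]
            p["events"] += 1
            # Rate extrapolated from the window the switch reported, so a
            # short burst shows up as a high pps figure.
            p["peak_pps"] = max(p["peak_pps"], round(pkts * 1000 / ms, 1))
            continue
        m = ERRDIS_RE.search(line)
        if m:
            ports[m.group(1)]["errdisabled"] += 1
    return sorted(ports.items(),
                  key=lambda kv: (kv[1]["events"], kv[1]["peak_pps"]),
                  reverse=True)

if __name__ == "__main__":
    for intf, s in summarize(SAMPLE_LOG):
        print(f"{intf}: {s['events']} rate events, "
              f"{s['errdisabled']} err-disables, peak ~{s['peak_pps']} pps")
```

Ports that recur at the top of the list are the ones to map to hosts and capture on; a port that barely crosses the limit over a full second points to a different cause than one that bursts within a few hundred milliseconds.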

 
