05-29-2012 07:54 AM - edited 07-03-2021 10:13 PM
Can someone explain to me the concept of an orphan packet?
And why am I asking this? Because I'm seeing the following message in the syslog server:
*dtlArpTask: May 28 11:48:12.117: %DTL-4-ARP_ORPHANPKT_DETECTED: dtl_net.c:1425 STA(Target MAC Address) [,] ARP (op ARP REQUEST) received with invalid SPA(Source IP Address) 169.254.146.36/TPA(Destination IP Address) 169.254.146.36
Can anyone explain this to me?
05-29-2012 11:42 AM
Hi,
When a client associates with a WLAN, it can start trying to pass traffic without having passed authentication yet. Windows devices/Apple devices are especially chatty. If a client sends traffic before a controller is ready to allow it, i.e. they have not passed authentication, you see an Orphan Packet message.
When you see an orphan packet message showing the IP address of the client changing, that means that the controller was receiving orphan packets from that client's MAC address with the first IP address and then started receiving packets from the same client with a different IP address. If a client changes SSIDs then it is a pretty common message since the client would have to pass authentication, get a new IP, etc. You could enable Fast SSID Change under CONTROLLER>General for the WLC GUI.
05-30-2012 05:11 AM - edited 02-06-2018 09:41 PM
David,
The message means that there is a packet that does not belong to any valid registered client on the AP/WLC.
This can happen if a client was able to pass authentication but not able to get an IP address (which looks like your case above, where you have a 169.254.x.x IP address).
If a client could not get an IP address from DHCP, it will automatically fall back to using an APIPA IP address (169.254..etc). Because this IP is not valid (not configured on any VLAN on the WLC), the client traffic that is sent through the WLC with an invalid source IP will be considered orphan traffic.
This very scenario also sometimes happens when a client is connecting to a web-auth WLAN and the session-timeout expires while DHCP is enabled. In this case the L2 may try to re-connect automatically, but the client is not releasing its IP before connecting, so the WLC considers the client as having an IP address already and prevents it from connecting. If the session-timeout expires, the client traffic will be considered orphan until it reconnects at L2 again. (This is actually a subset of what fbarboza expressed above.)
In your case your clients have a bad IP address. Assign them a good IP address and all will be fine.
HTH
Amjad
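The two causes described in the replies above (an APIPA source address after a DHCP failure, and the same client MAC showing up with a changing source IP) can be told apart directly from the syslog feed. The following is an added example, not part of the thread or Cisco code; the sample lines are constructed, and it assumes the "[,]" in the quoted message is a redacted "[MAC, IP]" pair.

```python
import ipaddress
import re
from collections import defaultdict

def make_line(mac, spa, tpa):
    """Build a constructed log line in the shape of the message quoted in the thread."""
    return ("*dtlArpTask: May 28 11:48:12.117: %DTL-4-ARP_ORPHANPKT_DETECTED: "
            f"dtl_net.c:1425 STA(Target MAC Address) [{mac}, 0.0.0.0] ARP (op ARP REQUEST) "
            f"received with invalid SPA(Source IP Address) {spa}/TPA(Destination IP Address) {tpa}")

# Constructed sample data (MACs and 10.x addresses are made up for illustration).
SAMPLE_LOG = "\n".join([
    make_line("02:00:00:aa:bb:01", "169.254.146.36", "169.254.146.36"),
    make_line("02:00:00:aa:bb:02", "10.10.20.15", "10.10.20.1"),
    make_line("02:00:00:aa:bb:02", "10.10.30.77", "10.10.30.1"),
    make_line("02:00:00:aa:bb:03", "10.10.20.40", "10.10.20.1"),
    "*apfMsConnTask: May 28 11:48:13.000: unrelated line",
])

# The bracket fields may be empty, as in the redacted line on the page.
ORPHAN_RE = re.compile(
    r"%DTL-4-ARP_ORPHANPKT_DETECTED:.*?"
    r"STA\(Target MAC Address\) \[(?P<mac>[0-9A-Fa-f:]*),\s*(?P<sta_ip>[\d.]*)\].*?"
    r"SPA\(Source IP Address\) (?P<spa>[\d.]+)/TPA\(Destination IP Address\) (?P<tpa>[\d.]+)")

def parse_orphans(text):
    """Return a list of (client MAC, source IP) for every orphan-packet message."""
    events = []
    for line in text.splitlines():
        m = ORPHAN_RE.search(line)
        if not m:
            continue
        try:
            spa = ipaddress.ip_address(m["spa"])
        except ValueError:
            continue  # malformed address in the log line; skip it
        events.append((m["mac"].lower() or "unknown", spa))
    return events

def classify(events):
    """Label each MAC: 'apipa' (DHCP failed), 'ip-changed', or 'unregistered'."""
    seen = defaultdict(set)
    for mac, spa in events:
        seen[mac].add(spa)
    report = {}
    for mac, spas in seen.items():
        if any(ip.is_link_local for ip in spas):   # 169.254.0.0/16
            report[mac] = "apipa"
        else:
            report[mac] = "ip-changed" if len(spas) > 1 else "unregistered"
    return report
```

Clients labelled `apipa` point at DHCP for that WLAN or VLAN; `ip-changed` matches the SSID-change case described by fbarboza.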
05-30-2012 05:30 AM
Amjad,
I must say that this is an issue only with iPads on my network. At this point I've changed the "Fast SSID change" setting to see if this problem would stop, as suggested by fbarboza.
Just give me a couple of hours and I will have a report from users to see if this change has an impact.
05-30-2012 09:09 AM
Are you using web auth for the WLAN?
05-31-2012 02:16 PM
Guys,
Fast SSID Change has made a difference in the network, and yes, I'm using web auth for a guest WLAN.
DS
06-02-2012 10:34 AM
Hi,
I just wanted to confirm whether the Fast SSID Change helped you and whether the issue continues or not.
Also, don't forget to rate if the answer worked.
11-22-2013 01:43 AM
Do you happen to know how long this supposed delay is with Fast SSID Change disabled?
Could there be any negative effect of enabling this?
I'm asking because we have more and more mobile phones/tablets.
11-22-2013 04:09 AM
No impact. Have had it enabled across many customers for years.
11-22-2013 06:06 AM
The delay is, I think, 30 seconds if you have Fast SSID Change disabled. I too always have this enabled.
11-22-2013 06:23 AM
Thanks for your replies. I've enabled it now.