

Cisco Wireless causing broadcast storm

Posted on 2010-08-20
Medium Priority
Last Modified: 2013-12-21
I have 3 networks that keep getting broadcast storms.  We run Symantec Endpoint Protection in all 3 sites, and none of the sites are connected whatsoever.  The IP address that it says is the source is the Cisco 4402 Wireless Lightweight Controller in each site.  Here is the error:

Denial of Service "IP Fragmentation Overlap" attack detected. Description: An IP Fragmentation Overlap attack exploits IP's packet reassembly feature by creating packet fragments with overlapping offset fields, making it impossible for your system to reassemble the packets properly.

Now, here is a small sample of the packet capture.  The is the WLC.

1758      81.740765      Cisco_68:08:c6      Broadcast      ARP      Who has  Tell
1759      81.742598      Cisco_37:c3:b8      Broadcast      ARP      Who has  Tell
1760      81.743094      LWAPP      CNTL DISCOVERY_REQUEST
1761      81.743273      LWAPP      CNTL DISCOVERY_REQUEST
1762      81.776105      LWAPP      CNTL DISCOVERY_REQUEST
1763      81.77637      Cisco_67:db:46      Broadcast      ARP      Who has  Tell
1764      81.848697      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
1765      81.852606      Cisco_67:da:92      Broadcast      ARP      Who has  Tell
1766      81.865914      TCP      4268 > microsoft-ds [ACK] Seq=11355 Ack=2574 Win=64430 Len=0
1767      81.88962      Cisco_67:d9:8e      Broadcast      ARP      Who has  Tell
1768      82.140017      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has  Tell
1769      82.140027      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has  Tell
1770      82.292445      Cisco_67:db:12      Broadcast      ARP      Who has  Tell
1771      82.479477      Cisco_97:67:e0      Broadcast      ARP      Who has  Tell
1772      82.535745      Cisco_67:d9:2a      Broadcast      ARP      Who has  Tell
1773      82.82494      IGMP      V2 Membership Report / Join group
1774      82.824979      IGMP      V2 Membership Report / Join group
1775      82.848188      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
1776      82.85212      Cisco_67:da:92      Broadcast      ARP      Who has  Tell
1777      82.899478      Cisco_67:d9:8e      Broadcast      ARP      Who has  Tell
1778      82.941696      Cisco_67:db:74      Broadcast      ARP      Who has  Tell
1779      83.140129      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has  Tell
1780      83.294633      Cisco_67:db:12      Broadcast      ARP      Who has  Tell
1781      83.478581      LWAPP      CNTL DISCOVERY_REQUEST
1782      83.478866      Cisco_97:67:e0      Broadcast      ARP      Who has  Tell
1783      83.535278      LWAPP      CNTL DISCOVERY_REQUEST
1784      83.535617      Cisco_67:d9:2a      Broadcast      ARP      Who has  Tell
1785      83.672661      Cisco_8c:c9:07      Spanning-tree-(for-bridges)_00      STP      Conf. Root = 32768/0/00:14:bf:52:02:c0  Cost = 4  Port = 0x8007
1786      83.848175      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
1787      83.851847      LWAPP      CNTL DISCOVERY_REQUEST
1788      83.851946      Cisco_67:da:92      Broadcast      ARP      Who has  Tell
1789      83.89654      Cisco_67:d9:8e      Broadcast      ARP      Who has  Tell
1790      83.935098      Microsof_26:af:c4      Broadcast      ARP      Who has  Tell
1791      83.94086      Cisco_67:db:74      Broadcast      ARP      Who has  Tell
1792      83.949192      Cisco_67:da:94      Broadcast      ARP      Who has  Tell
1793      83.995929      HewlettP_df:2d:da      HP      LLC      U P, func=TEST; SNAP, OUI 0x00805F (Unknown), PID 0x0002
1794      84.268377      Microsof_26:af:c4      Broadcast      ARP      Who has  Tell

Anyone know what the heck is going on with this?
Question by:jfry2k
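A triage sketch for a capture like the one in the question, added here as an example and not part of the original post: it tallies broadcast ARP per source from a Wireshark-style text export and flags senders that repeat at a steady interval, which is the pattern visible in the excerpt. The sample lines are constructed in the shape of that excerpt, and the function names, `min_repeats` and `jitter` thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in the shape of the excerpt above (frame no., time,
# source, destination, protocol, info); not the poster's full capture.
SAMPLE = """\
1764  81.848697  Cisco_67:d9:0e  Broadcast  ARP  Who has  Tell
1765  81.852606  Cisco_67:da:92  Broadcast  ARP  Who has  Tell
1766  81.865914  TCP  4268 > microsoft-ds [ACK] Seq=11355 Ack=2574 Win=64430 Len=0
1768  82.140017  a4:ba:db:f9:fc:96  Broadcast  ARP  Who has  Tell
1775  82.848188  Cisco_67:d9:0e  Broadcast  ARP  Who has  Tell
1776  82.85212   Cisco_67:da:92  Broadcast  ARP  Who has  Tell
1781  83.478581  LWAPP  CNTL DISCOVERY_REQUEST
1786  83.848175  Cisco_67:d9:0e  Broadcast  ARP  Who has  Tell
1788  83.851946  Cisco_67:da:92  Broadcast  ARP  Who has  Tell
"""

ARP_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+)\s+(\S+)\s+Broadcast\s+ARP\b")
LWAPP_RE = re.compile(r"^\s*\d+\s+\d+\.\d+\s+LWAPP\s+CNTL DISCOVERY_REQUEST")

def summarize(text):
    """Return (per-source broadcast ARP timestamps, LWAPP discovery count)."""
    arp_times = defaultdict(list)
    discoveries = 0
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            arp_times[m.group(2)].append(float(m.group(1)))
        elif LWAPP_RE.match(line):
            discoveries += 1
    return arp_times, discoveries

def periodic_senders(arp_times, min_repeats=3, jitter=0.05):
    """Sources whose broadcast ARPs arrive at a steady interval (retry loop)."""
    flagged = {}
    for src, times in arp_times.items():
        if len(times) < min_repeats:
            continue  # too few frames to call it periodic
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if all(abs(g - period) <= jitter for g in gaps):
            flagged[src] = round(period, 2)
    return flagged

if __name__ == "__main__":
    times, disc = summarize(SAMPLE)
    print("LWAPP discovery requests:", disc)
    for src, period in periodic_senders(times).items():
        print(f"{src}: broadcast ARP every ~{period}s ({len(times[src])} frames)")
```

Run against a full export, the list of flagged sources shows which devices are retrying in lockstep and which broadcasts are ordinary background traffic.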

Expert Comment

ID: 33495187
What sort of switches are you running on the sites? Research the current firmware version running on the switches and see if upgraded versions are available.

Expert Comment

ID: 33496199
Are you using Layer 2 or Layer 3 for control of the APs by the WLC?
Looks like the APs all have to re-broadcast ARP and then register again.
Are the APs and WLC all in a separate VLAN? VLANs control broadcasts!

Accepted Solution

ipekshev earned 1500 total points
ID: 33498207
It appears that this problem started with Cisco 4402 release 7.0.98, we have exactly the same problem but... I have MS DHCP to assign permanent addresses to all access points (AP-1252 series), when you re-set an access point from Cisco 4402 it somehow deletes or screws up a reservation of DHCP (running on Windows 2008 R2 x64 server) . Then, according to AP console it tries to request a DHCP address, while server is not assigning one, AP goes into the loop and starts a broadcast storm on the wired network. AP console shows no IP address assigned messages. A workaround is to set all access points to use static IP addresses. Keeping in mind that this problem only occurs when Cisco 4400 is running version 7.0.98 software and DHCP is running on Win 2k8 R2 x64. This issue does not occur on Win 2003 R2 DHCP server though. Looks like it's a problem on the Cisco side and probably a bug in DHCP server too.
Hope this helps,

Expert Comment

ID: 33499482
Are the access points functioning as a redundant link between two networks (this means: is there a second link between these networks)?

Under normal circumstances, you should provide static IPs to manage your equipment...
Also, verify that you haven't misconfigured an access point, connecting to another and finally causing the loop.

Author Closing Comment

ID: 35802471
It seemed to be a problem with the version of firmware, although, I did see it happen with the supposed "fixed" version of firmware as well.
