Cisco Wireless causing broadcast storm

I have 3 networks that keep getting broadcast storms. We run Symantec Endpoint Protection in all 3 sites, and none of the sites are connected whatsoever. The IP address that it says is the source is the Cisco 4402 Wireless Lightweight Controller in each site. Here is the error:

Denial of Service "IP Fragmentation Overlap" attack detected. Description: An IP Fragmentation Overlap attack exploits IP's packet reassembly feature by creating packet fragments with overlapping offset fields, making it impossible for your system to reassemble the packets properly.

Now, here is a small sample of the packet capture. This is the WLC.

1758      81.740765      Cisco_68:08:c6      Broadcast      ARP      Who has  Tell
1759      81.742598      Cisco_37:c3:b8      Broadcast      ARP      Who has  Tell
1760      81.743094      LWAPP      CNTL DISCOVERY_REQUEST
1761      81.743273      LWAPP      CNTL DISCOVERY_REQUEST
1762      81.776105      LWAPP      CNTL DISCOVERY_REQUEST
1763      81.77637      Cisco_67:db:46      Broadcast      ARP      Who has  Tell
1764      81.848697      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
1765      81.852606      Cisco_67:da:92      Broadcast      ARP      Who has  Tell
1766      81.865914      TCP      4268 > microsoft-ds [ACK] Seq=11355 Ack=2574 Win=64430 Len=0
1767      81.88962      Cisco_67:d9:8e      Broadcast      ARP      Who has  Tell
1768      82.140017      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has  Tell
1769      82.140027      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has  Tell
1770      82.292445      Cisco_67:db:12      Broadcast      ARP      Who has  Tell
1771      82.479477      Cisco_97:67:e0      Broadcast      ARP      Who has  Tell
1772      82.535745      Cisco_67:d9:2a      Broadcast      ARP      Who has  Tell
1773      82.82494      IGMP      V2 Membership Report / Join group
1774      82.824979      IGMP      V2 Membership Report / Join group
1775      82.848188      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
1776      82.85212      Cisco_67:da:92      Broadcast      ARP      Who has  Tell
1777      82.899478      Cisco_67:d9:8e      Broadcast      ARP      Who has  Tell
1778      82.941696      Cisco_67:db:74      Broadcast      ARP      Who has  Tell
1779      83.140129      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has  Tell
1780      83.294633      Cisco_67:db:12      Broadcast      ARP      Who has  Tell
1781      83.478581      LWAPP      CNTL DISCOVERY_REQUEST
1782      83.478866      Cisco_97:67:e0      Broadcast      ARP      Who has  Tell
1783      83.535278      LWAPP      CNTL DISCOVERY_REQUEST
1784      83.535617      Cisco_67:d9:2a      Broadcast      ARP      Who has  Tell
1785      83.672661      Cisco_8c:c9:07      Spanning-tree-(for-bridges)_00      STP      Conf. Root = 32768/0/00:14:bf:52:02:c0  Cost = 4  Port = 0x8007
1786      83.848175      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
1787      83.851847      LWAPP      CNTL DISCOVERY_REQUEST
1788      83.851946      Cisco_67:da:92      Broadcast      ARP      Who has  Tell
1789      83.89654      Cisco_67:d9:8e      Broadcast      ARP      Who has  Tell
1790      83.935098      Microsof_26:af:c4      Broadcast      ARP      Who has  Tell
1791      83.94086      Cisco_67:db:74      Broadcast      ARP      Who has  Tell
1792      83.949192      Cisco_67:da:94      Broadcast      ARP      Who has  Tell
1793      83.995929      HewlettP_df:2d:da      HP      LLC      U P, func=TEST; SNAP, OUI 0x00805F (Unknown), PID 0x0002
1794      84.268377      Microsof_26:af:c4      Broadcast      ARP      Who has  Tell

Anyone know what the heck is going on with this?
James Fry, Enterprise Solutions Architect, asked:
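As an added example (not from the poster or from Symantec), a small detector that parses summary lines in the same column layout as the capture above and flags any source MAC whose ARP-broadcast rate inside a sliding window reaches a threshold, which is the kind of check a SEP "broadcast storm" alert should be verified against before blaming the WLC. The sample rows, the 1-second window and the threshold of 5 are constructed assumptions.

```python
import re

# Constructed sample in the column layout of the capture in the question
# (frame, time, source, destination, protocol, info); not the real capture.
SAMPLE_CAPTURE = """\
100      10.000123      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
101      10.050771      LWAPP      CNTL DISCOVERY_REQUEST
102      10.100908      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
103      10.210440      Cisco_97:67:e0      Broadcast      ARP      Who has  Tell
104      10.302117      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
105      10.404590      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
106      10.612233      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
107      10.901002      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
109      12.001110      Cisco_67:d9:0e      Broadcast      ARP      Who has  Tell
"""

def parse_capture(text):
    """Split each summary line on runs of 2+ spaces; LWAPP rows have no src/dst."""
    frames = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 4:
            continue
        if cols[2] == "LWAPP":
            src, dst, proto = None, None, "LWAPP"
        else:
            src, dst, proto = cols[2], cols[3], cols[4]
        frames.append({"time": float(cols[1]), "src": src,
                       "dst": dst, "proto": proto})
    return frames

def peak_rate(times, window):
    """Largest number of timestamps that fall inside any window-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def storm_sources(frames, window=1.0, threshold=5):
    """Sources whose ARP-broadcast peak rate reaches the threshold."""
    by_src = {}
    for f in frames:
        if f["proto"] == "ARP" and f["dst"] == "Broadcast":
            by_src.setdefault(f["src"], []).append(f["time"])
    peaks = {s: peak_rate(ts, window) for s, ts in by_src.items()}
    return sorted((s, n) for s, n in peaks.items() if n >= threshold)
```

Run it over a Wireshark summary export (File > Export Packet Dissections > Plain text) to see which access point, rather than the controller, is actually generating the ARP flood.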
It appears that this problem started with Cisco 4402 release 7.0.98; we have exactly the same problem, but... I use MS DHCP to assign permanent addresses to all access points (AP-1252 series). When you reset an access point from the Cisco 4402, it somehow deletes or screws up the DHCP reservation (running on a Windows 2008 R2 x64 server). Then, according to the AP console, it tries to request a DHCP address; while the server is not assigning one, the AP goes into a loop and starts a broadcast storm on the wired network. The AP console shows "no IP address assigned" messages. A workaround is to set all access points to use static IP addresses. Keep in mind that this problem only occurs when the Cisco 4400 is running version 7.0.98 software and DHCP is running on Win 2k8 R2 x64. This issue does not occur with a Win 2003 R2 DHCP server, though. Looks like it's a problem on the Cisco side and probably a bug in the DHCP server too.
Hope this helps,
What sort of switches are you running on the sites? Research the current firmware version running on the switches and see if upgraded versions are available.
Are you using Layer 2 or Layer 3 for control of the AP's by the WLC?
Looks like the AP's all have to re-broadcast ARP and then register again.
Are the AP's and WLC all in a separate VLAN? Vlan's control broadcasts!
Are the access points functioning as a redundant link between two networks (that is, is there a second link between these networks)?

Under normal circumstances, you should provide static IPs to manage your equipment...
Also, verify that you haven't misconfigured an access point connecting to another one, finally causing the loop.
James Fry, Enterprise Solutions Architect (Author), commented:
It seemed to be a problem with the version of firmware, although, I did see it happen with the supposed "fixed" version of firmware as well.