James Fry

Cisco Wireless causing broadcast storm

I have 3 networks that keep getting broadcast storms. We run Symantec Endpoint Protection in all 3 sites, and none of the sites are connected whatsoever. The IP address that it says is the source is the Cisco 4402 Wireless Lightweight Controller in each site. Here is the error:

Denial of Service "IP Fragmentation Overlap" attack detected. Description: An IP Fragmentation Overlap attack exploits IP's packet reassembly feature by creating packet fragments with overlapping offset fields, making it impossible for your system to reassemble the packets properly.

Now, here is a small sample of the packet capture.  The 172.20.99.100 is the WLC.

1758      81.740765      Cisco_68:08:c6      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.85
1759      81.742598      Cisco_37:c3:b8      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.139
1760      81.743094      172.20.96.85      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1761      81.743273      172.20.96.139      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1762      81.776105      172.20.99.236      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1763      81.77637      Cisco_67:db:46      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.236
1764      81.848697      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1765      81.852606      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
1766      81.865914      172.20.99.183      172.20.98.68      TCP      4268 > microsoft-ds [ACK] Seq=11355 Ack=2574 Win=64430 Len=0
1767      81.88962      Cisco_67:d9:8e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.240
1768      82.140017      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has 172.20.96.254?  Tell 172.20.96.69
1769      82.140027      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has 172.20.97.10?  Tell 172.20.96.69
1770      82.292445      Cisco_67:db:12      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.77
1771      82.479477      Cisco_97:67:e0      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.75
1772      82.535745      Cisco_67:d9:2a      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.234
1773      82.82494      172.20.99.183      239.255.255.250      IGMP      V2 Membership Report / Join group 239.255.255.250
1774      82.824979      172.20.99.183      224.0.0.251      IGMP      V2 Membership Report / Join group 224.0.0.251
1775      82.848188      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1776      82.85212      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
1777      82.899478      Cisco_67:d9:8e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.240
1778      82.941696      Cisco_67:db:74      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.239
1779      83.140129      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has 172.20.97.10?  Tell 172.20.96.69
1780      83.294633      Cisco_67:db:12      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.77
1781      83.478581      172.20.96.75      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1782      83.478866      Cisco_97:67:e0      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.75
1783      83.535278      172.20.99.234      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1784      83.535617      Cisco_67:d9:2a      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.234
1785      83.672661      Cisco_8c:c9:07      Spanning-tree-(for-bridges)_00      STP      Conf. Root = 32768/0/00:14:bf:52:02:c0  Cost = 4  Port = 0x8007
1786      83.848175      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1787      83.851847      172.20.99.235      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1788      83.851946      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
1789      83.89654      Cisco_67:d9:8e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.240
1790      83.935098      Microsof_26:af:c4      Broadcast      ARP      Who has 172.20.99.207?  Tell 172.20.98.70
1791      83.94086      Cisco_67:db:74      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.239
1792      83.949192      Cisco_67:da:94      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.241
1793      83.995929      HewlettP_df:2d:da      HP      LLC      U P, func=TEST; SNAP, OUI 0x00805F (Unknown), PID 0x0002
1794      84.268377      Microsof_26:af:c4      Broadcast      ARP      Who has 172.20.98.83?  Tell 172.20.98.70

Anyone know what the heck is going on with this?
maestromasada

What sort of switches are you running on the sites? Research the current firmware version running on the switches and see if upgraded versions are available.
Les Moore

Are you using Layer 2 or Layer 3 for control of the APs by the WLC?
Looks like the APs all have to re-broadcast ARP and then register again.
Are the APs and WLC all in a separate VLAN? VLANs control broadcasts!
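An added example (not part of the original thread): a short Python tally over rows copied from the capture in the question, showing which hosts keep ARPing for the WLC at 172.20.99.100, how many LWAPP discovery broadcasts each sent, and the mean gap between their ARP retries. The function names and the regexes for the Wireshark text-export layout are assumptions of this example.

```python
import re
from collections import defaultdict

WLC_IP = "172.20.99.100"  # controller address named in the question
# Rows copied from the capture in the question (Wireshark text export).
CAPTURE = """\
1764      81.848697      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1765      81.852606      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
1768      82.140017      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has 172.20.96.254?  Tell 172.20.96.69
1775      82.848188      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1776      82.85212      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
1786      83.848175      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1787      83.851847      172.20.99.235      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1788      83.851946      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
"""

# Columns: No., Time, Source, Destination, Protocol, Info
ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
ARP = re.compile(r"Who has (\S+)\?\s+Tell (\S+)")

def parse(text):
    """Yield (time, source, protocol, info) for each export row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield float(m.group(2)), m.group(3), m.group(5), m.group(6)

def wlc_seekers(text, wlc_ip=WLC_IP):
    """Per host IP: ARPs for the WLC, discovery broadcasts, mean ARP retry gap."""
    arp_times = defaultdict(list)
    discovery = defaultdict(int)
    for t, src, proto, info in parse(text):
        arp = ARP.search(info)
        if proto == "ARP" and arp and arp.group(1) == wlc_ip:
            arp_times[arp.group(2)].append(t)  # keyed by the "Tell" address
        elif proto == "LWAPP" and "DISCOVERY_REQUEST" in info:
            discovery[src] += 1
    report = {}
    for ip in sorted(set(arp_times) | set(discovery)):
        times = arp_times.get(ip, [])
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[ip] = {
            "arp_for_wlc": len(times),
            "discovery": discovery.get(ip, 0),
            "mean_gap_s": round(sum(gaps) / len(gaps), 2) if gaps else None,
        }
    return report

if __name__ == "__main__":
    print(wlc_seekers(CAPTURE))
```

On these rows both APs repeat the ARP for the WLC roughly once per second; running it over a full export shows whether every AP follows the same pattern.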
ASKER CERTIFIED SOLUTION
ipekshev

This solution is only available to members.
Are the access points functioning as a redundant link between two networks? (This means: is there a second link between these networks?)

Under normal circumstances, you should provide static IPs to manage your equipment...
Also, verify that you haven't misconfigured an access point, connecting it to another and finally causing the loop.
James Fry

ASKER

It seemed to be a problem with the version of firmware, although I did see it happen with the supposed "fixed" version of firmware as well.