Solved

Cisco Wireless causing broadcast storm

Posted on 2010-08-20
Last Modified: 2013-12-21
I have 3 networks that keep getting broadcast storms.  We run Symantec Endpoint Protection in all 3 sites, and none of the sites are connected whatsoever.  The IP address that it says is the source is the Cisco 4402 Wireless Lightweight Controller in each site.  Here is the error:

Denial of Service "IP Fragmentation Overlap" attack detected. Description: An IP Fragmentation Overlap attack exploits IP's packet reassembly feature by creating packet fragments with overlapping offset fields, making it impossible for your system to reassemble the packets properly.

Now, here is a small sample of the packet capture.  The 172.20.99.100 is the WLC.

1758      81.740765      Cisco_68:08:c6      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.85
1759      81.742598      Cisco_37:c3:b8      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.139
1760      81.743094      172.20.96.85      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1761      81.743273      172.20.96.139      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1762      81.776105      172.20.99.236      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1763      81.77637      Cisco_67:db:46      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.236
1764      81.848697      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1765      81.852606      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
1766      81.865914      172.20.99.183      172.20.98.68      TCP      4268 > microsoft-ds [ACK] Seq=11355 Ack=2574 Win=64430 Len=0
1767      81.88962      Cisco_67:d9:8e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.240
1768      82.140017      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has 172.20.96.254?  Tell 172.20.96.69
1769      82.140027      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has 172.20.97.10?  Tell 172.20.96.69
1770      82.292445      Cisco_67:db:12      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.77
1771      82.479477      Cisco_97:67:e0      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.75
1772      82.535745      Cisco_67:d9:2a      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.234
1773      82.82494      172.20.99.183      239.255.255.250      IGMP      V2 Membership Report / Join group 239.255.255.250
1774      82.824979      172.20.99.183      224.0.0.251      IGMP      V2 Membership Report / Join group 224.0.0.251
1775      82.848188      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1776      82.85212      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
1777      82.899478      Cisco_67:d9:8e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.240
1778      82.941696      Cisco_67:db:74      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.239
1779      83.140129      a4:ba:db:f9:fc:96      Broadcast      ARP      Who has 172.20.97.10?  Tell 172.20.96.69
1780      83.294633      Cisco_67:db:12      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.77
1781      83.478581      172.20.96.75      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1782      83.478866      Cisco_97:67:e0      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.96.75
1783      83.535278      172.20.99.234      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1784      83.535617      Cisco_67:d9:2a      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.234
1785      83.672661      Cisco_8c:c9:07      Spanning-tree-(for-bridges)_00      STP      Conf. Root = 32768/0/00:14:bf:52:02:c0  Cost = 4  Port = 0x8007
1786      83.848175      Cisco_67:d9:0e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.233
1787      83.851847      172.20.99.235      255.255.255.255      LWAPP      CNTL DISCOVERY_REQUEST
1788      83.851946      Cisco_67:da:92      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.235
1789      83.89654      Cisco_67:d9:8e      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.240
1790      83.935098      Microsof_26:af:c4      Broadcast      ARP      Who has 172.20.99.207?  Tell 172.20.98.70
1791      83.94086      Cisco_67:db:74      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.239
1792      83.949192      Cisco_67:da:94      Broadcast      ARP      Who has 172.20.99.100?  Tell 172.20.99.241
1793      83.995929      HewlettP_df:2d:da      HP      LLC      U P, func=TEST; SNAP, OUI 0x00805F (Unknown), PID 0x0002
1794      84.268377      Microsof_26:af:c4      Broadcast      ARP      Who has 172.20.98.83?  Tell 172.20.98.70

Anyone know what the heck is going on with this?
Question by:jfry2k
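
Added example, not part of the original thread: a short Python script that tallies a Wireshark text export laid out like the capture above, to show which address many hosts are ARPing for and which of those hosts are also broadcasting LWAPP discovery requests. The sample lines are constructed, and the function names and the `min_askers` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the capture's column order:
# No., time, source, destination, protocol, info
SAMPLE = """\
1  0.000  Cisco_aa:00:01  Broadcast  ARP  Who has 10.0.9.100?  Tell 10.0.6.85
2  0.002  Cisco_aa:00:02  Broadcast  ARP  Who has 10.0.9.100?  Tell 10.0.6.139
3  0.003  10.0.6.85  255.255.255.255  LWAPP  CNTL DISCOVERY_REQUEST
4  0.036  10.0.9.236  255.255.255.255  LWAPP  CNTL DISCOVERY_REQUEST
5  0.037  Cisco_aa:00:03  Broadcast  ARP  Who has 10.0.9.100?  Tell 10.0.9.236
6  0.400  02:00:00:00:00:01  Broadcast  ARP  Who has 10.0.6.254?  Tell 10.0.6.69
7  1.001  Cisco_aa:00:01  Broadcast  ARP  Who has 10.0.9.100?  Tell 10.0.6.85
8  1.126  10.0.9.183  10.0.8.68  TCP  4268 > microsoft-ds [ACK] Seq=1 Ack=1 Win=64430 Len=0
"""

ARP_RE = re.compile(r"Who has (\S+?)\?\s+Tell (\S+)")

def parse(text):
    """Split each summary line into its six columns; skip anything else."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[0].isdigit():
            rows.append(dict(zip(("no", "time", "src", "dst", "proto", "info"), parts)))
    return rows

def suspects(rows, min_askers=3):
    """Return (target, requests, distinct askers, askers also sending LWAPP discovery)."""
    askers = defaultdict(set)   # ARP target IP -> IPs asking for it
    requests = Counter()        # ARP target IP -> number of who-has frames
    discovering = set()         # IPs broadcasting LWAPP DISCOVERY_REQUEST
    for r in rows:
        m = ARP_RE.search(r["info"]) if r["proto"] == "ARP" else None
        if m:
            askers[m.group(1)].add(m.group(2))
            requests[m.group(1)] += 1
        elif (r["proto"] == "LWAPP" and r["dst"] == "255.255.255.255"
              and "DISCOVERY_REQUEST" in r["info"]):
            discovering.add(r["src"])
    found = [(t, requests[t], len(who), sorted(who & discovering))
             for t, who in askers.items() if len(who) >= min_askers]
    return sorted(found, key=lambda f: -f[1])

if __name__ == "__main__":
    for target, n, hosts, aps in suspects(parse(SAMPLE)):
        print(f"{target}: {n} ARP requests from {hosts} hosts; "
              f"also in LWAPP discovery: {', '.join(aps) or 'none'}")
```

A target that many access points keep asking for while they also repeat discovery broadcasts points at APs that cannot reach or join the controller, which is the pattern the replies below discuss.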
5 Comments
 
LVL 2

Expert Comment

by:maestromasada
ID: 33495187
What sort of switches are you running on the sites? Research the current firmware version running on the switches and see if upgraded versions are available.
 
LVL 79

Expert Comment

by:lrmoore
ID: 33496199
Are you using Layer 2 or Layer 3 for control of the APs by the WLC?
Looks like the APs all have to re-broadcast ARP and then register again.
Are the APs and WLC all in a separate VLAN? VLANs control broadcasts!
 

Accepted Solution

by:
ipekshev earned 500 total points
ID: 33498207
It appears that this problem started with Cisco 4402 release 7.0.98. We have exactly the same problem, but... I have MS DHCP to assign permanent addresses to all access points (AP-1252 series). When you reset an access point from the Cisco 4402, it somehow deletes or screws up a reservation of DHCP (running on Windows 2008 R2 x64 server). Then, according to the AP console, it tries to request a DHCP address, and while the server is not assigning one, the AP goes into a loop and starts a broadcast storm on the wired network. The AP console shows "no IP address assigned" messages. A workaround is to set all access points to use static IP addresses. Keep in mind that this problem only occurs when the Cisco 4400 is running version 7.0.98 software and DHCP is running on Win 2k8 R2 x64. This issue does not occur on a Win 2003 R2 DHCP server, though. Looks like it's a problem on the Cisco side and probably a bug in the DHCP server too.
 
Hope this helps,
ilya
 
LVL 10

Expert Comment

by:ampranti
ID: 33499482
Are the access points functioning as a redundant link between two networks? (This means: is there a second link between these networks?)

Under normal circumstances, you should provide static IPs to manage your equipment...
Also, verify that you haven't misconfigured an access point, connecting it to another and finally causing the loop.
 

Author Closing Comment

by:jfry2k
ID: 35802471
It seemed to be a problem with the version of firmware, although I did see it happen with the supposed "fixed" version of firmware as well.