This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9 not replying to access point ARP requests

Hello,

I'm experiencing some interesting behaviour that I don't quite understand. It seems the UTM will reply to some ARP requests but not all. This is all on the same subnet.

Problem: Access Points are constantly sending out ARP requests for their gateway (192.168.23.254) and never receiving replies.

Device: Sophos SG105w UTM

Firmware: 9.509-3

Topology:

Note: This is a simplified version of the network -- there are actually 5 access points and a few more devices, but I think this is enough to outline the issue.

 

Scenario: The workstation can ARP for the gateway and receive a reply. The Unifi Access point, however, never does. They are both on the same Subnet.

I ran Wireshark to compare the two ARPs.


Workstation (CentOS 7.4) ARP: Frame 1117: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0

Ubiquiti ARP: Frame 1064: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0

 

The Ubiquiti ARP is bigger, with the following fields showing as different in Wireshark:

[Protocols in frame: eth:arp:vssmonitoring]

Padding: 000000000000000000000000000000000000

 

I have absolutely no idea what the vssmonitoring protocol is -- there are no VSS products in our network.

The other devices on the subnet DO reply to the Ubiquiti ARP requests -- it just seems the UTM never does.

Note: The network is functioning as expected. Wireless clients can connect and browse the internet etc. as normal.

There are these constant ARP Broadcasts on the subnet from every AP.

 

Anybody have some ideas?

 



This thread was automatically locked due to age.
Parents
  • Did you run a tcpdump on the UTM's interface to see if the traffic reaches it?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    No I had not! That's a great suggestion.

    When I ran 'tcpdump -i eth0 -v arp', the UTM is receiving the ARP requests and more importantly, it is replying. However, the workstation never sees these replies (and I'm guessing neither do the access points or they wouldn't be constantly ARPing).

    Interestingly, and this probably has nothing to do with the issue, but the tcpdump resolved it's own hostname in the output instead of 192.168.23.254.

    09:35:25.783918 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has sophos-wifi-utm-1 (Broadcast) tell 192.168.23.13, length 46
    09:35:25.783943 ARP, Ethernet (len 6), IPv4 (len 4), Reply sophos-wifi-utm-1 is-at 00:1a:8c:XX:XX:XX (oui Unknown), length 28

    This leads me to believe it might be something with the Cisco SG300 switch.

    Thanks for pointing me in the right direction! I'll keep investigating.

Reply
  • Hey Bob,

    No I had not! That's a great suggestion.

    When I ran 'tcpdump -i eth0 -v arp', the UTM is receiving the ARP requests and more importantly, it is replying. However, the workstation never sees these replies (and I'm guessing neither do the access points or they wouldn't be constantly ARPing).

    Interestingly, and this probably has nothing to do with the issue, but the tcpdump resolved it's own hostname in the output instead of 192.168.23.254.

    09:35:25.783918 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has sophos-wifi-utm-1 (Broadcast) tell 192.168.23.13, length 46
    09:35:25.783943 ARP, Ethernet (len 6), IPv4 (len 4), Reply sophos-wifi-utm-1 is-at 00:1a:8c:XX:XX:XX (oui Unknown), length 28

    This leads me to believe it might be something with the Cisco SG300 switch.

    Thanks for pointing me in the right direction! I'll keep investigating.

Children
No Data