cancel
Showing results for 
Search instead for 
Did you mean: 

Need help with network issue - ARP Broadcasts

LF1949
I Plan to Stick Around

Hi, I’m looking for a little network help. On the morning of Thursday April 21 before turning on my computer, I noticed the activity light on my Motorola SB5100 modem and the WAN (Internet) light on my Asus router flashing constantly. Checking the Traffic Monitor on the router I could see a 3-5 KB/s of incoming traffic none of which was making it to my computer. This has been happening 24/7 since Thursday.

 

I called Rogers and was told the flashing was normal but my modem (which I own) was very old and it had likely failed. I have a friend on the other side of town with a similar modem, so I asked him to check his and it is doing the same thing.

 

This morning I removed the router and connected my computer directly to the modem. When the computer was boot the modem flashing started again. I ran Wireshark and did a quick capture which showed I was getting 40-50 ARP requests per second.

 

They are all similar to this, each one with different seemingly random IPs:

Source                 Dest           Prot   Size  Info

Casa_91:68:1F  Broadcast  ARP   60     Who has 24.166.173.159? Tell 24.166.172.1

 

I’m wondering if it has anything to do with Roger’s implementation of IPv6. Maybe trying to assign an IPv6 IP to an IPv4 only device.

 

Any help would be appreciated.

 

***Edited Labels***

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Need help with network issue - ARP Broadcasts

@Gdkitty and All;

 

I'm in touch with different support groups and I'll update the Community as more information becomes available. 

 

Gdkitty wrote:

Maybe its that the rogers D3 ones are on an 'exclude' list sort of thing..

 

@Jelllo has CGN3 modem and it is able to see those requests as well. So D3s are not excluded either. It seems like only some of the modems are responding to those requests. 

 

Edited Post : Update

 

The visible ARP broadcasts are due to our network migrating from "Cisco CMTS" to "Casa CMTS". The broadcasts have zero operational impact on the modems. In technical terms, when traffic comes from the Internet destined to a particular modem, we need to find the MAC address for that modem. In Cisco world, the CMTS would ask the DHCP server first for that information. In casa world, the modem's IP is checked first before querying the DHCP server. So these ARP requests would be expected behaviour with the Casa systems.

 

As for the Internet data usage, the traffic which originates or terminates to a specific MAC address is counted as Internet usage. In the case of these ARP requests, the traffic does not originate or is not destined to a customer modem and therefore does not count towards Internet usage.

 

Thanks,

RogersMoin

 

View solution in original post

36 REPLIES 36

Re: Need help with network issue - ARP Broadcasts

RogersMoin
Moderator
Moderator

 

Hello, @LF1949

 

Thank you for very interesting post. Did the Internet work when you've bypassed the router? I mean, were you able to browse the Internet on the PC which was connected directly to the modem?

 

I believe even after the whole Rogers' network becomes IPv6 ready still IPv4 devices will be allocated IPv4 IPs. The 24 dot IP address seems to be from Time Warner Cable, were you downloading some file from them?

 

Thanks,

RogersMoin

Re: Need help with network issue - ARP Broadcasts

LF1949
I Plan to Stick Around

Moin,

 

Yes, I was able to use the Internet with or without the router.

 

No, I was not downloading anything from Time Warner (never have).

 

My initial concern was the was the extra usage. I now have a 4KB/s download overhead 24/7. If you do the simple math that adds up to around 10GB per month (4,000x60x60x24x30). Since I'm on a 60GB of usage plan, I'm not happy if I'm loosing 10GB. My plan was to keep comparing my computer usage (monitored locally) with the numbers on MyRogers, but the data on MyRogers has not been updated since this started.

 

I'll continue to monitor. Remember my friend at the other end of town is experiencing the exact same issue.

 

I'll try to insert an image of a small (less then a second) capture.

Wireshark Capture.jpg

 

 

Re: Need help with network issue - ARP Broadcasts

This might be a case of a bot running somewhere, possibly on the Rogers network itelf.  Did you report this Rogers previously?  If not, and its still running, @RogersMoin should be able to phone the NOC and have them  attempt to track it down as its hitting more than one customer on the Rogers network.  In any event I would probably report this to Tech support, although you would probably have to speak with a Tier 2 tech as I'm not sure that a Tier 1 tech would understand what this is all about.  Have the incident recorded on file.  From there, call customer service, and look to have some statement recorded on file to the effect that your IP address is being bombarded with ARP requests (as indicated by the Tech statement) , which puts you in a position of breaking thru your monthly cap due to no fault of yours.  That will hopefully provide some protection from any additional charges that might arise.



Re: Need help with network issue - ARP Broadcasts

The screen capture shows as if some service is mapping IPv4 IPs and MAC addresses. It could be visible on IPv4 devices.  The image was not approved for security reasons, however, I'll notify the appropriate department. 

 

Thanks,

RogersMoin

 

PS: Thank you @Datalink

Re: Need help with network issue - ARP Broadcasts

My guess would be a bot possibly running on a corrupted router or modem somewhere.  The source address doesn't make sense to me, "Casa_91:68:1F" given that the request is for an IPV4 address.  Maybe someone with better knowledge of IP addressing can figure this out.  @RogersMoin I suspect that you would need @LF1949's IP address in order for the NOC to start tracing this.



Re: Need help with network issue - ARP Broadcasts

LF1949
I Plan to Stick Around

Thank Morin and Datalink,

 

Glad you can see that the issue is not confined the the 24.xxx.xxx.xxx IP.

 

When I contacted Rogers Internet Tech Support on the 21st, I knew I wasn't talking to the right department. Hopefully Moin's contact will be someone who understands the issue.

 

From what I've read they call this an "ARP Broadcast Flood or Storm".

 

Other then the extra overhead, my system is working normally.

Re: Need help with network issue - ARP Broadcasts

LF1949
I Plan to Stick Around

Just a quick follow-up. I got some information from another forum that might make sense. I'm told the CMTS (Cable Modem Termination System) sends out ARP requests but most are usually filtered out. The sourse address of the requests is "Casa_91:68:1F" which made no sense until I discovered Casa Systems is a networking hardware supplier like Cisco and Arris.  My guess now is that when Rogers implmented IPv6 in this area, the CMTS (mayber made by Casa) configuration was changed and they are no longer filtering the ARP requests. 

 

Since I'm on a low usage package (60G) I still am trying to determine if this overhead is being added to my usage. I can monitor my usage at my computer and was planning on confirming it with the MyRogers numbers, but the online usage summary has not been updated since April 20th (5 days). I reported that to Rogers billing this morning who were unaware of any problem. Maybe Morin can look into this as well. 

Re: Need help with network issue - ARP Broadcasts

 

Hello, @LF1949

 

I appreciate you posting the findings, I believe your guess is correct though I'll update the thread once I get the response from the NOC department.

 

As for the usage not getting updated, I can have that investigated for you. I've sent a private message, please check your Inbox, thank you. 

 

Cheers,

RogersMoin

Re: Need help with network issue - ARP Broadcasts

Jelllo
I Plan to Stick Around

You can use wireshark to see the source address. As this issue is also happening with me I found it is coming from 99.250.160.1 Must be some new equipment they installed from http://www.casa-systems.com/product-cable.html

Re: Need help with network issue - ARP Broadcasts

 

Hello, @Jelllo

 

Thank you for joining the discussion. Are you also using a Docsis 2.0 modem? Since when are you seeing those ARP requests?

 

Regards,

RogersMoin

Re: Need help with network issue - ARP Broadcasts

Jelllo
I Plan to Stick Around

I am using the Hitron CGN3. I started noticing them a few days ago.


@RogersMoin wrote:

 

Hello, @Jelllo

 

Thank you for joining the discussion. Are you also using a Docsis 2.0 modem? Since when are you seeing those ARP requests?

 

Regards,

RogersMoin


 

Re: Need help with network issue - ARP Broadcasts

 

@Jelllo, would you, please take a screenshot of these ARP requests and send a PM (private message) to @CommunityHelps with your MAC address. I would have it forward to the team investigating this issue, thank you.

 

Regards,

RogersMoin

Re: Need help with network issue - ARP Broadcasts

Jelllo
I Plan to Stick Around

@RogersMoin wrote:

 

@Jelllo, would you, please take a screenshot of these ARP requests and send a PM (private message) to @CommunityHelps with your MAC address. I would have it forward to the team investigating this issue, thank you.

 

Regards,

RogersMoin


Done

Re: Need help with network issue - ARP Broadcasts

Jelllo
I Plan to Stick Around

Does anyone have an update? I didn't get a response from @CommunityHelps 

Re: Need help with network issue - ARP Broadcasts

LF1949
I Plan to Stick Around

Jelllo,

 

I've been receiving automated phones messages from Rogers regarding a ticket that I thing was raised about this issue. It's like "We're still working on your issue and will keep your informed".

 

Since the MyRogers usage summary in my area has been fixed since April 27th, I've been able to compare my usage with their numbers and it appears this extra traffic is not being counted.  The flashing lights are still very annoying. 

Re: Need help with network issue - ARP Broadcasts

Gdkitty
Resident Expert
Resident Expert

@RogersMoin

 

Perhaps you can help my boss as well.

He is not a ROGERS customer, but on TSI (via cable).

He has called 2-3 times to TSI and they wont seem to do anything.. and dont want to escalate it to rogers.

 

He is getting the exact same thing.  A Casa device, sending up to 50 ARP requests a second to his modem.

 

He is on a D3 Thompson modem i beleive.



Re: Need help with network issue - ARP Broadcasts

LF1949
I Plan to Stick Around

I'm glad to hear it's not just D2 modems. My neighbour in the same building has a D3 and is not getting the ARP flood. My son in another town with a D2 is also not getting them. 

 

I've never tried to do a "Factory Reset" I was affraid the old modem my not recover. Do you think it would make a difference?

 

Re: Need help with network issue - ARP Broadcasts

Gdkitty
Resident Expert
Resident Expert

Hmm.. 

Maybe its that the rogers D3 ones are on an 'exclude' list sort of thing..
And then everything else is getting it?  D2s..  Other providers modems, etc.



Re: Need help with network issue - ARP Broadcasts

@Gdkitty and All;

 

I'm in touch with different support groups and I'll update the Community as more information becomes available. 

 

Gdkitty wrote:

Maybe its that the rogers D3 ones are on an 'exclude' list sort of thing..

 

@Jelllo has CGN3 modem and it is able to see those requests as well. So D3s are not excluded either. It seems like only some of the modems are responding to those requests. 

 

Edited Post : Update

 

The visible ARP broadcasts are due to our network migrating from "Cisco CMTS" to "Casa CMTS". The broadcasts have zero operational impact on the modems. In technical terms, when traffic comes from the Internet destined to a particular modem, we need to find the MAC address for that modem. In Cisco world, the CMTS would ask the DHCP server first for that information. In casa world, the modem's IP is checked first before querying the DHCP server. So these ARP requests would be expected behaviour with the Casa systems.

 

As for the Internet data usage, the traffic which originates or terminates to a specific MAC address is counted as Internet usage. In the case of these ARP requests, the traffic does not originate or is not destined to a customer modem and therefore does not count towards Internet usage.

 

Thanks,

RogersMoin

 

View solution in original post

Re: Need help with network issue - ARP Broadcasts

myusername100
I Plan to Stick Around

hitron network is always on?

 

Got a question about my newish docsis 3 hitron modem.  I think it is the cgn3.

Compared to my previous motorola docsis 2 modem, the hitron network activity icon keeps blinking,  even at night when my pc is off.  Modem is in bridge mode, the wi-fi icon is off, but the network icon keeps blinking, there’s a red light in the back the blinks too.

Sorry if this is a stupid question but what exactly is the hitron doing?  And why is it doing it all the time?