[lug] Linux boxes drop off the net? Router problem?

rm at mamma.varadinet.de rm at mamma.varadinet.de
Tue Feb 6 13:07:02 MST 2001


On Tue, Feb 06, 2001 at 12:39:47PM -0700, Gary Frerking (TurboPower) wrote:
> >> Ok we're one step closer.  I'm assuming you are using dumb hubs.
> (unmanaged) <<
> 
> Correct.
> 
> >> Some routers/switches use the ARP protocol to keep track of machines
> attached to them.  I'm curious if perhaps the linux boxes are not responding
> to ARP messages, which is causing them to drop off the network. Switches hubs
> ARE intelligent enough to add an entry into their ARP table when they see a
> packet coming from a machine attached to them. (This would explain why the
> machine shows back up after a ping out from it) <<
> 
> I definitely think you're on the right track.
> 
> >> You mentioned that you had several security packages installed on all of
> the linux machines. Perhaps one of them is filtering ARP messages? <<
> 
> Hmmm...


Hmm, too. ARP is 'under' the packet layer and shouldn't be touched by
packet filters. Anyway, in 'normal' circumstances ARP isn't 'routed',
after all, this is the protocol used to detect _hardware_ addresses.
There's not much use of the MAC address unless you are attached to the
same ethernet bus.

> ARP is handled by the kernel, isn't it?
> 
> I'm asking to make sure I didn't turn off a daemon or something that handles
> it. I have ArpWatch turned off, for example, but I'm pretty sure that's
> okay.
> 
> Is there some sort of ARP client that I could use from a Linux or Solaris
> box to query another and see if/how it responds?

arp. 'arp -anv' will show you the content of the arp cache.

> Okay, here's some more [potentially very relevant] info: when I verified
> with our SysAdmin that our hubs were unmanaged hubs (and explained why I was
> asking) he "happened to mention" that he turned off a bunch of features on
> the router some time ago (probably at least a year ago) -- he described the
> features to me as "RIP this and ARP that" -- he said he had to turn them off
> to resolve some other sort of misrouting issue with our ISP.
> 
> Is it possible that he turned off one feature too many, and now the router
> *isn't* using ARP to check for connected machines? Windows machines are
> obviously noisy enough on the network to keep the router informed of where
> they are without ARP. Linux boxes are quiet enough when they're not doing
> something that they could be missed, I suppose.

If ARP doesn't work your ethernet is dead. Network packets are sent to
another box by means of hardware addresses, everything else sits on top
of that. The simple (too simple?) rule is: to be able to deliver a
network packet to somewhere the kernel must either know the/a corresponding
hardware address for the IP _or_ know whom to hand over the packet (i.e. have
a gateway). If the kernel doesn't have the hw. address he just hands the
whole packet to the gateway (by sending it to the hardware address of the
gateway).

> Our SysAdmin is pretty good in many respects, but I think he'd be the first
> to say that he falls short of the "guru level" in some areas -- Linux is
> definitely one of them, and I don't think he knows everything there is to

Who would ...

BTW, is it possible that some of your boxes are misconfigured? I have
seen similar phenomena in a network where two boxes happened to have
the same hardware address (yes, that _is_ possible). Some intelligent
router in between got really confused. Similar things happen if two boxes
share the same IP address. Or does the IP address of your gateway change
sometimes? Or even worse: do two gateways share the same IP address?
The kernel keeps a cache of the hardware addresses it has seen recently,
if the kernel thinks the hardware address of box A is xx:xx:xx:xx:xx:xx
when in reality it changed then it keeps sending the IP addresses to the
wrong hardware address.

 Ralf
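
The checks suggested in the message above (a hardware address shared by two boxes, an IP whose hardware address changes, entries that never resolve) can be run over saved `arp -an` output. This is an added example, not part of the original message; it assumes the Linux net-tools output format, and the addresses and snapshot names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Linux net-tools `arp -an` output (not from the thread).
SNAPSHOT_1 = """\
? (192.168.1.1) at 00:50:56:aa:bb:01 [ether] on eth0
? (192.168.1.20) at 00:50:56:aa:bb:20 [ether] on eth0
? (192.168.1.21) at 00:50:56:aa:bb:20 [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0
"""
# Constructed later snapshot: the gateway IP now answers with another MAC.
SNAPSHOT_2 = SNAPSHOT_1.replace("aa:bb:01", "aa:bb:99")

ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f:]{17}|<incomplete>)")

def parse_arp(text):
    """Map each IP to its cached MAC, or None if ARP never got a reply."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:  # lines such as the `-v` summary do not match and are skipped
            ip, mac = m.group(1), m.group(2).lower()
            table[ip] = None if mac == "<incomplete>" else mac
    return table

def shared_macs(table):
    """MACs cached for more than one IP (duplicate MAC, or an IP alias)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac:
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_ips(before, after):
    """IPs whose MAC differs between two snapshots (duplicate IP, swap)."""
    return {ip: (before[ip], after[ip]) for ip in before.keys() & after.keys()
            if before[ip] and after[ip] and before[ip] != after[ip]}

def unresolved(table):
    """IPs the kernel asked about but got no ARP reply for."""
    return sorted(ip for ip, mac in table.items() if mac is None)

if __name__ == "__main__":
    t1, t2 = parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)
    print("shared MACs:", shared_macs(t1))
    print("changed:", changed_ips(t1, t2))
    print("unresolved:", unresolved(t1))
```

A MAC that appears for several IPs is also normal for hosts with IP aliases or a router doing proxy ARP, so a hit is a reason to look at the box, not proof of a conflict.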


