2.7. ARP

Home Prev	cOS Core 15.00.01 Log Reference Guide	Next

2.7.1. unsolicited_reply_drop (ID: 00300001)

Default Severity: NOTICE
Log Message: Unsolicited ARP reply received and dropped
Explanation: An ARP reply was received even though no reply was currently expected for this IP.
Firewall Action: None
Recommended Action: If this is not the wanted behavior, change the setting UnsolicitedARPReplies.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.2. no_sender_ip (ID: 00300002)

Default Severity: NOTICE
Log Message: ARP query sender IP is 0.0.0.0
Explanation: The source IP-address of an ARP query is 0.0.0.0. Allowing.
Firewall Action: allow
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.3. no_sender_ip (ID: 00300003)

Default Severity: NOTICE
Log Message: ARP query sender IP is 0.0.0.0. Dropping
Explanation: The source IP-address of an ARP query is 0.0.0.0. Dropping packet.
Firewall Action: drop
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.4. arp_response_broadcast (ID: 00300004)

Default Severity: NOTICE
Log Message: ARP response is a broadcast address
Explanation: The ARP response has a sender address which is a broadcast address. Allowing.
Firewall Action: allow
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.5. arp_response_multicast (ID: 00300005)

Default Severity: NOTICE
Log Message: ARP response is a multicast address
Explanation: The ARP response has a sender address which is a multicast address. This might be the case if there are load balancing network equipment in the network. Allowing.
Firewall Action: allow
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.6. mismatching_hwaddrs (ID: 00300006)

Default Severity: NOTICE
Log Message: ARP hw sender does not match Ethernet hw sender
Explanation: The hardware sender address specified in the ARP data does not match the Ethernet hardware sender address. Allowing.
Firewall Action: allow
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.7. mismatching_hwaddrs_drop (ID: 00300007)

Default Severity: NOTICE
Log Message: ARP hw sender does not match Ethernet hw sender. Dropping
Explanation: The hardware sender address specified in the ARP data does not match the Ethernet hardware sender address. Dropping packet.
Firewall Action: drop
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.8. hwaddr_change (ID: 00300008)

Default Severity: NOTICE
Log Message: <knownip> has a different address <newhw> compared to the known hardware address <knownhw>. Allow packet for further processing.
Explanation: A known dynamic ARP entry has a different hardware address than the one in the ARP packet. Allowing packet for further processing.
Firewall Action: allow_processing
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Parameters: knownip
knownhw
newhw
Context Parameters: Rule Name
Packet Buffer

2.7.9. arp_resolution_failed (ID: 00300009)

Default Severity: WARNING
Log Message: ARP resolution failed
Explanation: ARP query was not resolved before the ARP cache entry expired.
Firewall Action: remove_entry
Recommended Action: None
Revision: 1
Parameters: ipaddr
iface

2.7.10. unsolicited_reply_accept (ID: 00300010)

Default Severity: NOTICE
Log Message: Unsolicited ARP reply received and accepted
Explanation: An ARP reply was received even though no reply was currently expected for this IP.
Firewall Action: None
Recommended Action: If this is not the wanted behavior, change the setting UnsolicitedARPReplies.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.11. arp_resolution_success (ID: 00300020)

Default Severity: NOTICE
Log Message: ARP entry was added to the ARP cache.
Explanation: ARP entry was added to the ARP cache.
Firewall Action: added_entry
Recommended Action: None
Revision: 1
Parameters: enetaddr
ipaddr
iface

2.7.12. arp_cache_size_limit_reached (ID: 00300030)

Default Severity: NOTICE
Log Message: ARP cache size limit reached
Explanation: The ARP cache size limit has been reached. Current license limit is [limit].
Firewall Action: None
Recommended Action: Update your license to allow a greater amount of concurrent ARP entries.
Revision: 1
Parameters: limit

2.7.13. invalid_arp_sender_ip_address (ID: 00300049)

Default Severity: WARNING
Log Message: Failed to verify ARP sender IP address. Dropping
Explanation: The ARP sender IP address could not be verified according to the "access" section and the packet is dropped.
Firewall Action: drop
Recommended Action: If all ARP sender IP addresses should be accepted without validation, modify the configuration.
Revision: 2
Context Parameters: Rule Name
Packet Buffer

2.7.14. arp_access_allowed_expect (ID: 00300050)

Default Severity: NOTICE
Log Message: Allowed by expect rule in access section
Explanation: The ARP sender IP address is verified by an expect rule in the access section.
Firewall Action: access_allow
Recommended Action: None
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.15. impossible_hw_address (ID: 00300051)

Default Severity: NOTICE
Log Message: Impossible hardware address 0000:0000:0000 in ARP response. Dropping
Explanation: The ARP response has sender hardware address 0000:0000:0000, which is illegal. Dropping packet.
Firewall Action: drop
Recommended Action: Verify that no fault network equipment exists.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.16. arp_response_broadcast_drop (ID: 00300052)

Default Severity: WARNING
Log Message: ARP response is a broadcast address. Dropping
Explanation: The ARP response has a sender address which is a broadcast address. Dropping packet.
Firewall Action: drop
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.17. arp_response_multicast_drop (ID: 00300053)

Default Severity: NOTICE
Log Message: ARP response is a multicast address. Dropping
Explanation: The ARP response has a sender address which is a multicast address. This might be the case if there are load balancing network equipment in the network. Dropping packet.
Firewall Action: drop
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.7.18. arp_collides_with_static (ID: 00300054)

Default Severity: WARNING
Log Message: Known entry is <knowntype> <knownip>=<knownhw>. Dropping
Explanation: The hardware sender address does not match the static entry in the ARP table. Static ARP changes are not allowed. Dropping packet.
Firewall Action: drop
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Parameters: reason
knowntype
knownip
knownhw
Context Parameters: Rule Name
Packet Buffer

2.7.19. hwaddr_change_drop (ID: 00300055)

Default Severity: NOTICE
Log Message: <knownip> has a different address <newhw> compared to the known hardware address <knownhw>. Dropping packet.
Explanation: A known dynamic ARP entry has a different hardware address than the one in the ARP packet. Dropping packet.
Firewall Action: drop
Recommended Action: If this is not the desired behaviour, modify the configuration.
Revision: 1
Parameters: knownip
knownhw
newhw
Context Parameters: Rule Name
Packet Buffer