Thomas Dukes wrote:

*From:* centos-bounces@centos.org [mailto:centos-bounces@centos.org] *On Behalf Of *chloe K *Sent:* Thursday, November 27, 2008 9:10 PM *To:* CentOS mailing list *Subject:* Re: [CentOS] Neighbour table overflow

what is your netmask?

eth0 = 255.255.240.0

That is 4096 addresses (256*16).

eth1 = 255.255.255.0 lo = 255.0.0.0

lo is correct. The 'whole' net127. Of which 4 addresses have ever been used (that I have encountered)....

These don't look right except for eth1. I have made no changes to these in about 4 years.

Thanks

*/Thomas Dukes tdukes@sc.rr.com/* wrote:

Just started getting this. I tried the following by adding it to my
etc/sysctl.conf:

net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 8192
net.ipv4.neigh.default.base_reachable_time = 86400
net.ipv4.neigh.default.gc_stale_time = 86400

That pretty much locked things up.

Then I tried another googled solution:

echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh1

echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh2

echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

And adding it also to etc/sysctl.conf:

net.ipv4.neigh.default.gc_thresh1 = 256
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh3 = 1024

Still not working.

Any ideas?

TIA


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

*Yahoo! Canada Toolbar :* Search from anywhere on the web and bookmark your favourite sites. Download it now! http://ca.toolbar.yahoo.com/

---

---

CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

---- Robert Moskowitz rgm@htt-consult.com wrote:

Thomas Dukes wrote:

...

*From:* centos-bounces@centos.org [mailto:centos-bounces@centos.org] *On Behalf Of *chloe K *Sent:* Thursday, November 27, 2008 9:10 PM *To:* CentOS mailing list *Subject:* Re: [CentOS] Neighbour table overflow

what is your netmask?

eth0 = 255.255.240.0

Why do you have such a large subnet? There are a number of potential performance problems with such a setup. I typically only see this in large, bridged wireless campuses. Little justification for it in a wired network. (I do have lots of networking experience and knowledge, having consulted with a number of large deployments).

Even with a large subnet, you should not be arping everywhere. Either two things are happening:

Your system is recording every ARP request it sees ('Who has IP x.x.x.x') to avoid arping later. Bad behaviour (IMNSHO), given your network.

Your system is ARPing for every IP address in the subnet to learn all of its neighbors. WHy would it do that? Unless you have some snooping software running on your system.

Hi Robert,

I did not set this value. Something did but not me.

I am on a roadrunner connection with a dynamic ip. What do you suggest I change it to?

Thnaks!!

you have the network /20 so that you got this neigbour overlfow you should subnet it

Robert Moskowitz rgm@htt-consult.com wrote: tdukes@sc.rr.com wrote:

---- Robert Moskowitz wrote:

...

Thomas Dukes wrote:

...

*From:* centos-bounces@centos.org [mailto:centos-bounces@centos.org] *On Behalf Of *chloe K *Sent:* Thursday, November 27, 2008 9:10 PM *To:* CentOS mailing list *Subject:* Re: [CentOS] Neighbour table overflow

what is your netmask?

eth0 = 255.255.240.0

Why do you have such a large subnet? There are a number of potential performance problems with such a setup. I typically only see this in large, bridged wireless campuses. Little justification for it in a wired network. (I do have lots of networking experience and knowledge, having consulted with a number of large deployments).

Even with a large subnet, you should not be arping everywhere. Either two things are happening:

Your system is recording every ARP request it sees ('Who has IP x.x.x.x') to avoid arping later. Bad behaviour (IMNSHO), given your network.

Your system is ARPing for every IP address in the subnet to learn all of its neighbors. WHy would it do that? Unless you have some snooping software running on your system.

Hi Robert,

I did not set this value. Something did but not me.

I am on a roadrunner connection with a dynamic ip. What do you suggest I change it to?

You might not have much control over it if you are using DHCP.

route -n

will supply you with your router address. Once you now that and your assigned IP address (and lease) you can use ifconfig to change your netmask so that your router and you are in the same subnet.

What is the address also of your nameserver (/etc/resolv.conf) and mail server? If these are also within that hugh subnet, your netmask has to keep them 'local'.

Roadrunner.... hmm.

_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

---------------------------------

Yahoo! Canada Toolbar : Search from anywhere on the web and bookmark your favourite sites. Download it now!

_____

From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of chloe K Sent: Friday, November 28, 2008 12:36 PM To: CentOS mailing list Subject: Re: [CentOS] Neighbour table overflow

you have the network /20 so that you got this neigbour overlfow you should subnet it

Hi Chole,

I have no clue as to what that means. :-(

Robert Moskowitz rgm@htt-consult.com wrote:

tdukes@sc.rr.com wrote:

---- Robert Moskowitz wrote:

...

Thomas Dukes wrote:

...

*From:* centos-bounces@centos.org [mailto:centos-bounces@centos.org] *On Behalf Of *chloe K *Sent:* Thursday, November 27, 2008 9:10 PM *To:* CentOS mailing list *Subject:* Re: [CentOS] Neighbour table overflow

what is your netmask?

eth0 = 255.255.240.0

Why do you have such a large subnet? There are a number of potential performance problems with such a setup. I typically only see this in large, bridged wireless campuses. Little justification for it in a wired network. (I do have lots of networking experience and knowledge, having consulted with a number of large deployments).

Even with a large subnet, you should not be arping everywhere. Either two things are happening:

Your system is recording every ARP request it sees ('Who has IP x.x.x.x') to avoid arping later. Bad behaviour (IMNSHO), given your network.

Your system is ARPing for every IP address in the subnet to learn all of its neighbors. WHy would it do that? Unless you have some snooping software running on your system.

Hi Robert,

I did not set this value. Something did but not me.

I am on a roadrunner connection with a dynamic ip. What do you suggest I

change it to? You might not have much control over it if you are using DHCP.

route -n

will supply you with your router address. Once you now that and your assigned IP address (and lease) you can use ifconfig to change your netmask so that your router and you are in the same subnet.

What is the address also of your nameserver (/etc/resolv.conf) and mail server? If these are also within that hugh subnet, your netmask has to keep them 'local'.

Roadrunner.... hmm.

_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

_____

http://us.i1.yimg.com/us.yimg.com/i/ca/iotg_search.jpg http://ca.toolbar.yahoo.com/ Yahoo! Canada Toolbar : Search from anywhere on the web and bookmark your favourite sites. Download it now!

-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of John R Pierce Sent: Friday, November 28, 2008 5:14 PM To: CentOS mailing list Subject: Re: [CentOS] Neighbour table overflow

chloe K wrote:

you have the network /20 so that you got this neigbour overlfow you should subnet it

no, no, NO. his eth1 connection is from his ISP. He /has/ to use the supplied netmask, he can't reconfigure their network segment.

now, why is ARP table is overflowing is another issue entirely.

Thomas, can you try this? Do....

arp -an | grep 65.188.0.1

Hi John,

The output from arp -an | grep 65.188.0.1 is:

? (65.188.0.1) at 00:1B:54:CB:7A::05

and pick out the "MAC" address of your gateway router, this will look something like...

? (65.188.0.1) at 00:17:CB:4F:97:81 [ether] on eth1

So, the MAC address above is 00:17:CB:4F:97:81 ... yours definitely will be different.... now,

# tcpdump -i eth1 -n ip host 65.188.xxx.xxx and not ether host 00:17:CB:4F:97:81

(replacing that with your gateway router's MAC address as determined from that ARP command, and xxx.xxx with your eth1 IP address as shown in `ifconfig eth1`)

this will catch all traffic between you and another IP on your ISP local segment thats NOT talking to the gateway router

paste 50 lines or so of the output of this here and maybe we can figure out whats going on.

OK, I think you lost me on that last part. I ran tcpdump -i eth1 -n ip host 65.188.0.1 and got:

Tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

0 packets captred 0 packets received by filter 0 packets dropped by kernel

Thanks!!

_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

no. he can subnet it

Typically ISP can assign /20. but client can subnet it

two networks /22 /22

or

16 networks /24

Thank you

John R Pierce pierce@hogranch.com wrote: chloe K wrote:

you have the network /20 so that you got this neigbour overlfow you should subnet it

no, no, NO. his eth1 connection is from his ISP. He /has/ to use the supplied netmask, he can't reconfigure their network segment.

now, why is ARP table is overflowing is another issue entirely.

Thomas, can you try this? Do....

arp -an | grep 65.188.0.1

and pick out the "MAC" address of your gateway router, this will look something like...

? (65.188.0.1) at 00:17:CB:4F:97:81 [ether] on eth1

So, the MAC address above is 00:17:CB:4F:97:81 ... yours definitely will be different.... now,

# tcpdump -i eth1 -n ip host 65.188.xxx.xxx and not ether host 00:17:CB:4F:97:81

(replacing that with your gateway router's MAC address as determined from that ARP command, and xxx.xxx with your eth1 IP address as shown in `ifconfig eth1`)

this will catch all traffic between you and another IP on your ISP local segment thats NOT talking to the gateway router

paste 50 lines or so of the output of this here and maybe we can figure out whats going on.

_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

--------------------------------- Instant message from any web browser! Try the new Yahoo! Canada Messenger for the Web BETA

On Mon, Dec 1, 2008 at 3:25 PM, chloe K chloekcy2000@yahoo.ca wrote:

...

John R Pierce pierce@hogranch.com wrote: chloe K wrote:

...

you have the network /20 so that you got this neigbour overlfow you should subnet it

no, no, NO. his eth1 connection is from his ISP. He /has/ to use the supplied netmask, he can't reconfigure their network segment.

no. he can subnet it

Typically ISP can assign /20. but client can subnet it

two networks /22 /22

or

16 networks /24

No, actually he CANNOT subnet it.

First the network segment wasn't assigned to him at all, he is 1 node in the ISP's network segment.

Second the ISP's default gateway is 65.188.0.1 and he can get any IP in that segment, which means if he tries for force segmentation on it he will most likely end up making his default route unreachable.

It is probably the result of a broadcast storm or some type of icmp flood attack on the segment.

Shorten the lifetime of the ARPs in the table for that interface and/or disable ARPs on that interface and set manual ARP entries for the routers.

-Ross

-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Robert Moskowitz Sent: Friday, November 28, 2008 12:20 PM To: CentOS mailing list Subject: Re: [CentOS] Neighbour table overflow

tdukes@sc.rr.com wrote:

---- Robert Moskowitz rgm@htt-consult.com wrote:

...

Thomas Dukes wrote:

...

*From:* centos-bounces@centos.org [mailto:centos-bounces@centos.org] *On Behalf Of *chloe K *Sent:* Thursday, November 27, 2008 9:10 PM *To:* CentOS mailing list *Subject:* Re: [CentOS] Neighbour table overflow

what is your netmask?

eth0 = 255.255.240.0

Why do you have such a large subnet? There are a number of potential performance problems with such a setup. I typically only see this in large, bridged wireless campuses. Little justification for it in a wired network. (I do have lots of networking experience and knowledge, having consulted with a number of large deployments).

Even with a large subnet, you should not be arping everywhere. Either two things are happening:

Your system is recording every ARP request it sees ('Who has IP x.x.x.x') to avoid arping later. Bad behaviour (IMNSHO), given your network.

Your system is ARPing for every IP address in the subnet to learn all of its neighbors. WHy would it do that? Unless you have some snooping software running on your system.

Hi Robert,

I did not set this value. Something did but not me.

I am on a roadrunner connection with a dynamic ip. What do you suggest I

change it to? You might not have much control over it if you are using DHCP.

route -n

Here's the output from route -n:

Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 65.188.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1 0.0.0.0 65.188.0.1 0.0.0.0 UG 0 0 0 eth0

will supply you with your router address. Once you now that and your assigned IP address (and lease) you can use ifconfig to change your netmask so that your router and you are in the same subnet.

What is the address also of your nameserver (/etc/resolv.conf) and mail server? If these are also within that hugh subnet, your netmask has to keep them 'local'.

My nameservers are: 24.25.5.149 and 24.25.5.150

Mailservers: 75.180.132.77 and 75.180.132.33

Roadrunner.... hmm.

_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Robert Moskowitz Sent: Friday, November 28, 2008 12:28 PM To: CentOS mailing list Subject: Re: [CentOS] Neighbour table overflow

tdukes@sc.rr.com wrote:

---- Robert Moskowitz rgm@htt-consult.com wrote:

...

Thomas Dukes wrote:

...

*From:* centos-bounces@centos.org [mailto:centos-bounces@centos.org] *On Behalf Of *chloe K *Sent:* Thursday, November 27, 2008 9:10 PM *To:* CentOS mailing list *Subject:* Re: [CentOS] Neighbour table overflow

what is your netmask?

eth0 = 255.255.240.0

Why do you have such a large subnet? There are a number of potential performance problems with such a setup. I typically only see this in large, bridged wireless campuses. Little justification for it in a wired network. (I do have lots of networking experience and knowledge, having consulted with a number of large deployments).

Even with a large subnet, you should not be arping everywhere. Either two things are happening:

Your system is recording every ARP request it sees ('Who has IP x.x.x.x') to avoid arping later. Bad behaviour (IMNSHO), given your network.

Your system is ARPing for every IP address in the subnet to learn all of its neighbors. WHy would it do that? Unless you have some snooping software running on your system.

Hi Robert,

I did not set this value. Something did but not me.

I am on a roadrunner connection with a dynamic ip. What do you suggest I

change it to?

If you restart your network services (Does RR use PPPoE?) you should then have an empty ARP table.

How long does it take to overflow? Can you run TCPDUMP and see if you are sending out the ARPs or your system is just building its table based on heard ARP requests?

It takes aout 5 -10 minutes before I see the messages. I don't know you meant by the last question. I ran TCPDUMP and page after page after page of stuff is scrolling.

_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ralph Angenendt Sent: Friday, November 28, 2008 4:41 AM To: centos@centos.org Subject: Re: [CentOS] Neighbour table overflow

Thomas Dukes wrote:

Any ideas?

How many entries do you have in the arp table?

"arp -a | wc -l" should show you. If you really have lots of entries in there you should try to find out the reason for that.

Ralph

When I ran the above, I'm not sure I'm getting a correct response. It takes serval miuntes then returns: Printk: 100 messages suppressed Neighbour table overflow Printk: 15 messages suppressed 3

This looks like the errors except for the '3'.

Thanks

-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Filipe Brandenburger Sent: Friday, November 28, 2008 12:44 PM To: CentOS mailing list Subject: Re: [CentOS] Neighbour table overflow

Hi,

On Fri, Nov 28, 2008 at 07:20, Thomas Dukes tdukes@sc.rr.com wrote:

When I ran the above, I'm not sure I'm getting a correct response. It takes serval miuntes then returns: Printk: 100 messages suppressed Neighbour table overflow Printk: 15 messages suppressed 3

It looks like you have only 3 lines in your arp table, so it's really hard to understand how it would overflow from that.

What does the output of "arp -a" look like?

You can also look at: cat /proc/net/arp

Please post the output of: sysctl -a | grep neigh

Do you have IPv6 enabled?

Filipe

Hi Filipe,

The output from sysctl -a | grep neigh is:

net.ipv6.neigh.eth1.locktime = 0 net.ipv6.neigh.eth1.proxy_delay = 79 net.ipv6.neigh.eth1.anycast_delay = 99 net.ipv6.neigh.eth1.proxy_qlen = 64 net.ipv6.neigh.eth1.unres_qlen = 3 net.ipv6.neigh.eth1.gc_stale_time = 60 net.ipv6.neigh.eth1.delay_first_probe_time = 5 net.ipv6.neigh.eth1.base_reachable_time = 30 net.ipv6.neigh.eth1.retrans_time = 1000 net.ipv6.neigh.eth1.app_solicit = 0 net.ipv6.neigh.eth1.ucast_solicit = 3 net.ipv6.neigh.eth1.mcast_solicit = 3 net.ipv6.neigh.eth0.locktime = 0 net.ipv6.neigh.eth0.proxy_delay = 79 net.ipv6.neigh.eth0.anycast_delay = 99 net.ipv6.neigh.eth0.proxy_qlen = 64 net.ipv6.neigh.eth0.unres_qlen = 3 net.ipv6.neigh.eth0.gc_stale_time = 60 net.ipv6.neigh.eth0.delay_first_probe_time = 5 net.ipv6.neigh.eth0.base_reachable_time = 30 net.ipv6.neigh.eth0.retrans_time = 1000 net.ipv6.neigh.eth0.app_solicit = 0 net.ipv6.neigh.eth0.ucast_solicit = 3 net.ipv6.neigh.eth0.mcast_solicit = 3 net.ipv6.neigh.lo.locktime = 0 net.ipv6.neigh.lo.proxy_delay = 79 net.ipv6.neigh.lo.anycast_delay = 99 net.ipv6.neigh.lo.proxy_qlen = 64 net.ipv6.neigh.lo.unres_qlen = 3 net.ipv6.neigh.lo.gc_stale_time = 60 net.ipv6.neigh.lo.delay_first_probe_time = 5 net.ipv6.neigh.lo.base_reachable_time = 30 net.ipv6.neigh.lo.retrans_time = 1000 net.ipv6.neigh.lo.app_solicit = 0 net.ipv6.neigh.lo.ucast_solicit = 3 net.ipv6.neigh.lo.mcast_solicit = 3 net.ipv6.neigh.default.gc_thresh3 = 1024 net.ipv6.neigh.default.gc_thresh2 = 512 net.ipv6.neigh.default.gc_thresh1 = 128 net.ipv6.neigh.default.gc_interval = 30 net.ipv6.neigh.default.locktime = 0 net.ipv6.neigh.default.proxy_delay = 79 net.ipv6.neigh.default.anycast_delay = 99 net.ipv6.neigh.default.proxy_qlen = 64 net.ipv6.neigh.default.unres_qlen = 3 net.ipv6.neigh.default.gc_stale_time = 60 net.ipv6.neigh.default.delay_first_probe_time = 5 net.ipv6.neigh.default.base_reachable_time = 30 net.ipv6.neigh.default.retrans_time = 1000 net.ipv6.neigh.default.app_solicit = 0 net.ipv6.neigh.default.ucast_solicit = 3 net.ipv6.neigh.default.mcast_solicit = 3 net.ipv4.neigh.eth1.locktime = 99 net.ipv4.neigh.eth1.proxy_delay = 79 net.ipv4.neigh.eth1.anycast_delay = 99 net.ipv4.neigh.eth1.proxy_qlen = 64 net.ipv4.neigh.eth1.unres_qlen = 3 net.ipv4.neigh.eth1.gc_stale_time = 60 net.ipv4.neigh.eth1.delay_first_probe_time = 5 net.ipv4.neigh.eth1.base_reachable_time = 30 net.ipv4.neigh.eth1.retrans_time = 99 net.ipv4.neigh.eth1.app_solicit = 0 net.ipv4.neigh.eth1.ucast_solicit = 3 net.ipv4.neigh.eth1.mcast_solicit = 3 net.ipv4.neigh.eth0.locktime = 99 net.ipv4.neigh.eth0.proxy_delay = 79 net.ipv4.neigh.eth0.anycast_delay = 99 net.ipv4.neigh.eth0.proxy_qlen = 64 net.ipv4.neigh.eth0.unres_qlen = 3 net.ipv4.neigh.eth0.gc_stale_time = 60 net.ipv4.neigh.eth0.delay_first_probe_time = 5 net.ipv4.neigh.eth0.base_reachable_time = 30 net.ipv4.neigh.eth0.retrans_time = 99 net.ipv4.neigh.eth0.app_solicit = 0 net.ipv4.neigh.eth0.ucast_solicit = 3 net.ipv4.neigh.eth0.mcast_solicit = 3 net.ipv4.neigh.lo.locktime = 99 net.ipv4.neigh.lo.proxy_delay = 79 net.ipv4.neigh.lo.anycast_delay = 99 net.ipv4.neigh.lo.proxy_qlen = 64 net.ipv4.neigh.lo.unres_qlen = 3 net.ipv4.neigh.lo.gc_stale_time = 60 net.ipv4.neigh.lo.delay_first_probe_time = 5 net.ipv4.neigh.lo.base_reachable_time = 30 net.ipv4.neigh.lo.retrans_time = 99 net.ipv4.neigh.lo.app_solicit = 0 net.ipv4.neigh.lo.ucast_solicit = 3 net.ipv4.neigh.lo.mcast_solicit = 3 net.ipv4.neigh.default.gc_thresh3 = 1024 net.ipv4.neigh.default.gc_thresh2 = 512 net.ipv4.neigh.default.gc_thresh1 = 256 net.ipv4.neigh.default.gc_interval = 30 net.ipv4.neigh.default.locktime = 99 net.ipv4.neigh.default.proxy_delay = 79 net.ipv4.neigh.default.anycast_delay = 99 net.ipv4.neigh.default.proxy_qlen = 64 net.ipv4.neigh.default.unres_qlen = 3 net.ipv4.neigh.default.gc_stale_time = 60 net.ipv4.neigh.default.delay_first_probe_time = 5 net.ipv4.neigh.default.base_reachable_time = 30 net.ipv4.neigh.default.retrans_time = 99 net.ipv4.neigh.default.app_solicit = 0 net.ipv4.neigh.default.ucast_solicit = 3 net.ipv4.neigh.default.mcast_solicit = 3

Thanks,

Eddie _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos