
Look to the ARP Cache when troubleshooting flaky connectivity issues

James Wright shows how the ARP Cache, now called the Neighbor Cache in Windows Server 2008, can often be the key in troubleshooting any inconsistent connectivity issues.

In today's post we are going to talk about managing the ARP Cache on Windows Server 2008. In the newest version of Microsoft's Server OS the ARP Cache is now called the Neighbor Cache, and though it operates a little differently than in previous versions of Server, it still provides the same basic functionality. Next, we should briefly go over what ARP is and why it is important.

ARP (Address Resolution Protocol) is the portion of the TCP/IP Stack that maps IP Addresses to MAC Addresses. It is like the Yin to DNS' Yang, if you will. When a system call is made to a DNS Hostname, the request is first passed through DNS to get the IP Address for the Hostname. Then the IP Address is passed through the local ARP Cache to get the MAC Address for the device. If the ARP mapping cannot be resolved locally, an ARP Request is sent out. Layer 3 Switches and Routers store their own ARP Caches, which are managed separately.

What are some clues that you may have a corrupt or incorrect entry in the Neighbor Cache? Look for inconsistent ICMP Request responses when testing connectivity, and "Web Site cannot be displayed" errors for a particular site when you know this site is up and running. Basically, the Neighbor Cache should be a suspect in any inconsistent connectivity issue to a system that is known to be up and running, once the DNS Records have been confirmed to be correct.

The ARP Cache (Neighbor Cache) can contain two basic types of entries: Permanent entries (Static entries) and Dynamic entries. Dynamic entries will be shown as Incomplete, Reachable, Stale, Delay or Probe. It is recommended that you use Dynamic entries by default, though there are some instances where a Static entry is advised. An example would be when decommissioning a server and replacing it with another server sharing the old DNS Name and IP Address. In this instance, you may consider using a temporary static mapping for the new server in your Router ARP Tables. Then delete the old ARP Cache on your servers.

To view the Neighbor (ARP) Cache on a Windows Server 2008 box go to a Command Line and enter one of the following commands:

NETSH INTERFACE IPv4 SHOW NEIGHBORS
ARP -a

To delete the existing non-permanent ARP Cache entries on a Windows 2008 Server, use the following:

NETSH INTERFACE IPv4 DELETE NEIGHBORS

Or you can use:

ARP -d *

To add a permanent ARP Cache (Neighbor Cache) entry use one of the following:

NETSH INTERFACE IPv4 ADD NEIGHBORS InterfaceNameOrIndex IPAddress MACAddress STORE=ACTIVE|PERSISTENT
ARP -s IPAddress MACAddress InterfaceAddress
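
The Python script below is an added example, not part of the original article or of any Microsoft tooling. It parses saved output of NETSH INTERFACE IPv4 SHOW NEIGHBORS, flags entries whose cached MAC Address differs from the one you expect (the replaced-server case above), and lists the Permanent entries for review. The SAMPLE output and the EXPECTED table are constructed for illustration.

```python
import re

# Constructed sample of NETSH INTERFACE IPv4 SHOW NEIGHBORS output (not from a real host).
SAMPLE = """\
Interface 11: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
192.168.1.1                                   00-1a-2b-3c-4d-5e  Reachable
192.168.1.20                                  00-50-56-aa-bb-01  Stale
192.168.1.30                                  00-50-56-aa-bb-02  Permanent
192.168.1.255                                 ff-ff-ff-ff-ff-ff  Permanent
224.0.0.22                                    01-00-5e-00-00-16  Permanent
"""

# Hypothetical baseline: the MAC each IP should have (192.168.1.20 was replaced).
EXPECTED = {"192.168.1.1": "00-1A-2B-3C-4D-5E", "192.168.1.20": "00-50-56-AA-BB-99"}

IFACE = re.compile(r"^Interface\s+(\d+):")
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\S.*)$")

def parse_neighbors(text):
    """Turn the command output into a list of dicts, tracking the interface index."""
    entries, iface = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := IFACE.match(line)):
            iface = int(m.group(1))
        elif (m := ROW.match(line)):
            ip, mac, state = m.groups()
            entries.append({"if": iface, "ip": ip, "mac": mac.lower(), "state": state})
    return entries

def is_group_mac(mac):
    # Broadcast and multicast MACs have the low bit of the first octet set.
    return int(mac[:2], 16) & 1 == 1

def review(entries, expected):
    """Return (mismatches, permanent): wrong MACs versus baseline, and static unicast entries."""
    mismatches, permanent = [], []
    for e in entries:
        if is_group_mac(e["mac"]):
            continue  # entries Windows adds itself, not host mappings
        want = expected.get(e["ip"])
        if want and want.lower() != e["mac"]:
            mismatches.append((e["ip"], e["mac"], want.lower(), e["state"]))
        if e["state"].startswith("Permanent"):
            permanent.append((e["ip"], e["mac"]))
    return mismatches, permanent

if __name__ == "__main__":
    bad, static = review(parse_neighbors(SAMPLE), EXPECTED)
    for ip, got, want, state in bad:
        print(f"MISMATCH {ip}: cache has {got} ({state}), expected {want}")
    for ip, mac in static:
        print(f"PERMANENT {ip} -> {mac} (confirm it is still wanted)")
```
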

Summary:

Neighbor Cache (ARP Cache to us old guys) is a crucial, and often overlooked, component of networking. Having incorrect entries, or a corrupt cache, can cause flaky, inconsistent connectivity on your servers to certain addresses. This can be especially true when a NIC on a server fails over to a second NIC with a different MAC Address. Whenever I am troubleshooting network connectivity on a Windows Server, and the answer eludes my troubleshooting, I will review the Permanent mappings in this cache and delete the dynamic entries and let them rebuild themselves.

To review the ARP Cache on most Cisco Routers use the show arp command in EXEC mode. To review the ARP Cache on many Cisco Switches use the show mac-address-table command.

About

James Wright is a veteran IT professional who has spent the majority of his career as a Systems Administrator. James has also served as a Systems Analyst, Helpdesk Senior Technician and as a Programmer Analyst. This range of experience has allowed hi...

3 comments
alan_stiver

The "show mac-address-table" command on Layer 2 switches maps mac addresses to switch ports. It does not map ip addresses to mac addresses. Still useful, but for a different purpose. In a similar way, the arp table on a Layer 3 switch won't tell you what physical port the device is found on, just the vlan.

delphi9_1971

When looking at the ARP cache, remember that the ARP cache is only relevant to the local subnet. Hosts that are reachable across a router in a different subnet are reached using the arp cache entry for the server's default gateway. Also, in the purest sense switches are layer 2 and ARP is a layer 3 protocol. The "show mac-address-table" command does not show a switch's arp cache. It shows the switch's forwarding table. You will not find IP addresses listed in the output of this command. In most layer 2 switches you will still find a "show arp" command but this will only show you the arp cache for the VLAN that the Management IP is a member of and it will only show you entries for hosts that have connected to the switch's Management IP. You will not see all hosts in that VLAN. A layer 3 switch will use the same "show arp" command to show the arp cache and the "show mac-address-table" command to show the forwarding table. Layer 3 switches may have more entries depending on how routing and the management VLANs are configured.

jawright

I appreciate your comments and I did misput "show mac-address-table" when I meant "show arp". Great catch!