
Look to the ARP Cache when troubleshooting flaky connectivity issues

James Wright shows how the ARP Cache, now called the Neighbor Cache in Windows Server 2008, can often be the key in troubleshooting any inconsistent connectivity issues.

In today's post we are going to talk about managing the ARP Cache on Windows Server 2008. In the newest version of Microsoft's Server OS the ARP Cache is now called the Neighbor Cache, and though it operates a little differently than in previous versions of Server, it still provides the same basic functionality. Next, we should briefly go over what ARP is and why it is important.

ARP (Address Resolution Protocol) is the portion of the TCP/IP Stack that maps IP Addresses to MAC Addresses. It is like the Yin to DNS' Yang, if you will. When a system call is made to a DNS Hostname, the request is first passed through DNS to get the IP Address for the Hostname. Then the IP Address is passed through the local ARP Cache to get the MAC Address for the device. If the ARP mapping cannot be resolved locally, an ARP Request is sent out. Layer 3 Switches and Routers store their own ARP Caches, which are managed separately.

What are some clues that you may have a corrupt or incorrect entry in the Neighbor Cache? Two common ones are inconsistent ICMP Request responses when testing connectivity, and "Web Site cannot be displayed" errors for a particular site when you know that site is up and running. Basically, the Neighbor Cache should be a suspect in any inconsistent connectivity issue to a system that is known to be up and running, once the DNS Records have been confirmed to be correct.

The ARP Cache (Neighbor Cache) can contain two basic types of entries: Permanent entries (Static entries) and Dynamic entries. Dynamic entries will be shown as Incomplete, Reachable, Stale, Delay or Probe. It is recommended that you use Dynamic entries by default, though there are some instances where a Static entry is advised. An example would be when decommissioning a server and replacing it with another server sharing the old DNS Name and IP Address. In this instance, you may consider using a temporary static mapping for the new server in your Router ARP Tables. Then delete the old ARP Cache on your servers.

To view the Neighbor (ARP) Cache on a Windows Server 2008 box go to a Command Line and enter one of the following commands:

NETSH INTERFACE IPv4 SHOW NEIGHBORS
ARP -a

To delete the existing non-permanent ARP Cache entries on a Windows 2008 Server, use the following:

NETSH INTERFACE IPv4 DELETE NEIGHBORS

Or you can use:

ARP -d *

To add a permanent ARP Cache (Neighbor Cache) entry use one of the following:

NETSH INTERFACE IPv4 ADD NEIGHBORS InterfaceNameOrIndex IPAddress MACAddress STORE=ACTIVE|PERSISTENT
ARP -s IPAddress MACAddress InterfaceAddress

Summary:

Neighbor Cache (ARP Cache to us old guys) is a crucial, and often overlooked, component of networking. Having incorrect entries, or a corrupt cache, can cause flaky, inconsistent connectivity on your servers to certain addresses. This can be especially true when a NIC on a server fails over to a second NIC with a different MAC Address. Whenever I am troubleshooting network connectivity on a Windows Server, and the answer eludes my troubleshooting, I will review the Permanent mappings in this cache and delete the dynamic entries and let them rebuild themselves.
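As an added example (not part of the original article), the following Python script parses saved ARP -a output and reports entries whose MAC Address disagrees with a known-good inventory, as happens after a server replacement or NIC failover, plus any unicast MAC that the cache maps to more than one IP Address. The sample output, addresses and inventory are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (addresses are made up).
SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-50-56-aa-bb-01     dynamic
  192.168.1.30          00-50-56-aa-bb-02     static
  192.168.1.40          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

IFACE = re.compile(r"^Interface:\s+(\S+)")
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def parse_arp(text):
    """Return a list of (interface_ip, ip, mac, entry_type) rows."""
    rows, iface = [], None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif (m := ROW.match(line)) and iface:
            rows.append((iface, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return rows

def mismatches(rows, expected):
    """Entries whose MAC differs from the known-good {ip: mac} inventory."""
    return [(ip, mac, expected[ip].lower(), kind)
            for _, ip, mac, kind in rows
            if ip in expected and expected[ip].lower() != mac]

def shared_macs(rows):
    """Unicast MACs that the cache maps to more than one IP on an interface."""
    seen = defaultdict(list)
    for iface, ip, mac, _ in rows:
        if not int(mac[:2], 16) & 1:      # skip broadcast/multicast MACs
            seen[(iface, mac)].append(ip)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    # Hypothetical inventory: 192.168.1.20 was replaced by a new server/NIC.
    inventory = {"192.168.1.20": "00-50-56-AA-BB-99", "192.168.1.1": "00-1A-2B-3C-4D-5E"}
    rows = parse_arp(SAMPLE)
    print("Stale or wrong:", mismatches(rows, inventory))
    print("Shared MACs:", shared_macs(rows))
```

A MAC shared by several IP Addresses is not always a fault (a router answering for remote hosts looks the same), so treat that report as a list of entries to verify rather than to delete blindly.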

To review the ARP Cache on most Cisco Routers use the show arp command in EXEC mode. To review the ARP Cache on many Cisco Switches use the show mac-address-table command.

About

James Wright is a veteran IT professional who has spent the majority of his career as a Systems Administrator. James has also served as a Systems Analyst, Helpdesk Senior Technician and as a Programmer Analyst. This range of experience has allowed hi...
