Network flooded with ARP requests

networking tcpdump

I am having networking problems on a virtual Debian server. The VPS provider I think may be the cause of these network problems as it's a fairly new/fairly standard Debian install. However, as their technical support is useless, I'm trying to determine the cause of the network problems partially to prove that it isn't my mis-configuration and partially so I can direct their technical support vaguely in the right direction so I don't keep getting e-mails back telling me "it looks fine to us".

I actually have 2 virtual servers with this host. One is fine, the other frequently requires me to reboot the network otherwise I can't get any external connections (either in or out) and internal connections are dog slow.

I ran a tcpdump on the problem machine showing everything except my own ssh traffic, and the majority of the return was this, repeated over and over:

09:49:43.328322 ARP, Request who-has xxx.xxx.xxx.1 tell xxx.xxx.xxx.20, length 42
09:49:43.365528 ARP, Request who-has xx.xxx.xx.184 tell xx.xxx.xx.1, length 46
09:49:43.365662 ARP, Request who-has xxx.xxx.xxx.114 tell xxx.xxx.xxx.1, length 46
09:49:43.365760 ARP, Request who-has xx.xxx.xx.159 tell xx.xxx.xx.1, length 46
09:49:43.450859 ARP, Request who-has xx.xxx.xx.205 tell xx.xxx.xx.1, length 46
09:49:43.711473 ARP, Request who-has xx.xxx.xx.253 tell xx.xxx.xx.1, length 46
09:49:43.761538 ARP, Request who-has xx.xxx.xx.187 tell xx.xxx.xx.1, length 46
09:49:43.806078 ARP, Request who-has xx.xxx.xx.204 tell xx.xxx.xx.1, length 46
09:49:43.929437 ARP, Request who-has xx.xxx.xx.180 tell xx.xxx.xx.1, length 46
09:49:44.122110 ARP, Request who-has xxx.xxx.xxx.94 tell xxx.xxx.xxx.1, length 46
09:49:44.148619 ARP, Request who-has xx.xxx.xx.202 tell xx.xxx.xx.1, length 46
09:49:44.203619 ARP, Request who-has xx.xxx.xx.185 tell xx.xxx.xx.1, length 46
09:49:44.263640 ARP, Request who-has xx.xxx.xx.249 tell xx.xxx.xx.1, length 46
09:49:44.296925 ARP, Request who-has xx.xxx.xx.241 tell xx.xxx.xx.1, length 46

I ran a tcpdump on the other machine (the one that seems fine) and got back the same result. So perhaps this isn't the cause? If the other one is seemingly fine. Although I'm pretty sure having a constant stream of ARP requests isn't healthy?

If anyone can please tell me more on what these ARP requests are and whether they're likely to be causing problems – also anything else I should check to try and diagnose the problem further.

Thanks

Best Answer

This is pretty normal for an Ethernet network and most likely a red herring. xx.xxx.xx.1 is most likely checking if hosts are still connected to the network. This can be done for many reasons, such as clearing up space in the DHCP lease database, checking for IP conflicts, network monitoring and such. A few ARP requests a second is not a problem. If you are dealing with a proper ARP flood you will typically see 10k+ ARP packets a second.

So you will probably have to look elsewhere for the source of your network problem.
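One way to put a number on the capture is to count ARP requests per second and per sender and compare the peak with the 10k/s figure from the answer. This is an added example, not part of the original question or answer; it assumes tcpdump's default one-line text output, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the capture above (documentation addresses).
SAMPLE = """\
09:49:43.328322 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 42
09:49:43.365528 ARP, Request who-has 192.0.2.184 tell 192.0.2.1, length 46
09:49:43.365662 ARP, Request who-has 192.0.2.114 tell 192.0.2.1, length 46
09:49:43.450859 ARP, Request who-has 192.0.2.205 tell 192.0.2.1, length 46
09:49:44.122110 ARP, Request who-has 192.0.2.94 tell 192.0.2.1, length 46
09:49:44.148619 ARP, Request who-has 192.0.2.184 tell 192.0.2.1, length 46
09:49:44.200000 IP 192.0.2.20.443 > 192.0.2.99.51000: Flags [.], length 0
"""

# tcpdump's one-line ARP request summary; the "(...)" after the target is optional.
ARP_REQ = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has (\S+)(?: \([^)]*\))? "
    r"tell ([^,\s]+), length \d+"
)
FLOOD_PPS = 10_000  # "10k+ ARP packets a second", the figure given in the answer


def arp_summary(capture_text, flood_pps=FLOOD_PPS):
    """Summarise ARP request rate and senders from tcpdump text output."""
    per_second = Counter()
    requests_by_sender = Counter()
    targets_by_sender = defaultdict(set)
    for line in capture_text.splitlines():
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # anything that is not an ARP request is ignored
        second, target, sender = m.groups()
        per_second[second] += 1
        requests_by_sender[sender] += 1
        targets_by_sender[sender].add(target)
    peak = max(per_second.values(), default=0)
    return {
        "total": sum(per_second.values()),
        "peak_per_second": peak,
        "flood": peak >= flood_pps,
        # sender -> (requests sent, distinct addresses asked about)
        "senders": {s: (n, len(targets_by_sender[s]))
                    for s, n in requests_by_sender.most_common()},
    }


if __name__ == "__main__":
    print(arp_summary(SAMPLE))
```

A single sender asking about many distinct addresses at a few requests per second matches the gateway behaviour described in the answer; a peak in the thousands per second would be the flood case.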
