ARP requests from mikroik to non existing IP

n00b1 · October 14, 2018, 6:50am

Hello all,

Soon I used tcpdump and found that there are permanent ARP requests from my mikrotik searching for the following address : 192.168.1.2.
This IP was used long time ago as remote syslog server (rsyslog) , but it's not used anymore , and this IP is not existing.
....
09:26:03.581857 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell mikortik, length 46
....
I also removed system logging action which points to this IP address. So , mikrotik is not sending anymore UDP packages to this address.

Also this can't be cleared in the arp table at all:

[admin@MikroTik] > ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete

ADDRESS MAC-ADDRESS INTERFACE

3 D 192.168.1.2 bridge-local

When I set this to static , arp requests stops.

[admin@MikroTik] > /system routerboard print
routerboard: yes
model: 951G-2HnD
current-firmware: 6.43.2
upgrade-firmware: 6.43.2

Maybe I miss something ?

Any help would be greatly appreciated

Cheers

sindy · October 14, 2018, 10:23am

I would use /tool sniffer (as it is easier than to set up an external sniffer), set the static arp, and then see what the Mikrotik sends to that address in the sniffer output. You even don’t need to write into file if you set /tool sniffer set filter-ip-address=192.168.1.2, then /tool sniffer start, and then /tool sniffer packet print detail interval=1s to watch the result appear. I assume the address to be either configured as something else than logging action destination (dns, smtp server, snmp trap destination), or the now-deleted logging action to use TCP (such as where logging action target is set to email) and still have something in the buffer what was could not be delivered. From the destination port and protocol (tcp/udp) found in the sniff, you should be able to find out which case is relevant. Unless I’ve missed something, Mikrotik doesn’t support syslog over tcp so if it was the regular syslog over UDP, the buffer would have to get empty once you’ve set the static arp record for the first time, so new data to be sent would have to appear to make it send the ARP again and again. If the Mikrotik gets its IP configuration using DHCP, don’t forget that the DHCP server may provide it with DNS server addresses, NTP server addresses, …

n00b1 · October 16, 2018, 6:13am

I found the issue
I used tcpdump and found UDP packets , port 2055. Checked in google and saw that this is netflow.
There was a netflow enabled on the router and this IP was a target.
Аfter disabling this rule , there are no more requests , and also this аддресс disappeared in the ARP table.

Thank you for your suggestion sindy.