We had an incident recently that caused one of our Solaris 10 servers to send continues gratuitous arp requests when a server with the same ip address connected to the network. This almost brought down the whole network because the switches could not handle the amount of traffic being sent by the server. Here are the particulars of the server:
$ uname -a
SunOS host1 5.10 Generic_144488-08 sun4u sparc SUNW,Sun-Fire-V240
$ cat /etc/release
Solaris 10 10/09 s10s_u8wos_08a SPARC
Apr 19 12:18:12 pebble1xl ip: [ID 876157 kern.warning] WARNING: node 00:11:85:ba:48:c6 is using our IP address XXX.XXX.XXX.XXX on bge0
Apr 19 12:22:47 pebble1xl last message repeated 1480980 times
Apr 19 12:22:47 pebble1xl ip: [ID 567813 kern.warning] WARNING: bge0 has duplicate address XXX.XXX.XXX.XXX (claimed by 00:11:85:ba:48:c6); disabled
Apr 19 12:22:47 pebble1xl ip: [ID 636139 kern.notice] NOTICE: recovered address XXX.XXX.XXX.XXX on bge0
Apr 19 12:22:47 pebble1xl ip: [ID 567813 kern.warning] WARNING: bge0 has duplicate address XXX.XXX.XXX.XXX (in use by 00:11:85:ba:48:c6); disabled
Here is what a snoop found out:
14:40:16.719015 arp who-has host1.rjf.com (Broadcast) tell host1.rjf.com
This message was repeated thousands of times per second.
As you can tell from the /var/adm/messages file the message indicating that a server was using the IP address was repeated over a million times in 4 minutes and then the interface was disabled.
My question is why did it send out so many requests that it caused an arp storm and if this is a normal behavior, how do I throttle down the number of messages so as not to flood the network with these arp requests? Is this a behavior of the NIC or Solaris 10?
We found the culprit and fixed the problem but if this occurs again, we do not want the network to be flooded with messages.