Windows 2008 R2 Servers Sending Arp Requests for IPs outside Subnet
- by Kyle Brandt
By running a packet capture on my my routers I see some of my servers sending ARP requests for IPs that exist outside of its network.
For example if my network is:
Network: 8.8.8.0/24
Gateway: 8.8.8.1 (MAC: 00:21:9b:aa:aa:aa)
Example Server: 8.8.8.20 (MAC: 00:21:9b:bb:bb:bb)
By running a capture on the interface that has 8.8.8.1 I see requests like:
Sender Mac: 00:21:9b:bb:bb:bb
Sender IP: 8.8.8.20
Target MAC: 00:21:9b:aa:aa:aa
Target IP: 69.63.181.58
Anyone seen this behavior before? My understanding of ARP is that requests should only go out for IPs within the subnet... Am I confused in my understanding of ARP? If I am not confused, anyone seen this behavior?
Also, these seem to happen in bursts and it doesn't happen when I do something like ping an IP outside of the network.
Update:
In response to Ian's questions. I am not running anything like Hyper-V. I have multiple interfaces but only one is active (Using BACS failover teaming). The subnet mask is 255.255.255.0 (Even if it were something different it wouldn't explain an IP like 69.63.181.58).
When I run MS Network Monitor or wireshark I do not see these ARP requests. What happens is that on the router capturing I see a burst of about 10 requests for IPs outside of the network from the host machine. On the machine itself using wireshark or NetMon I see a flood of ARP responses for all the machines on the network. However, I don't see any requests in the capture asking for those responses.
So it seems like maybe it is maybe refreshing the arp cache but including IPs that outside of the network. Also when it does this NetMon doesn't show the ARP requests?