ARP table is approaching its limits: Check Point Firewalls Configuration Alert Guide

This is a real-life sample alert from the indeni configuration alert guide for Check Point Firewalls.

Description:

The device’s ARP cache is approaching its limit. Currently, there are 2046 entries in the ARP cache, while the limit is 2048 (99.0% is in use). The device is approaching a situation where some ARP entries will not be entered into the ARP table or some entries will be removed prematurely. Network connectivity will be affected.

To learn more about what is causing this, read about ARP Neighbour Overflow on blog.lachmann.org.

indeni will re-check this alert every 1 minute. If indeni determines the issue has been resolved, it will automatically be flagged as such.

Manual Remediation Steps:

Identify the cause of the large ARP cache. If it is due to a legitimate cause, such as a high number of hosts visible on the available networks, you should double the values of each of the following sysctl parameters:
net.ipv4.neigh.default.gc_thresh1
net.ipv4.neigh.default.gc_thresh2
net.ipv4.neigh.default.gc_thresh3
This can be done by updating /etc/sysctl.conf with the new values (the old ones are accessible by executing cat /proc/sys/net/ipv4/neigh/default/gc_thresh*) and running sysctl -p.

For more information please read SK43772.

How does this alert work?

indeni continuously monitors the values of the gc_thresholds mentioned above as well as the size of the ARP table (counting the number of entries resulting from “arp -an”). If the number of ARP entries is at least 80% of the total number of entries allowed, indeni alerts. indeni does NOT rely on the log message “Neighbor table overflow” as that tends to be too late – traffic is already lost at that point.
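The check described above, reproduced as an added shell example (this is not indeni's own code): it counts entries in constructed "arp -an" output, compares the count with the hard limit, and emits the doubled sysctl lines the remediation step asks for. It assumes the "total number of entries allowed" is net.ipv4.neigh.default.gc_thresh3, and the sample values (4 as the limit, 128/512/1024 as current thresholds) are constructed for the offline run.

```shell
#!/bin/sh
# Added example, not indeni's check: alert logic for "ARP table is
# approaching its limits" driven by constructed input so it runs offline.

# Constructed sample of "arp -an" output (3 entries, one still incomplete).
SAMPLE_ARP='? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.2) at 00:11:22:33:44:66 [ether] on eth0
? (10.0.0.3) at <incomplete> on eth1'

# Count ARP entries the way the alert does: one per line of "arp -an".
# "|| true" keeps a zero count from aborting a script run under set -e.
count_arp_entries() {
    printf '%s\n' "$1" | grep -c '^? (' || true
}

# Percentage of the hard limit (assumed to be gc_thresh3) in use, rounded down.
arp_usage_pct() {   # $1 = entries, $2 = gc_thresh3
    echo $(( $1 * 100 / $2 ))
}

# Succeeds (exit 0) when usage is at or above the 80% line that triggers the alert.
arp_alert() {       # $1 = entries, $2 = gc_thresh3
    [ "$(arp_usage_pct "$1" "$2")" -ge 80 ]
}

# Remediation: the three gc_thresh lines with values doubled, ready for /etc/sysctl.conf.
doubled_sysctl_lines() {  # $1 $2 $3 = current gc_thresh1 gc_thresh2 gc_thresh3
    printf 'net.ipv4.neigh.default.gc_thresh1 = %d\n' $(( $1 * 2 ))
    printf 'net.ipv4.neigh.default.gc_thresh2 = %d\n' $(( $2 * 2 ))
    printf 'net.ipv4.neigh.default.gc_thresh3 = %d\n' $(( $3 * 2 ))
}

# On a live box replace the constructed values with real ones, e.g.
#   entries=$(count_arp_entries "$(arp -an)")
#   read limit < /proc/sys/net/ipv4/neigh/default/gc_thresh3
entries=$(count_arp_entries "$SAMPLE_ARP")
limit=4
echo "entries=$entries limit=$limit usage=$(arp_usage_pct "$entries" "$limit")%"
if arp_alert "$entries" "$limit"; then
    echo "ALERT: ARP table is approaching its limit"
fi
doubled_sysctl_lines 128 512 1024
```

With the page's own numbers (2046 entries, limit 2048) arp_usage_pct returns 99, which is above the 80% line and would raise the alert.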
