I have a real odd situation when upgrading the network hardware in our office. I'm replacing a couple of small unmanaged switches and installing some web-managed switches. The network is flat and consists of about 60 Windows XP, 7 and 2008 hosts.

The existing switches consist of a TRENDnet GB switch with an uplink to two Netgear 10/100 switches. I installed a Dell web-managed 48-port GB switch, with an uplink to the TRENDnet. After a short time, but sometimes days, the Dell switch will stop passing traffic on a random number of ports. The ports are dispersed around the switch and moving the Ethernet cable to another port will not correct the issue.

I can only correct it by installing the Netgear 10/100 switches back on the TRENDnet switch and then moving the failed connections, 10 maybe sometimes more, to another switch. I've replaced the Dell 3 times. The first time I thought it could be the switch. The second time I tried the switch in both managed mode and unmanaged mode, the third time we updated the firmware on the switch. All three times the situation is the same: after some time, ports on the Dell switch will not pass traffic. Some will still continue to operate normally while others do not.

Now when this happens the client shows it's connected but has no access; even setting a fixed IP does not help. The ports on the switch appear normal, lights are on and blinking, but you can't ping or access any other client on the network. If you move the connection to another switch, it comes up immediately.

Prior to replacing the 3rd Dell switch I ran Wireshark on a laptop connected to the switch. I could not see any traffic that did not seem normal; typical ack, nack, DNS and ARP queries but nothing that stood out as unusual. I recently installed an HP ProCurve 1800 GB switch, to replace the Dell, but it soon did the same as the Dell.

I'm hoping, if you read this far, someone might have a few suggestions as to how I might use / connect Wireshark in such a way as to help identify the cause of this very unusual behavior.

Thanks!!

asked 24 Jan '13, 07:56

mattinnc


This has the typical ring to it that usually comes with problems caused by having loops on the network, often related to the Spanning Tree configuration. If you capture on your network, did you see any spanning tree frames? You can filter on them using "stp", which results in BPDU frames showing up. If you do get those - they should show up every 2 seconds (or another regular interval) and they should always be exactly the same. If they're not, or if a "topology change" is flagged, you might be in trouble - "might be" because spanning tree frames can also indicate harmless events.

answered 24 Jan '13, 08:37

Jasper ♦♦

Jasper,

Thanks for posting. I did not remember seeing any STP packets but I wish I had kept the capture. I initially thought the same thing; however, when using the new switches in unmanaged mode, I would not think they would be affected by spanning tree. Also, the one time I had the Dell switch in managed mode I did turn off spanning tree and did not see any different behavior.

I'll be installing another HP ProCurve and although it does not support STP, I'm hoping I can mirror the ports and see what is happening.

(24 Jan '13, 09:30) mattinnc

Jasper

Thanks for the post. I did see some STP frames but nothing excessive. They were coming from the Cisco router. Interestingly, I installed a new HP switch and so far have not seen any issue, although I'm not confident it's solved. When some clients lose connectivity it appears as though they are connected but no traffic is seen from the NIC. If it comes up again I'll check the ARP cache and see if it gives me a clue.

(30 Jan '13, 09:18) mattinnc

Some ideas. It could be an STP misconfig (filter BPDU somewhere). Try to turn on STP on every device and every port. Have seen a real nightmare when a customer looped a private-vlan port to a public port on some pvlan switch.

It could be a host spoofing MACs of real hosts and flooding the network, so the switches filter those MACs. Although Win will warn you in such a case. Check the mac-address-table on the switches or turn on port-mac registration.

(30 Jan '13, 21:30) v_paranoid
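
The check described in Jasper's answer above (BPDUs at a steady interval, always identical, no topology change flagged), as an added example that is not part of the original thread: a Python script run over an "stp" field export from tshark. The sample rows, the 2-second hello default and the 0.5-second tolerance are assumptions, and whether tshark prints the flag as 1 or True depends on its version.

```python
import csv
import io

# Constructed sample (not from the capture discussed in this thread), in the
# shape produced by:
#   tshark -r capture.pcapng -Y stp -T fields -E separator=, \
#          -e frame.time_epoch -e stp.root.hw -e stp.bridge.hw -e stp.flags.tc
SAMPLE = """\
100.00,00:11:22:aa:bb:01,00:11:22:aa:bb:01,0
102.00,00:11:22:aa:bb:01,00:11:22:aa:bb:01,0
104.01,00:11:22:aa:bb:01,00:11:22:aa:bb:01,0
104.60,00:11:22:aa:bb:01,00:11:22:aa:bb:01,1
106.00,00:33:44:cc:dd:02,00:33:44:cc:dd:02,1
112.00,00:33:44:cc:dd:02,00:33:44:cc:dd:02,0
"""

def check_bpdus(text, hello=2.0, tolerance=0.5):
    """Return (time, kind, detail) for every BPDU that breaks the steady pattern."""
    findings = []
    last_seen = {}     # sending bridge -> timestamp of its previous BPDU
    prev_root = None   # root bridge announced by the previous BPDU
    for row in csv.reader(io.StringIO(text)):
        # Skip rows with empty fields (e.g. TCN BPDUs carry no root/bridge ID).
        if len(row) != 4 or not all(row):
            continue
        t, root, bridge, tc = float(row[0]), row[1], row[2], row[3]
        # 1. BPDUs from one sender should arrive once per hello interval.
        if bridge in last_seen:
            gap = t - last_seen[bridge]
            if abs(gap - hello) > tolerance:
                findings.append((t, "interval", f"{gap:.2f}s since last BPDU from {bridge}"))
        last_seen[bridge] = t
        # 2. The announced root bridge should never change in a stable network.
        if prev_root is not None and root != prev_root:
            findings.append((t, "root-change", f"{prev_root} -> {root}"))
        prev_root = root
        # 3. The topology change flag should stay clear.
        if tc.strip().lower() in ("1", "true"):
            findings.append((t, "tc", f"topology change flag set by {bridge}"))
    return findings

if __name__ == "__main__":
    for when, kind, detail in check_bpdus(SAMPLE):
        print(f"{when:8.2f}  {kind:<12} {detail}")
```
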

Can the hosts access one another, or can they just not access things off the LAN? Check the ARP entries on the host to make sure they look correct. Secondly, check the interface status on the switch. Make sure it is not Admin-Down, Err-Disabled or another state.

answered 24 Jan '13, 19:06

Magnus Morte...
