Why does my iPad get stuck making ARP requests?
-
Hi,
I have an iPad that stops communicating with my network every once in a while. It happens very rarely (~once per month) and I can't reproduce it, so it's been difficult to figure out what's going on. It just happened and I was able to run tcpdump, so I'm wondering if anyone has ever seen anything similar or is able to offer any hints about what might be happening.
I have pfSense configured as an AP with the LAN and wireless bridged together. I managed to capture the following traffic:
tcpdump -i bridge0 -n "host 192.168.32.200"
15:02:21.418164 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:02:21.418201 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:02:33.446982 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:02:33.447017 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:02:40.578003 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:02:40.578043 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:02:44.596063 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:02:44.596110 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:02:51.581573 IP 192.168.32.200.63694 > 192.168.32.254.53: 44567+ A? 25-courier.push.apple.com. (43)
15:02:52.341906 IP 192.168.32.254.53 > 192.168.32.200.63694: 44567 10/0/0 CNAME 25.courier-push-apple.com.akadns.net., CNAME us-courier.push-apple.com.akadns.net., A 17.143.162.87, A 17.143.162.80, A 17.143.161.20, A 17.143.161.165, A 17.143.160.226, A 17.143.163.227, A 17.143.162.220, A 17.143.161.220 (257)
15:02:53.617521 IP 192.168.32.200.63694 > 192.168.32.254.53: 44567+ A? 25-courier.push.apple.com. (43)
15:02:53.618261 IP 192.168.32.254.53 > 192.168.32.200.63694: 44567 10/0/0 CNAME 25.courier-push-apple.com.akadns.net., CNAME us-courier.push-apple.com.akadns.net., A 17.143.162.87, A 17.143.162.80, A 17.143.161.20, A 17.143.161.165, A 17.143.160.226, A 17.143.163.227, A 17.143.162.220, A 17.143.161.220 (257)
15:02:59.012678 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:02:59.012720 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:03:08.487106 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:03:08.487156 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:03:09.491732 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:03:09.491786 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:03:21.527089 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:03:21.527123 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
I have no connectivity on the iPad and it'll stay that way until I disable and re-enable the iPad's WiFi. All my iPad does is make ARP requests except that DNS query right in the middle. How is that possible? How can the iPad make a successful DNS query to 192.168.32.254 when it's acting like it doesn't have an ARP entry for the same IP?
I also noticed that many apps think they're offline, even though I'm still associated to the AP. Has anyone ever noticed anything similar with pfSense and / or iOS devices?
-
Odd looking. Is it just that one iPad? Other wireless devices fine?
It appears the ARP replies are being sent, but not all received on the iPad. What does it look like if you capture on the ath0_wlanX or whatever your WLAN interface is? That'll narrow it down a bit more to see whether it's making it from bridge0 to the wireless interface. Granted, I guess it'll be a while until it happens again.
-
Well, clearly it must have gotten the ARP that was being sent, at least long enough to send the query, and it looks like it got sent an answer as well. I agree: unless it knows the MAC, I do not see how it would have been able to send the DNS query.
-
Yeah it got at least one of those replies, but not likely all given it kept retrying the ARP request.
-
@cmb:
Odd looking. Is it just that one iPad? Other wireless devices fine?
I think it's just the one device, but I'm not positive. In this case my Windows 10 laptop had issues at the same time, but it recovered very quickly (~30s). I was connected to another machine on my LAN via RDP and saw a lot of latency. Ex: Each key press would take 500-1000ms to show up on the other end.
I should have been clear, I don't necessarily think it's an issue with pfSense. It's most likely an edge case where something doesn't recover correctly from a wireless error. Since it happens so infrequently I might not ever track it down.
I'll definitely try capturing on the wlan interface the next time it happens. I wish I would have thought of that yesterday. Thanks for the suggestion.
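Added example, not part of the original thread: a small Python script that reads `tcpdump -n` text output and flags a host that re-sends an ARP request for a target shortly after an earlier request for that target was answered at the capture point, which is the pattern discussed above. Running it over captures from both bridge0 and the WLAN interface shows where the replies stop. The function name, the 60-second window, the repeat threshold and the sample lines are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Constructed sample in `tcpdump -n` text format, modelled on the capture in the thread.
SAMPLE = """\
15:02:21.418164 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:02:21.418201 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:02:33.446982 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:02:33.447017 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:02:51.581573 IP 192.168.32.200.63694 > 192.168.32.254.53: 44567+ A? 25-courier.push.apple.com. (43)
15:02:59.012678 ARP, Request who-has 192.168.32.254 tell 192.168.32.200, length 28
15:02:59.012720 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
15:09:00.000000 ARP, Request who-has 192.168.32.254 tell 192.168.32.10, length 28
15:09:00.000050 ARP, Reply 192.168.32.254 is-at 02:d5:7c:xx:xx:xx, length 28
"""

REQ = re.compile(r"^(\S+) ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"^(\S+) ARP, Reply (\S+) is-at (\S+),")

def _ts(s):
    # tcpdump's default timestamp has no date; captures crossing midnight are not handled.
    return datetime.strptime(s, "%H:%M:%S.%f")

def find_stuck_arp(text, window=60.0, min_repeats=2):
    """Return {(requester, target): count} of ARP requests re-sent within
    `window` seconds of an already answered request for the same target.
    A non-empty result means replies were seen at the capture point but the
    requester kept asking, as if they never arrived."""
    last_answered = {}  # (requester, target) -> time of last request that saw a reply
    pending = {}        # target -> [(requester, time)] still waiting for a reply
    repeats = {}
    for line in text.splitlines():
        if m := REQ.match(line):
            t, target, requester = _ts(m[1]), m[2], m[3]
            key = (requester, target)
            prev = last_answered.get(key)
            if prev is not None and 0 <= (t - prev).total_seconds() <= window:
                repeats[key] = repeats.get(key, 0) + 1
            pending.setdefault(target, []).append((requester, t))
        elif m := REP.match(line):
            # Without -e the reply line does not name its recipient, so credit
            # every requester currently waiting on this target.
            for requester, t in pending.pop(m[2], []):
                last_answered[(requester, m[2])] = t
    return {k: n for k, n in repeats.items() if n >= min_repeats}

if __name__ == "__main__":
    for (requester, target), n in find_stuck_arp(SAMPLE).items():
        print(f"{requester} re-requested {target} {n} times after an answered request")
```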