ARP Validation Feature Overview

Recently OS X 10.9 (Mavericks) was released. Along with this release, one of the unmentioned features was a new security function that was put in place.

This new feature validates ARP entries by sending unicast ARP requests. These requests time out if the host does not receive a timely response from the gateway. In effect, it tries to verify that the gateway is not being redirected or spoofed; if no response arrives, it assumes the ARP entry is no longer valid. The problem is that redundant gateways (HA mode) are interpreted as spoofed, which results in dropped packets and perceived latency as fail-over occurs.

The issue

This new ARP validation implementation is most evident on gateways where connectivity to the core routers is virtualized across multiple physical devices, such as with Cisco's Hot Standby Router Protocol (HSRP). This can easily be tested by opening Terminal and pinging any accessible site, for example citrix.com:

>ping citrix.com

…..
Request timed out.
Request timed out.
Request timed out.
Request timed out….
Reply from citrix.com: bytes=32 time=55ms TTL=93
Reply from citrix.com: bytes=32 time=120ms TTL=93
Reply from citrix.com: bytes=32 time=87ms TTL=93
Reply from citrix.com: bytes=32 time=77ms TTL=93….
Request timed out.
Request timed out.
Request timed out.
Request timed out….
Reply from citrix.com: bytes=32 time=60ms TTL=93
Reply from citrix.com: bytes=32 time=56ms TTL=93
Reply from citrix.com: bytes=32 time=120ms TTL=93
Reply from citrix.com: bytes=32 time=116ms TTL=93….

Although this is not a Citrix issue directly, the dropped packets within highly available networks, particularly in enterprise datacenters, will result in perceived lag and Citrix applications appearing not to respond as they should. Because Citrix sessions run over the network connection they are affected, but so are downloads and any other web-related traffic.

The Solution

This can be fixed by disabling unicast ARP requests within Mac OS X 10.9. To do this, run the following commands in Terminal:

sudo su                                      # the remaining commands need root
touch /etc/sysctl.conf                       # create the file if it does not exist yet
echo net.link.ether.inet.arp_unicast_lim=0 >> /etc/sysctl.conf   # persist the setting across reboots
chown root:wheel /etc/sysctl.conf            # sysctl.conf must be owned by root
chmod 0644 /etc/sysctl.conf                  # world-readable, root-writable

Optionally, the following script can be used: ARP.sh.

Note: After entering the commands or running the script, a reboot might be necessary for the change to apply properly.
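The commands above append a line to /etc/sysctl.conf unconditionally, so running them twice leaves two copies, and the value only takes effect after a reboot. The script below is an added example written for this post (it is not the ARP.sh the author links, nor Citrix code): it persists the setting idempotently, applies it live with sysctl -w so no reboot is needed, and reads the value back so you can confirm it. The function names ensure_sysctl_line, count_key_lines and apply_live are the example's own. Keep in mind what the trade-off is: arp_unicast_lim=0 turns off the unicast probe that validates the gateway's ARP entry, so the host loses that check against a redirected or spoofed gateway in exchange for clean fail-over on HSRP-style networks.

```shell
#!/bin/sh
# Added example, not the post's ARP.sh: persist arp_unicast_lim=0 once,
# apply it without rebooting, and verify the running value.
set -eu

KEY="net.link.ether.inet.arp_unicast_lim"
VALUE="0"

# ensure_sysctl_line FILE KEY VALUE
# Appends "KEY=VALUE" to FILE unless a line for KEY already exists, in which
# case the existing line is rewritten in place. Prints "added" or "present".
ensure_sysctl_line() {
    file=$1; key=$2; value=$3
    if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"      # keeps the original owner and mode
        rm -f "$tmp"
        echo present
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
        echo added
    fi
}

# count_key_lines FILE KEY: how many lines define KEY (should be exactly 1).
count_key_lines() {
    grep -c "^${2}=" "$1" || true
}

# apply_live: set the value in the running kernel and echo it back.
# The sysctl key only exists on OS X / macOS, so skip elsewhere.
apply_live() {
    if [ "$(uname -s)" = "Darwin" ]; then
        sysctl -w "${KEY}=${VALUE}"
        printf 'running value: %s\n' "$(sysctl -n "$KEY")"
    else
        echo "not Darwin; skipping live apply"
    fi
}

# Usage: sudo ./arp_unicast_off.sh --install
if [ "${1:-}" = "--install" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    ensure_sysctl_line /etc/sysctl.conf "$KEY" "$VALUE"
    chown root:wheel /etc/sysctl.conf
    chmod 0644 /etc/sysctl.conf
    apply_live
fi
```

Run it with --install as root; without the flag it only defines the functions, which makes the file-editing logic easy to exercise against a scratch file before touching /etc/sysctl.conf. To undo, set the value back to its default and reboot, or remove the line and reboot.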

Until Next Time

Feel free to leave a comment if this fix helped you or if there is any information that I might have misrepresented – I am human, after all 😉

-Pablo

Pablo Legorreta, Architect, Citrix Consulting

Legal Disclaimer:

This software / sample code is provided to you “AS IS” with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software / sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software / sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software / sample code. In no event should the software / code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE software / SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the software / code belongs to Citrix, any distribution of the code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.