(English) Nagios check for number of ARP entries – arp entries on Checkpoint problem

I wrote a quick check for nagios, to check number of ARP-entries on a networkdevice.

Quick and simple, it uses snmpwalk and wc -l

The reason I made this, was that a checkpoint firewall-1 will have a default limit of 1024 arp-entries. One of my customers hit this limit on an internal firewall, causing all kind of strange network issues.

In /var/log/messages on the firewall, we saw;

kernel: Neighbour table overflow. (lots of these)

To fix this problem on the firewall, do this;

To enlarge the ARP cache entry table on-the-fly, run:

sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
sysctl -w net.ipv4.neigh.default.gc_thresh1=1024

To make these changes survive a reboot, modify the /etc/sysctl.conf file to include the following lines:

net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096

WARNING; DO NOT do a sysctl -w after this last change! -That will turn of routing on your firewall, making problems bigger then the ones you have!

So, to the script:
check_snmp_arp will return only ok/warn/error, and a number of arp entries, with added performanceoutput, so you can have nice graphs of your arp-tables, using something like pnp4nagios.

check_snmp_arp -H [ IP|HOSTNAME ] -C SNMPCOMMUNITY -w warning -c critical

./check_snmp_arp.pl -H hostname -C snmpkey -w 600 -c 800
Status is OK. Arp enries in memory: 219 |arp=219

  • Download it here; check_snmp_arp
  • Make executable, rename to .pl and run

You nagios-config should look something like this;

define service{
service_description ARP_Entries
use generic_service
check_command check_arp
define command{
command_name check_arp
command_line $USER2$/check_snmp_arp.pl -H $HOSTADDRESS$ -C $_HOSTSNMPCOMMUNITY$ -w 600 -c 800


Nagios | The Industry Standard in IT Infrastructure Monitoring

Leave a Comment