I wrote a quick check for nagios, to check number of ARP-entries on a networkdevice.
Quick and simple, it uses snmpwalk and wc -l
The reason I made this, was that a checkpoint firewall-1 will have a default limit of 1024 arp-entries. One of my customers hit this limit on an internal firewall, causing all kind of strange network issues.
In /var/log/messages on the firewall, we saw;
kernel: Neighbour table overflow. (lots of these)
To fix this problem on the firewall, do this;
To enlarge the ARP cache entry table on-the-fly, run:
sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
sysctl -w net.ipv4.neigh.default.gc_thresh1=1024To make these changes survive a reboot, modify the /etc/sysctl.conf file to include the following lines:
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096WARNING; DO NOT do a sysctl -w after this last change! -That will turn of routing on your firewall, making problems bigger then the ones you have!
So, to the script:
check_snmp_arp will return only ok/warn/error, and a number of arp entries, with added performanceoutput, so you can have nice graphs of your arp-tables, using something like pnp4nagios.
./check_snmp_arp.pl
check_snmp_arp -H [ IP|HOSTNAME ] -C SNMPCOMMUNITY -w warning -c critical./check_snmp_arp.pl -H hostname -C snmpkey -w 600 -c 800
Status is OK. Arp enries in memory: 219 |arp=219
- Download it here; check_snmp_arp
- Make executable, rename to .pl and run
You nagios-config should look something like this;
define service{
service_description ARP_Entries
use generic_service
check_command check_arp
}
define command{
command_name check_arp
command_line $USER2$/check_snmp_arp.pl -H $HOSTADDRESS$ -C $_HOSTSNMPCOMMUNITY$ -w 600 -c 800
}
I wrote a quick check for nagios, to check number of ARP-entries on a networkdevice.
Quick and simple, it uses snmpwalk and wc -l
The reason I made this, was that a checkpoint firewall-1 will have a default limit of 1024 arp-entries. One of my customers hit this limit on an internal firewall, causing all kind of strange network issues.
In /var/log/messages on the firewall, we saw;
kernel: Neighbour table overflow. (lots of these)
To fix this problem on the firewall, do this;
To enlarge the ARP cache entry table on-the-fly, run:
sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
sysctl -w net.ipv4.neigh.default.gc_thresh1=1024To make these changes survive a reboot, modify the /etc/sysctl.conf file to include the following lines:
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096WARNING; DO NOT do a sysctl -w after this last change! -That will turn of routing on your firewall, making problems bigger then the ones you have!
So, to the script:
check_snmp_arp will return only ok/warn/error, and a number of arp entries, with added performanceoutput, so you can have nice graphs of your arp-tables, using something like pnp4nagios.
./check_snmp_arp.pl
check_snmp_arp -H [ IP|HOSTNAME ] -C SNMPCOMMUNITY -w warning -c critical./check_snmp_arp.pl -H hostname -C snmpkey -w 600 -c 800
Status is OK. Arp enries in memory: 219 |arp=219
- Download it here; check_snmp_arp
- Make executable, rename to .pl and run
You nagios-config should look something like this;
define service{
service_description ARP_Entries
use generic_service
check_command check_arp
}
define command{
command_name check_arp
command_line $USER2$/check_snmp_arp.pl -H $HOSTADDRESS$ -C $_HOSTSNMPCOMMUNITY$ -w 600 -c 800
}