ARP Validation Feature
OS X 10.9 (Mavericks) was released recently. One change in this version that went unmentioned is a new security feature.
This feature validates ARP entries by sending unicast ARP requests. These requests time out when no timely response comes back for the host's gateway. In essence, the host is trying to detect whether the gateway has been redirected or spoofed. If it does not receive a response, it treats the ARP request as timed out. The problem is that redundant gateways (HA mode) are interpreted the same way, which results in dropped packets and perceived latency when a failover occurs.
The issue
This ARP validation behaviour is most evident on networks where connectivity to the core routers is virtualized across multiple physical devices, for example with Cisco Hot Standby Router Protocol (HSRP). It is easy to test: open the terminal and ping a reachable site, such as citrix.com:
> ping citrix.com
... ..
request has expired.
request has expired.
request has expired.
Request timed out ...
Response citrix.com: bytes=32 time=55ms TTL=93
Response citrix.com: bytes=32 time=0ms TTL=93
Response citrix.com: bytes=32 time=87ms TTL=93
Response citrix.com: bytes=32 time=77ms TTL=93 ...
request has expired.
request has expired.
request has expired.
Request timed out ...
Response citrix.com: bytes=32 time=60ms TTL=93
Response citrix.com: bytes=32 time=56ms TTL=93
Response citrix.com: bytes=32 time=0ms TTL=93
Response citrix.com: bytes=32 time=116ms TTL=93 ...
Although this is not directly a Citrix issue, packets lost on highly available networks, especially in corporate data centers, translate into perceived lag and Citrix applications that appear not to respond as they should. This affects not only Citrix environments, because they run over network connections, but also downloads and all web-related traffic.
The solution
This can be fixed by disabling unicast ARP requests on Mac OS X 10.9. To do this, run the following commands in the terminal:
sudo su
# create the persistent sysctl file if it does not exist, then add the setting
touch /etc/sysctl.conf
echo net.link.ether.inet.arp_unicast_lim=0 >> /etc/sysctl.conf
# the file must be owned by root and readable by everyone
chown root:wheel /etc/sysctl.conf
chmod 0644 /etc/sysctl.conf
Optionally, the following script can be used: ARP.sh.
Note: After entering the commands or running the script, a reboot may be required for the patch to be applied correctly.
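An added example, not the ARP.sh script referenced above and not Citrix code: the same sysctl.conf change made idempotent, so re-running it leaves a single assignment instead of appending duplicates, together with a reader that reports the configured value so hosts with the validation turned off can be inventoried. The function names and the optional file argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: idempotent edit of the persistent sysctl file.
# KEY is the setting named in the post; arp_lim_get / arp_lim_set and the
# optional file argument are hypothetical names chosen for this sketch.
KEY="net.link.ether.inet.arp_unicast_lim"

# Print the last value assigned to KEY in the file, or "unset".
# Comment lines and other keys are ignored; spaces around "=" are tolerated.
arp_lim_get() {
    file="${1:-/etc/sysctl.conf}"
    [ -f "$file" ] || { echo unset; return 0; }
    awk -F= -v key="$KEY" '
        /^[ \t]*#/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { found = v }
        END { print (found == "" ? "unset" : found) }
    ' "$file"
}

# Set KEY to VALUE exactly once: drop every existing assignment of KEY
# (re-running a plain ">>" append would stack duplicates), keep all other
# lines, append the new assignment, and leave the file with mode 0644.
arp_lim_set() {
    value="$1"; file="${2:-/etc/sysctl.conf}"
    case "$value" in
        ''|*[!0-9]*) echo "value must be a non-negative integer" >&2; return 2 ;;
    esac
    tmp="$file.tmp.$$"
    touch "$file" || return 1
    awk -F= -v key="$KEY" '
        /^[ \t]*#/ { print; next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k != key { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$KEY" "$value" >> "$tmp"
    chmod 0644 "$tmp" && mv "$tmp" "$file"
}

# Run as root with "--apply" to write /etc/sysctl.conf as the commands above do.
if [ "${1:-}" = "--apply" ]; then
    arp_lim_set 0 && echo "$KEY is now $(arp_lim_get)"
fi
```

Since a value of 0 switches off the gateway validation described earlier, arp_lim_get gives a quick way to list the machines where that trade-off was made.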
Until next time
Feel free to leave a comment if this patch has helped you or if I might have misrepresented any information - I'm human, after all 😉
-Pablo
Pablo Legorreta, Architect, Citrix Consulting
Disclaimer:
This software / sample code is provided "AS IS" without representation, warranty or condition of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES, EITHER EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software / sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software / sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to provide the current version and / or all future versions of the software / sample code. In no event should the software / sample code be used to support ultra-hazardous activities, including but not limited to life support or blasting operations. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE / SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the software / sample code belongs to Citrix, any distribution of the code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any claim arising from your use, modification or distribution of the code.