Ask Your Question
0

My IEC61850 IED not responding to ARP request

asked 2019-06-10 07:31:30 +0000

Aravind gravatar image

Hi, I have SEL451IED (IEC61850 server) which is connected in a network. Network has 2 other devices, one Dell PC (IEC61850 Client) and a Kalkitech SYNC (IEC61850 Client) device. IP address of the devices are SEL451- 10.0.1.214, DELL PC- 10.0.1.216, Kalkitech SYNC-10.0.1.215

Kalkitech SYNC sends an ARP request "215 2019-06-08 02:03:40.791639 KalkiCom_00:cf:4a Broadcast ARP 60 Who has 10.0.1.214? Tell 10.0.1.215", and SEL451 does not respond to the request.

When DELL PC sends an ARP request then SEL451 replies back as "234 2019-06-08 02:03:43.325118 Schweitz_00:38:ba Dell_b4:0d:18 ARP 60 10.0.1.214 is at 00:30:a7:00:38:ba"

Wireshark packet captured during this condition is available in this link : https://www.dropbox.com/s/njx3pb99n58... .

Is there any error in the ARP request send by Kalkitech SYNC ? Can you help?

edit retag flag offensive close merge delete

Comments

I don't know that device, but is it possible that it has a configuration setting that restricts the IP addresses it will respond to? I don't see anything wrong with the failing request.

grahamb gravatar imagegrahamb ( 2019-06-10 14:04:47 +0000 )edit

SEL doesn't block any IP addresses. However I tried with a different IP address in SYNC, still it didn't communicate with SEL.

Aravind gravatar imageAravind ( 2019-06-18 12:31:14 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-06-10 14:08:05 +0000

Jaap gravatar image

Your problem is the capture setup. What I gauge from the capture is that it was taken on the Dell. So how is it supposed to see the unicast response from the SEL451 to the Kalkitech SYNC? When the network switch has already learned the MAC address of it the Kalkitech SYNC the switch port of the Dell won't get that frame, hence you cannot capture it.

So we're left with circumstantial evidence, the repeated ARP Request broadcast by the Kalkitech SYNC. But we don't know if either the SEL451 is not responding or the Kalkitech SYNC is not receiving it. The solution to that is to setup a capture point on the network switch, so you can actually see the ingress/egress traffic on the ports to and from the Kalkitech SYNC and SEL451.

edit flag offensive delete link more

Comments

I was using port mirroring during the capture.

Later I captured packets from SYNC using tcpdump. In this also SEL is not responding to ARP request. But at the same time I am able to ping other devices (WIndows PCs) in the same network from SYNC.

Aravind gravatar imageAravind ( 2019-06-18 12:24:46 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-06-10 07:31:30 +0000

Seen: 339 times

Last updated: Jun 10 '19

Related questions

Monitoring UDP data on wireshark shows ARP packet

Gateway keeps flooding the network with arp requests

display ARP and ICMP only

Is this source malicious?

Target Machine keeps losing connectivity when running a arpspoof/ettercat against it

tshark packet data not displaying

Protocol Hierarchy to analyze

ARP protocol in Handover

ARP Delay when pinging a local machine

graph for arps per second