My IEC61850 IED not responding to ARP request

asked 2019-06-10 07:31:30 +0000

Hi, I have SEL451IED (IEC61850 server) which is connected in a network. Network has 2 other devices, one Dell PC (IEC61850 Client) and a Kalkitech SYNC (IEC61850 Client) device. IP address of the devices are SEL451-, DELL PC-, Kalkitech SYNC-

Kalkitech SYNC sends an ARP request "215 2019-06-08 02:03:40.791639 KalkiCom_00:cf:4a Broadcast ARP 60 Who has Tell", and SEL451 does not respond to the request.

When DELL PC sends an ARP request then SEL451 replies back as "234 2019-06-08 02:03:43.325118 Schweitz_00:38:ba Dell_b4:0d:18 ARP 60 is at 00:30:a7:00:38:ba"

Wireshark packet captured during this condition is available in this link : .

Is there any error in the ARP request send by Kalkitech SYNC ? Can you help?

I don't know that device, but is it possible that it has a configuration setting that restricts the IP addresses it will respond to? I don't see anything wrong with the failing request.

grahamb ( 2019-06-10 14:04:47 +0000 )

SEL doesn't block any IP addresses. However I tried with a different IP address in SYNC, still it didn't communicate with SEL.

Aravind ( 2019-06-18 12:31:14 +0000 )

answered 2019-06-10 14:08:05 +0000

Jaap

Your problem is the capture setup. What I gauge from the capture is that it was taken on the Dell. So how is it supposed to see the unicast response from the SEL451 to the Kalkitech SYNC? When the network switch has already learned the MAC address of it the Kalkitech SYNC the switch port of the Dell won't get that frame, hence you cannot capture it.

So we're left with circumstantial evidence, the repeated ARP Request broadcast by the Kalkitech SYNC. But we don't know if either the SEL451 is not responding or the Kalkitech SYNC is not receiving it. The solution to that is to setup a capture point on the network switch, so you can actually see the ingress/egress traffic on the ports to and from the Kalkitech SYNC and SEL451.

I was using port mirroring during the capture.

Later I captured packets from SYNC using tcpdump. In this also SEL is not responding to ARP request. But at the same time I am able to ping other devices (WIndows PCs) in the same network from SYNC.

Aravind ( 2019-06-18 12:24:46 +0000 )

