You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Product bug: unknown unicast traffic storms from thunderbolt displays

Hi All -


Periodically, a random Thunderbolt display will launch a wire rate unknown unicast traffic storm into our LAN and only stop when unplugged from the network. This typically leads to unicast flooding or at least massive trunk congestion (we now use Cisco's storm-control and block (unknown) unicast).


In any given event the transmitted frames are all the same and appear to be random data from memory. They make no sense as traffic: they have garbage MAC addresses and hence the "unknown unicast traffic storm".


We have very roughly 100 and about 1% malfunction this way once a week. We don't think it's the MBP behind the display because we switched to Thunderbolt ethernet adapters (directly on the MPBs) and have not seen an incident for over 7 weeks.


Here is a LogicMonitor record; the trailing edge of the event was when we unplugged the display.


User uploaded file


Here's what a packet capture looks like from the outage:


User uploaded file

Here is trace data from a different event.


User uploaded file


The destination MAC address is an ASCII string that spells out "vertcp". Although Wireshark identifies the frame type as LLC in the first example, we believe this to be a coincidence; it's a random 436-byte piece of firmware memory. A safe conclusion is that both the LLC tag and the completely invalid ethertype in the first event is just random. Nothing in the captured frames makes sense because they aren't ethernet frames, they are random data passed to the driver due to a bug.


Thanks

Branden

Posted on Jul 10, 2014 5:11 PM

Reply
14 replies

Feb 10, 2015 4:53 PM in response to Branden Stanke

Following up on my last post, I forgot to add in my case we see between 8.5-9.5K packets/second when this happens. Here is an excerpt from my wireshark trace:

User uploaded file


I now have a case open with Apple on this.


All I can suggest to folks is if you have a large set of Thunderbolt displays at your company you're bound to see this sooner or later, so implement storm control if you haven't already.

Aug 6, 2014 11:59 AM in response to Branden Stanke

Same problem here. It only happens when attached to the network through a thunderbolt display. Both MacBook Airs and MacBookPros have been observed doing this. It's been bad at times as our switches flood the traffic to all ports on the same VLAN (we are now sending 0000.0000.0000 to null0 on our access switches to minimize the impact). I can repeatably create the error condition every time by simply rebooting the attached MacBook.

Dec 12, 2014 7:17 AM in response to Branden Stanke

We have experienced the same issue with increasing frequency as more Thunderbolt displays are introduced into our environment in the last year. On a gigabit port, the display has no problem generating 800mbit/s or more of traffic (~500kpps) - which is then flooded to every port in the same VLAN (~400 user ports in our case). For 100mbit/s users, this essentially floods them off the network.


Here is a detail I don't see mentioned above -- this happens even when a laptop/computer is not connected to the display. The first case we had of this happening was with a display that had no thunderbolt parent device attached. Shutting down the switchport and no-shutting it (bouncing the link on the display) resolves this until the next time it happens.


It looks like whatever crap resides in various buffers is used to construct the resulting Ethernet frames. I did not perform a packet capture this time, but the last time it happened the entire Ethernet header was null bytes with the body being mostly-null but the same random-looking noise in the rest of the frame. The frame was interpreted by Wireshark and others as a type of Fiber Channel, but I think that was just the default case that matched many of the null characteristics. The exact same frame was reflected in each packet sent (as opposed to each frame being different/randomized from the predecessor)

Feb 10, 2015 1:48 PM in response to Branden Stanke

Well we've seen this too. I've actually been dealing with this for about a month and finally concluded it was the Thunderbolt monitor as opposed to a faulty switch port, etc. We've now seen it on at least two displays and had to implement storm control on our Ciscos to combat it. In wireshark we see:


Frame 678838: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0

Ethernet II, Src: IfmElect_00:00:00 (00:02:01:00:00:00), Dst: 00:00:00_00:01:b8 (00:00:00:00:01:b8)

Type: Unknown (0x4000)

Data (76 bytes)

Data: 0001333300000016a820664a180386dd6000000000240001...


The source, destination and data is always the same and I believe an exact match for what we saw on both Thunderbolt displays.


Question is, has anyone pursued this with Apple and is there an explanation and fix?

Feb 19, 2015 7:50 AM in response to mclovinn

mclovinn, would you mind sharing your Apple case number? I am putting in a case for my company and would like to be able to provide them with proof that this is not just a one-off issue. The more examples they see of this issue, the more likely they are to actually look into the root cause.


Another note, I had talked to an Apple support member several weeks ago regarding the issue. They had suggested to make sure that the displays are updated to the latest firmware, 1.2. After that, I checked one of the displays that had experienced this issue. It did not have the newest firmware so I updated it but, just this morning, the same display had the issue again. So the latest firmware patch is not a fix for this problem.

Apr 29, 2015 7:10 AM in response to CNVRHelpDesk

We continue to have this issue - this morning we had our 4th unique thunderbolt (but each has been responsible for numerous instances) display knock major parts of our network offline by sending a huge stream of junk traffic (which was treated as unknown unicast).


We will continue to apply pressure on Apple Support and our account rep regarding this; it would be beneficial if anyone else experiencing this did the same and shared their case numbers

Jun 30, 2015 7:45 PM in response to jakmobile

Out of curiosity, has anyone noticed any seeming correlation with Yosemite? Or, put another way, have folks seen this problem with monitors that have been connected to Macs running on 10.9 or below? I realize it seems to be primarily a display issue, but just wondering.


Thanks!


PS, we've seen this issue once in my place of work. Took down a big chunk of the network; so we unplugged the display from the network. NetOps reported excessive multicast traffic from the laptop/display pair a couple of weeks before the unicast storm; so we had been looking at discoveryd. But the unicast stuff was really malformed so we kind of went in another direction. But I note Apple got rid of discoveryd in 10.10.4 so it made me curious about it again.

Aug 19, 2015 10:28 AM in response to Branden Stanke

Hi All,


FWIW, I haven't heard of any fixes from Apple and never got any feedback from them. I also experienced this issue with Thunderbolt Displays on different firmware versions. We have hundreds of these displays around our offices, and the way that I've dealt with this issue is by plugging ethernet cords into thunderbolt adapters and then plugging those adapters into the back of the Thunderbolt Displays. I don't plug ethernet directly in anymore...


As best practice, I now turn broadcast & multicast storm control on all of our access layer switches. I also rebuilt our network with stack switches and minimized my exposure my reducing the size of my broadcast domains (creating more VLANS and laying them out more logically). I hope that helps anyone else that might run across this issue.

Oct 16, 2015 8:56 AM in response to Branden Stanke

We had this issue again earlier this week so I contacted Apple support and they said that they "believe" the issue is actually in the OS on the MAC not an actual issue with the display. They suggested upgrading to 10.11 (El Capitan) and believe the fix is in the OS. If any of you out there experience this issue on El Capitan, please post it here and contact support so they are aware.

Nov 5, 2015 8:20 AM in response to jakmobile

To add additional information;


We have found that as stated in the original post, using a thunderbolt to ethernet adapter solves the issue. For about 4 months we only had 1 display causing trouble. We connected a thunderbolt to ethernet adapter to the monitor and haven't had further trouble. We had a different display exhibit the same trouble last week. We also moved him to an adapter and haven't seen the issue. I'll report back when I have more information but I don't believe I'll see the trouble again. I suppose this doesn't rule out the OS as the issue since it could be a bug with 10.10 and a thunderbolt display. We aren't ready to allow our users to upgrade to 10.11 yet. When we do, I'll remove the adapters and see if the trouble comes back. My hunch is that this has nothing to do with the OS and is a batch of faulty NIC hardware in the displays.

Jun 30, 2016 9:33 PM in response to Branden Stanke

We started seeing this in mid to late 2014. There would be a traffic flood of around 700,000 pps, to and from a MAC address starting with 6000. Each time we tracked down the offender, it would be a Thunderbolt running Yosemite. Very odd thing is it would always happen on Monday early afternoon, say around 1:30.


A good work-around from the network side if you're running Cisco switches is the Storm Control feature. Since this is unicast traffic, something like "storm-control unicast level pps 200k" on all desktop ports should catch it in the act.


I'm somewhat skeptical Apple actually identified and fixed this in El Capitan. This is essentially a network denial of service attack somehow tied to hardware, and really should have been fixed openly via a driver update. Given problems we've had with El Capitan related to Office, we won't be upgrading anytime soon.

Product bug: unknown unicast traffic storms from thunderbolt displays

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.