The  ESWD_DAI_FAILED message reports that dynamic ARP inspection (DAI) failed on the packet received on the port specified by the log message.

When an ESWD_DAI_FAILED event occurs, a message similar to the following is reported:

DAI examines the ARP requests and responses on the LAN and validates the ARP packets. The switch intercepts ARP packets from an access port and validates them against the DHCP snooping database. If no IP-MAC entry in the database corresponds to the information in the ARP packet, DAI drops the ARP packet, and the local ARP cache is not updated with the information in that packet. DAI also drops ARP packets when the IP address in the packet is invalid. For packets directed to the switch to which a network device is connected, ARP queries are broadcast on the VLAN. The ARP responses to those queries are subjected to the DAI check.

If the ARP request/response is received on the port specified in the message, it cannot be linked to any of the IPs assigned by DHCP, and all the traffic flowing through this interface will be dropped. Also, if the DHCP server goes down and the lease time for an IP-MAC entry for a previously valid ARP packet runs out, the packet is blocked.

Perform these steps to determine the cause and resolve the problem (if any):

1. Collect the show command output to help determine the cause of this message.

Capture the output to a file (in case you have to open a technical support case). To do this, configure each SSH client/terminal emulator to log your session.

2. Analyze the show command output.

Identify the interface for which this message is logged. The above outputs will help understand the DHCP bindings and the ARP statistics configured on the device, which can then be compared with the interface-name and other values in the log message. Look for any related events that occurred at or just before the ESWD_DAI_FAILED message in the syslog outputs.

3. If possible, check the interfaces and configure DAI, followed by a reboot.


4. Unless required, remove the DAI configuration from the interface/VLAN in question.

5. If you would like to provide a Layer 2 security feature on your access switch, make sure that the required IP/MAC is registered in the DHCP database.

You can verify this from the commands given in Step 1.

About the author


Leave a Comment