Windows 2008 R2 Servers Sending Arp Requests for IPs outside Subnet

Solution 1:

If you don't see the ARP requests in Wireshark/Netmon then two additional sources for the ARP frames could be Broadcom's teaming driver (BASP) and OEM network manageability (Dell's DRAC and HP's iLo for example).

The Broadcom teaming driver includes a feature called "LiveLink" which uses ARP frames to verify network connections to remote systems (see http://support.dell.com/support/edocs/network/p29352/english/teaming.htm). If the user sets a LiveLink probe for an IP address outside of the local subnet then BASP will happily generate an ARP for that address. Of course, if the address is bogus then the team should indicate a failure on one or more of the NICs used in the team.

Enterprise servers often have a dedicated Ethernet port for manageability. Lower cost servers may piggyback on the LOM port and send traffic through the same RJ-45 connector as Windows. If the management feature of the server is enabled but not configured correctly it may generate ARPs outside of the IP subnet used by the host. These ARP frames would also be invisible to Wireshark/Netmon. Most management solutions also work while the system is off so if you continue to see ARPs generated by a system when it's turned off then the management function may be the source.

Solution 2:

Your understanding of ARP is correct. A host shouldn't ARP for an IP address not in its local subnet because it should know that the IP address is not local and therefore should know that the data needs to be sent to the default gateway. The only time I've ever seen this is with a host infected with malware.
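Both answers come down to the same check: which senders on the segment are ARPing for targets outside the local subnet. The following is an added example (not code from either answer) that parses raw Ethernet+ARP frames and flags off-subnet requests. It assumes the frames were captured on a switch mirror port, since Solution 1 notes that frames from the teaming driver or the management controller never reach the host's own Wireshark/Netmon; the frames below are constructed test data with made-up MAC and IP addresses.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build a raw Ethernet II + ARP request frame (constructed test data only)."""
    eth = bytes.fromhex("ffffffffffff") + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode=request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += bytes(6) + ipaddress.IPv4Address(target_ip).packed  # target MAC unknown
    return eth + arp


def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4 ARP request, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, opcode) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ipaddress.IPv4Address(frame[28:32])
    target_ip = ipaddress.IPv4Address(frame[38:42])
    return sender_mac, sender_ip, target_ip


def find_offsubnet_arps(frames, local_net):
    """Return (sender_mac, sender_ip, target_ip) for every ARP request whose
    target lies outside local_net. Non-ARP and malformed frames are skipped."""
    net = ipaddress.IPv4Network(local_net)
    hits = []
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        sender_mac, sender_ip, target_ip = parsed
        if target_ip not in net:
            hits.append((sender_mac, str(sender_ip), str(target_ip)))
    return hits


# Constructed sample capture: one normal request for the gateway, one request
# for an address outside the subnet (the behaviour the question describes),
# and one non-ARP frame (IPv4 ethertype, zero payload) that must be ignored.
HOST_MAC = bytes.fromhex("001122334455")   # made-up address
LOCAL_NET = "192.168.10.0/24"
SAMPLE_FRAMES = [
    build_arp_request(HOST_MAC, "192.168.10.20", "192.168.10.1"),
    build_arp_request(HOST_MAC, "192.168.10.20", "10.0.0.5"),
    bytes.fromhex("ffffffffffff") + HOST_MAC + struct.pack("!H", 0x0800) + bytes(46),
]

if __name__ == "__main__":
    for mac, sip, tip in find_offsubnet_arps(SAMPLE_FRAMES, LOCAL_NET):
        print(f"off-subnet ARP from {mac} ({sip}) for {tip}")
```

The sender MAC is what matters for triage: if it matches the NIC team's address, check the LiveLink probe targets; if it is a MAC the OS never reports (for example the management controller sharing the LOM port), the host's own tools will never show the frame and the BMC configuration is the place to look.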