This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Duplicate IP address detected but mac doesn’t exist

0
1

I am getting IP address conflicts all over network for months. Trying to locate but not making progress. Wireshark packets indicate duplicate Ip address in use. For example:

duplicate ip address detectect for 192.168.1.1 (cc:52:af:0d:5f:d6) also in use by 02:cb:13:0d:5f:d6) frame (1102).

I look at frame 1102 and sure enough it has an ARP asking who has IP address 192.168.1.254 (happens to be gateway) to please tell 192.168.1.1 but of course the Mac address is not correct.

I check the DHCP server, 192.168.1.1 has not been assigned. The station that should get it doesn't get anything except a windows error telling it there is a conflict.

When I telnet to each switch in the path and check mac address for 02:cb:13:0d:5f:d6 sometimes it actually exists and always it traces back to one of many ARUBA wireless 135 devices we have deployed (not always same aruba, many times not). Sometimes though the mac address doesn't even exist. When it does tie back to aruba, in every single case that mac address is not connected to any aruba devices, I can see from our console that it is not there.

I know addresses that start with 02 are locallly administered addresses. I'm assuming we have an infested machine somewhere but how to locate when the mac address no where to be found?

asked 02 Oct '13, 13:35

jim%20fixit's gravatar image

jim fixit
1121
accept rate: 0%


2 Answers:

1

There is another guy with the same problem. Aruba APs, duplicate IPs with MAC addresses starting with 02:

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Duplicate-DHCP-addresses-when-connecting-two-AP105-s/m-p/55984

Cite: One MAC address is the original MAC address of the laptop and the other MAC address is a phantom address starting with 02:....

So, this seems to be an internal (maybe documented or not) feature of the Aruba APs.

I'm assuming we have an infested machine somewhere but how to locate when the mac address no where to be found?

I don't think so.

You should contact the Aruba support and ask them about that behavior.

Please update here as well. Might be interesting for others sometime ;-)

++ UPDATE ++

Wait a moment. MAC address starting with 02:... That reminds me on something. Microsoft NLB.

http://technet.microsoft.com/de-de/library/ff849728.aspx

Cite:

To identify NLB-enabled hosts when using switch or network tracing software look for MAC addresses that start with 02. The masked MAC address is similar to the original MAC address, but with the first two fields replaced as follows: 02-[Host ID including zero]-[Original MAC address values]. 

Hm... do you have any NLB enabled systems on that network?

Regards
Kurt

answered 07 Oct '13, 15:01

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 07 Oct '13, 16:25

(31 Oct '15, 12:51) Rooster_50

0

If you have many "Duplicate IP address detected" messages, I would start by collecting these over a period of time and try to find a pattern. Which IP addresses are involved and which are not. Which mac-addresses are involved and how do they relate to the each other. If there is a pattern in the mac-addresses, you might be able to create a capture filter for it. Or better, you might be able to create an ACL on your network devices to log packets that match. Did you obfuscate the mac-addresses or are they literally the ones you did see on the network. Assuming they were not obfuscated, I find the fact that the last 3 octets of the mac-address are the same noteworthy.

Since ARP requests are broadcast, you will see them everywhere. You might want to isolate by making traces on a span port only spanning the incoming packets. That way you can at least isolate where the packets are actually coming from. But you might already have done that as you say it always comes from one of the Aruba AP's.

answered 04 Oct '13, 01:18

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%