Network connectivity and strange ARP issues
Hi all, I am not sure if this is the right place to post, but I am experiencing network-wide connectivity issues that are very dynamic. I can access something for a few minutes, gone the next. The only thing I have been monitoring is the ARP cache on my local PC. I cleared the cache and then monitored 3 of my servers' addresses and noticed them changing like below (each command run every few minutes):

    H:\>arp -a

    Interface: 10.1.4.168 --- 0xb
      Internet Address      Physical Address      Type
      10.1.1.5              b4-07-f9-37-c8-76     dynamic
      10.1.1.6              00-50-56-bd-00-03     dynamic
      10.1.1.8              b4-07-f9-37-c8-76     dynamic

    Interface: 10.1.4.168 --- 0xb
      Internet Address      Physical Address      Type
      10.1.1.5              b4-07-f9-37-c8-76     dynamic
      10.1.1.6              b4-07-f9-37-c8-76     dynamic
      10.1.1.8              c8-19-f7-64-2f-8f     dynamic

    Interface: 10.1.4.168 --- 0xb
      Internet Address      Physical Address      Type
      10.1.1.5              00-50-56-bd-00-04     dynamic
      10.1.1.6              b4-07-f9-37-c8-76     dynamic
      10.1.1.8              c8-19-f7-64-2f-8f     dynamic

    Interface: 10.1.4.168 --- 0xb
      Internet Address      Physical Address      Type
      10.1.1.5              b4-07-f9-37-c8-76     dynamic
      10.1.1.6              b4-62-93-0a-a5-ab     dynamic
      10.1.1.8              b4-07-f9-37-c8-76     dynamic

    Interface: 10.1.4.168 --- 0xb
      Internet Address      Physical Address      Type
      10.1.1.5              00-50-56-bd-00-04     dynamic
      10.1.1.6              00-50-56-bd-00-03     dynamic
      10.1.1.8              b4-07-f9-37-c8-76     dynamic

    Interface: 10.1.4.168 --- 0xb
      Internet Address      Physical Address      Type
      10.1.1.5              00-50-56-bd-00-04     dynamic
      10.1.1.6              00-50-56-bd-00-03     dynamic
      10.1.1.8              b4-07-f9-37-c8-76     dynamic

    Interface: 10.1.4.168 --- 0xb
      Internet Address      Physical Address      Type
      10.1.1.5              00-50-56-bd-00-04     dynamic
      10.1.1.6              b4-62-93-0a-a5-ab     dynamic
      10.1.1.8              00-50-56-bd-00-02     dynamic

As you can see, those 3 servers are VMs running in VMware (ESXi 4.1 host), so the 00-50-56 is the correct MAC address. But why would they be changing to b4 or c8 addresses? When they are on what appears to be the wrong MAC address, I cannot ping or see these servers. My experience in layer 3 is limited. Do I have a suspect switch or suspicious behaviour on the network?
September 3rd, 2012 9:03pm

Just to add more information... I did a lookup on those b4-07-f9 and c8-19-f7 prefixes and they belong to Samsung, so probably an Android device on the network. Checking in DHCP I can see records for those devices, but not on those IP addresses. The DHCP starts at 10.1.2.1 and above - well clear of the 10.1.x.x addresses. So why would an IP on the network get the MAC address of a different device?
September 3rd, 2012 9:36pm

Hi, This type of issue may be caused by ARP spoofing. We may use some ARP protection software to prevent this type of issue. In addition, we can bind the static IP with the MAC address for each host and the gateway on the DHCP site. For more questions, you'd better post the issue on the Server Forum. http://social.technet.microsoft.com/Forums/en/category/windowsserver/
Kim Zhou
TechNet Community Support
September 5th, 2012 2:44am
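
Added example, not part of the original thread: a small Python check that parses repeated `arp -a` output and reports the two patterns visible in the first post, namely IPs whose MAC changes between snapshots and a single MAC answering for several IPs at once. The sample input is the first three snapshots from that post with the header rows omitted; the function names are illustrative, and one interface per `arp -a` run is assumed.

```python
import re
from collections import defaultdict

# First three snapshots from the post above (column header rows omitted).
SAMPLE = """\
Interface: 10.1.4.168 --- 0xb
  10.1.1.5   b4-07-f9-37-c8-76   dynamic
  10.1.1.6   00-50-56-bd-00-03   dynamic
  10.1.1.8   b4-07-f9-37-c8-76   dynamic
Interface: 10.1.4.168 --- 0xb
  10.1.1.5   b4-07-f9-37-c8-76   dynamic
  10.1.1.6   b4-07-f9-37-c8-76   dynamic
  10.1.1.8   c8-19-f7-64-2f-8f   dynamic
Interface: 10.1.4.168 --- 0xb
  10.1.1.5   00-50-56-bd-00-04   dynamic
  10.1.1.6   b4-07-f9-37-c8-76   dynamic
  10.1.1.8   c8-19-f7-64-2f-8f   dynamic
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I)

def parse_snapshots(text):
    """Split concatenated `arp -a` output into one {ip: mac} dict per run."""
    snaps = []
    for line in text.splitlines():
        if line.lstrip().startswith("Interface:"):
            snaps.append({})          # each Interface line starts a new snapshot
        elif (m := ROW.match(line)) and snaps:
            snaps[-1][m.group(1)] = m.group(2).lower()
    return snaps

def flapping_ips(snaps):
    """IPs that resolved to more than one MAC across the snapshots."""
    seen = defaultdict(set)
    for snap in snaps:
        for ip, mac in snap.items():
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def shared_macs(snaps):
    """(snapshot index, MAC, IPs) wherever one MAC answers for several IPs."""
    hits = []
    for i, snap in enumerate(snaps):
        by_mac = defaultdict(list)
        for ip, mac in snap.items():
            by_mac[mac].append(ip)
        hits += [(i, mac, sorted(ips)) for mac, ips in by_mac.items() if len(ips) > 1]
    return hits

print(flapping_ips(parse_snapshots(SAMPLE)), shared_macs(parse_snapshots(SAMPLE)))
```

On this input all three server IPs flap, and b4-07-f9-37-c8-76 holds two server addresses at once in the first two snapshots.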

Hi Kim, Yes, I think you are right - or I have another idea. The suspect devices are "Unauthenticated" when they connect to the network. It is possible that they initially have an old DHCP address from home which may match our own network. After they authenticate there is an IP conflict until a new DHCP lease is obtained. I can set static ARP addresses on the switches so the IP and MAC are static on the switch itself. I may do this for the core Domain Controllers, DNS and Gateway. Or I can shift the IP address to something unusual - not close to 192.168.1.x or 10.1.1.x if it's an old DHCP lease issue.
September 6th, 2012 1:36am

Hi, I think what you mentioned is possible. At this time, please test it and let us know the result. I do appreciate your effort.
Kim Zhou
TechNet Community Support
September 9th, 2012 10:07pm

This topic is archived. No further replies will be accepted.
