Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    ArpWatch troubleshooting

    Scheduled Pinned Locked Moved General pfSense Questions
    11 Posts 2 Posters 540 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by

      Ive never been clear on what the ArpWatch messages are supposed to mean. For example, what i see on a consistent basis is the following
      68196083-5674-4741-b2a2-8ffa22b6f43f-image.png

      full_message
      <29>Jun 25 09:27:25 arpwatch[6990]: flip flop 0.0.0.0 00:11:32:c4:06:f5 (00:11:32:78:37:5b)

      Those two MACs are my Synology NAS. They have different static IP assignments, located on different switch ports on my switch.
      00:11:32:78:37:5b - Synology - Port13 - 192.168.3.2
      00:11:32:c4:06:f5 - Synology - Port7 - 192.168.3.3

      What is going on here? What is 0.0.0.0 ?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        0.0.0.0 is the IP address used in the ARP packet. Usually a DHCP client before it gets a lease for example.

        M 1 Reply Last reply Reply Quote 0
        • M
          michmoor LAYER 8 Rebel Alliance @stephenw10
          last edited by

          @stephenw10 So then..if i understand the syslog message correctly,
          IP 0.0.0.0 used to belong to hostA now it belongs to hostB
          But this is erroneous as both hosts have static IPs?
          How come i don't see this with clients on a DHCP managed network configured for Arpwatch?

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Maybe you have Disable 0.0.0.0 set in the ARPwatch settings?

            M 1 Reply Last reply Reply Quote 0
            • M
              michmoor LAYER 8 Rebel Alliance @stephenw10
              last edited by

              @stephenw10 Indeed i do.

              35c7762e-1a34-4b66-b05f-8a7016555538-image.png

              Firewall: NetGate,Palo Alto-VM,Juniper SRX
              Routing: Juniper, Arista, Cisco
              Switching: Juniper, Arista, Cisco
              Wireless: Unifi, Aruba IAP
              JNCIP,CCNP Enterprise

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                That'll do it! 😉

                I have that set. Logging 0.0.0.0 changes is not really helpful IMO.

                M 1 Reply Last reply Reply Quote 1
                • M
                  michmoor LAYER 8 Rebel Alliance @stephenw10
                  last edited by

                  @stephenw10
                  Gotcha! Thank you
                  So with that enabled, will that help in understanding the syslogs I'm receiving from arpwatch? Thats the part I'm not getting which is why am i receiving these flip flop messages from statically IP assigned hosts.

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    Yeah it's warning you that more than one MAC is using the same IP address which can obviously be a problem. But not when it's 0.0.0.0.

                    M 2 Replies Last reply Reply Quote 0
                    • M
                      michmoor LAYER 8 Rebel Alliance @stephenw10
                      last edited by

                      @stephenw10
                      Def makes sense. Nice! Thank you once again for the quick response and the very helpful tip. Appreciate you !

                      Firewall: NetGate,Palo Alto-VM,Juniper SRX
                      Routing: Juniper, Arista, Cisco
                      Switching: Juniper, Arista, Cisco
                      Wireless: Unifi, Aruba IAP
                      JNCIP,CCNP Enterprise

                      1 Reply Last reply Reply Quote 0
                      • M
                        michmoor LAYER 8 Rebel Alliance @stephenw10
                        last edited by

                        @stephenw10
                        Looks like im still getting these alerts.

                        hostname: <unknown>
                        ip address: 0.0.0.0
                        ethernet address: 00:11:32:c4:06:f5
                        ethernet vendor: Synology Incorporated
                        old ethernet address: 00:11:32:78:37:5b
                        old ethernet vendor: Synology Incorporated
                        timestamp: Tuesday, June 25, 2024 14:58:10 -0400
                        previous timestamp: Tuesday, June 25, 2024 14:43:33 -0400
                        delta: 14 minutes

                        Anything i can do?

                        Firewall: NetGate,Palo Alto-VM,Juniper SRX
                        Routing: Juniper, Arista, Cisco
                        Switching: Juniper, Arista, Cisco
                        Wireless: Unifi, Aruba IAP
                        JNCIP,CCNP Enterprise

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          After set that checkbox? Hmm, try restarting arpwatch. Though I would have expected that to happen anyway...

                          1 Reply Last reply Reply Quote 1
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.