Netgate Discussion Forum
Syslog repeats - "Kernel: arp: 'ip' moved from 'MAC' to 'MAC'"

Hardware
10 Posts 4 Posters 5.3k Views
    mhab12
    last edited by Mar 29, 2007, 7:10 PM

    I have two servers behind my pfSense box that both have 'teamed' Realtek server gigabit NICs (10.21.1.4 and 10.21.1.6, see below).  It seems that they are filling up the syslog as the pfSense box sees them move between the two physical NICs in each of the clients.  Is this a problem, should I be worried, and what can I do to make the system ignore or otherwise delete these log entries?  A tiny sample follows:

    Mar 29 11:28:03 kernel: arp: 10.21.1.4 moved from 00:e0:81:2a:11:16 to 00:e0:81:2a:11:17 on rl0
    Mar 29 11:29:38 kernel: arp: 10.21.1.6 moved from 00:e0:81:41:46:f6 to 00:e0:81:41:46:f7 on rl0
    Mar 29 11:29:38 kernel: arp: 10.21.1.6 moved from 00:e0:81:41:46:f7 to 00:e0:81:41:46:f6 on rl0
    Mar 29 11:30:13 kernel: arp: 10.21.1.6 moved from 00:e0:81:41:46:f6 to 00:e0:81:41:46:f7 on rl0
    Mar 29 11:31:13 kernel: arp: 10.21.1.4 moved from 00:e0:81:2a:11:17 to 00:e0:81:2a:11:16 on rl0
    Mar 29 11:31:48 kernel: arp: 10.21.1.4 moved from 00:e0:81:2a:11:16 to 00:e0:81:2a:11:17 on rl0
    Mar 29 11:32:23 kernel: arp: 10.21.1.4 moved from 00:e0:81:2a:11:17 to 00:e0:81:2a:11:16 on rl0

      sullrich
      last edited by Mar 29, 2007, 7:50 PM

      Your "team" is not set up correctly.  It is seeing both hosts on both NICs.

        hoba
        last edited by Mar 29, 2007, 9:13 PM

        There are different teaming modes for this kind of setup. Some need to be supported by the switch you connect the 2 links to. If the switch doesn't support it, things like this can happen. To hide this from your logs you can tick the suppress arp-messages box at system>advanced. However, changing the config of your teams/switch to not act like this would be the proper fix.

          mhab12
          last edited by Mar 29, 2007, 11:33 PM

          I found the feature via the web interface of my DLink 1248T switch.  I know I'm getting OT, but would I leave my team enabled on the server and then 'trunk' the two ports via the switch as well?  I'll give it a try this weekend and let you guys know.  Thanks for the prompt replies.  Keep up the great work.

            sullrich
            last edited by Mar 30, 2007, 4:14 AM

            For the record, pfSense does not accept teaming configurations from the webConfigurator, so either way you do not want to enable teaming on the pfSense switch port.

              mhab12
              last edited by Mar 30, 2007, 2:56 PM

              Right, I just meant for the two pfSense clients that are set up as teams right now.  My use of client/server was anything but proper considering the audience.  Thanks again.

                cmb
                last edited by Apr 6, 2007, 12:08 AM

                This is normal with certain team configurations. It's usually an indication of a problem or security issue to see something like this in a network, which is why it's logged, but in this case if your team config is working as you desire you should just ignore it, or disable it on the Advanced page.

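The message is logged because an IP address changing MACs usually points to a problem or security issue, so rather than ignoring every occurrence, the lines can be filtered against the known team pairs. The following is an added example, not part of the thread and not pfSense code: it parses the `arp: ... moved from ... to ...` lines and reports only hosts whose moves involve a MAC outside their expected pair. The `EXPECTED_TEAMS` mapping, the function names and the last sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# First four lines are from the thread; the last line is constructed
# (02:00:00:00:00:01 is a made-up MAC that belongs to neither team).
SAMPLE = """\
Mar 29 11:28:03 kernel: arp: 10.21.1.4 moved from 00:e0:81:2a:11:16 to 00:e0:81:2a:11:17 on rl0
Mar 29 11:29:38 kernel: arp: 10.21.1.6 moved from 00:e0:81:41:46:f6 to 00:e0:81:41:46:f7 on rl0
Mar 29 11:29:38 kernel: arp: 10.21.1.6 moved from 00:e0:81:41:46:f7 to 00:e0:81:41:46:f6 on rl0
Mar 29 11:30:13 kernel: arp: 10.21.1.6 moved from 00:e0:81:41:46:f6 to 00:e0:81:41:46:f7 on rl0
Mar 29 11:33:00 kernel: arp: 10.21.1.6 moved from 00:e0:81:41:46:f7 to 02:00:00:00:00:01 on rl0
"""

# Assumption: the admin records which MACs legitimately share each teamed IP.
EXPECTED_TEAMS = {
    "10.21.1.4": {"00:e0:81:2a:11:16", "00:e0:81:2a:11:17"},
    "10.21.1.6": {"00:e0:81:41:46:f6", "00:e0:81:41:46:f7"},
}

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
ARP_MOVED = re.compile(
    r"kernel: arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    rf"(?P<old>{MAC}) to (?P<new>{MAC}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

def summarize(log_text, expected):
    """Return {ip: {"moves": int, "macs": set, "unexpected": set}}."""
    report = defaultdict(lambda: {"moves": 0, "macs": set(), "unexpected": set()})
    for line in log_text.splitlines():
        m = ARP_MOVED.search(line)
        if not m:
            continue  # not an "arp: ... moved" line
        entry = report[m["ip"]]
        entry["moves"] += 1
        for mac in (m["old"].lower(), m["new"].lower()):
            entry["macs"].add(mac)
            # An IP with no expected entry treats every MAC as unexpected.
            if mac not in expected.get(m["ip"], set()):
                entry["unexpected"].add(mac)
    return dict(report)

def needs_review(report):
    """IPs whose moves involved a MAC outside the expected team pair."""
    return sorted(ip for ip, e in report.items() if e["unexpected"])

if __name__ == "__main__":
    for ip in needs_review(summarize(SAMPLE, EXPECTED_TEAMS)):
        print("review ARP moves for", ip)
```
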
                  mhab12
                  last edited by Apr 6, 2007, 3:46 PM

                  By 'disable it on the advanced page' you mean the 'shared physical network' check box to suppress ARP messages?  I marked the box but am still seeing the errors in the log.  Does that option require a reboot or restart of some service?

                    hoba
                    last edited by Apr 6, 2007, 3:55 PM

                    Yes, that box should do the trick. Shouldn't require a reboot but maybe we do not restart the service. Try saving the syslog settings at status>systemlogs, settings and see if this makes the messages go away.

                      sullrich
                      last edited by Apr 6, 2007, 3:59 PM

                      I fixed a bug in this area recently.  Upgrade to a recent snapshot and select the option hoba suggested.
