Kernel: Arp moved from - to

z3r0x

@wallabybob:

You probably have two devices with the same IP address. This can happen in a variety of ways including:
1. a device has been configured with a static IP  address that is inside the dynamic IP address range of the DHCP server.
2. You have two (or more) DHCP servers on the same network and they have overlapping address pools
3. you have two devices configured with the same IP address.
4. you have a device with two interfaces (perhaps wired and wireless) and the same IP address configured on each interface (possibly DHCP configured) and the device is switching between interfaces.

Hi. Apple TV is using DHCP. There is only 1 DHCP running and no one is using the same ip. But what I have seen when sniffing with Wireshark was something with IPv6. I have added a txt file. Maybe this tells you more? I don't remember doing anything with ipv6.

dump.txt

heper

@serialdie: i'm guessing you have a hardware failure (broken networkcard/cabling/…) mac address 00:00:00:00:00:00 is invalid

@z3r0x: both mac addresses you mention are from apple hardware. the logs indicate both devices (or 1 device using multiple interfaces) compete for the same address.
ipv6 does not have ARP, so it can not be involved - ipv6 has NDP (similar purpose, not the same)
http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

jasonlitka

@z3r0x:

Hi

I have quite a lot of these messages in the logfile

kernel: arp: 10.0.10.19 moved from 58:55:ca:39:e3:19 to 00:24:36:a3:28:2f on lagg0_vlan110
kernel: arp: 10.0.10.19 moved from 00:24:36:a3:28:2f to 58:55:ca:39:e3:19 on lagg0_vlan110

lagg0 is configured with LCAP.

Is this something to worry about or just normal?

Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

cmb

@Jason:

Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

Wow, really? Why's that? Odd that effectively the symptoms of an IP conflict would be normal, but I recall seeing that once on my home network also between two Apple vendor MACs. Don't have a time capsule or AirPort Extreme, have 2 Apple TVs, a couple iPhones, couple iPads, couple MacBook Pros, and an iMac. At the time I didn't even have time to check which MAC went to which device, and it hasn't recurred so I haven't bothered digging into it.

jasonlitka

@cmb:

@Jason:

Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

Wow, really? Why's that? Odd that effectively the symptoms of an IP conflict would be normal, but I recall seeing that once on my home network also between two Apple vendor MACs. Don't have a time capsule or AirPort Extreme, have 2 Apple TVs, a couple iPhones, couple iPads, couple MacBook Pros, and an iMac. At the time I didn't even have time to check which MAC went to which device, and it hasn't recurred so I haven't bothered digging into it.

It's a "feature" and part of the Bonjour Sleep Proxy.

http://support.apple.com/kb/HT3774

Also:

https://discussions.apple.com/thread/2160614
http://blog.martinshouse.com/2009/11/apple-time-capsule-steals-ip-addresses.html?m=1
http://en.usenet.digipedia.org/thread/16243/200/

serialdie

@Jason:

@cmb:

@Jason:

Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

Wow, really? Why's that? Odd that effectively the symptoms of an IP conflict would be normal, but I recall seeing that once on my home network also between two Apple vendor MACs. Don't have a time capsule or AirPort Extreme, have 2 Apple TVs, a couple iPhones, couple iPads, couple MacBook Pros, and an iMac. At the time I didn't even have time to check which MAC went to which device, and it hasn't recurred so I haven't bothered digging into it.

It's a "feature" and part of the Bonjour Sleep Proxy.

http://support.apple.com/kb/HT3774

Also:

https://discussions.apple.com/thread/2160614
http://blog.martinshouse.com/2009/11/apple-time-capsule-steals-ip-addresses.html?m=1
http://en.usenet.digipedia.org/thread/16243/200/

Ha! That makes sense.
I have bonjour enable on my nas and thats the IP of the nas.

Thanks.

joako

@Jason:

@cmb:

@Jason:

Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

Wow, really? Why's that? Odd that effectively the symptoms of an IP conflict would be normal, but I recall seeing that once on my home network also between two Apple vendor MACs. Don't have a time capsule or AirPort Extreme, have 2 Apple TVs, a couple iPhones, couple iPads, couple MacBook Pros, and an iMac. At the time I didn't even have time to check which MAC went to which device, and it hasn't recurred so I haven't bothered digging into it.

It's a "feature" and part of the Bonjour Sleep Proxy.

http://support.apple.com/kb/HT3774

Also:

https://discussions.apple.com/thread/2160614
http://blog.martinshouse.com/2009/11/apple-time-capsule-steals-ip-addresses.html?m=1
http://en.usenet.digipedia.org/thread/16243/200/

If we disable the sleep proxy "feature" on all the MACs will the errors go away?

bardelot

If you just want those messages not to appear in the log add the system tunable "net.link.ether.inet.log_arp_movements" and set its value to 0.

jasonlitka

@joako:

If we disable the sleep proxy "feature" on all the MACs will the errors go away?

No. The issue is with the TC and AE, not the Macs, and you can't disable that feature on them.

@bardelot:

If you just want those messages not to appear in the log add the system tunable "net.link.ether.inet.log_arp_movements" and set its value to 0.

I actually think the Suppress ARP messages setting will do it as well. If memory serves I didn't add a manual tunable.

bardelot

@Jason:

I actually think the Suppress ARP messages setting will do it as well. If memory serves I didn't add a manual tunable.

Yes it sets the same tunable and also net.link.ether.inet.log_arp_wrong_iface="0" .

tojoski

This is happening on my Home Server as well.. I have 2 Gigabit Ethernet ports that are teamed to a single connection.

Feb 5 12:33:22

kernel: arp: 10.1.1.5 moved from 00:e0:81:ba:57:c4 to 00:e0:81:ba:57:c5 on em0

Feb 5 12:33:22

kernel: arp: 10.1.1.5 moved from 00:e0:81:ba:57:c5 to 00:e0:81:ba:57:c4 on em0

Will this create an issue? It seems to be working ok

cmb

@tojoski:

This is happening on my Home Server as well.. I have 2 Gigabit Ethernet ports that are teamed to a single connection.

Feb 5 12:33:22

kernel: arp: 10.1.1.5 moved from 00:e0:81:ba:57:c4 to 00:e0:81:ba:57:c5 on em0

Feb 5 12:33:22

kernel: arp: 10.1.1.5 moved from 00:e0:81:ba:57:c5 to 00:e0:81:ba:57:c4 on em0

Will this create an issue? It seems to be working ok

That's a different scenario, that's what you see when using certain types of NIC bonding. It's fine.

joako

@Jason:

@joako:

If we disable the sleep proxy "feature" on all the MACs will the errors go away?

No. The issue is with the TC and AE, not the Macs, and you can't disable that feature on them.

@bardelot:

If you just want those messages not to appear in the log add the system tunable "net.link.ether.inet.log_arp_movements" and set its value to 0.

I actually think the Suppress ARP messages setting will do it as well. If memory serves I didn't add a manual tunable.

I don't have any Time Capsule or Airport Express. Only Apple TV, 2x MacBook that are here sometimes and probably a few PCs with iTunes installed, if that matters.

But I still get the errors in the pfSense log.

cmb

@joako:

I don't have any Time Capsule or Airport Express. Only Apple TV, 2x MacBook that are here sometimes and probably a few PCs with iTunes installed, if that matters.

But I still get the errors in the pfSense log.

You don't need either of those, anything with the sleep proxy does it.

xbipin

isnt this arp moved thing related to using wifi repeaters?

cmb

@xbipin:

isnt this arp moved thing related to using wifi repeaters?

Most often, no. It can be. Some of them will translate the source MAC, which if someone roams from one wifi repeater to another will generate this kind of log.

xbipin

if so then wouldnt it cause issues with internet drops when a static dhcp lease is set with static arp for a client wifi mac id

cmb

@xbipin:

if so then wouldnt it cause issues with internet drops when a static dhcp lease is set with static arp for a client wifi mac id

It shouldn't. The DHCP requests should be relayed so the DHCP server still gets the client's actual MAC. Otherwise only one client behind the repeater would work on DHCP.

xbipin

well i have a problem with the same, i have bridged lan to wifi on pfsense and static mac id/ip pairs set with static arp and deny unknown client ticked, i use a tp link TL-WA850RE wifi range entender and wifi clients get the proper ip but with staic arp wifi clients r not able to surf at all untill i untick that, any solution to this