ARP Entry Change Messages - Same to/from for Back and Forth
-
We have a large network with a little over 500 users on multiple subnets and VLANs connected to 3 boxes running 1.2.3. The majority of these hosts have statically assigned IP addresses so we monitor ARP entry changes to ensure duplicates do not cause issues. I have been noticing recently that the syslog messages we get are a little strange - when two hosts are competing for the address the router generates ARP entry change messages stating what MAC it changed from and to. Lately the messages always have the same from and to MAC for a given IP. For example, I used to get messages that an IP changed from MAC A to MAC B, then it would change back from MAC B to MAC A. Now, all of the messages show an IP change from MAC A to MAC B, then again from MAC A to MAC B, and again and again. ???
2/5/2010 10:43 AM : Feb 5 10:43:55 kernel: arp: 10.61.32.11 moved from 2a:00:3e:93:fd:a2 to 2a:00:3e:23:53:10 on em1
2/5/2010 10:44 AM : Feb 5 10:43:55 kernel: arp: 10.61.32.11 moved from 2a:00:3e:93:fd:a2 to 2a:00:3e:23:53:10 on em1
Now, these are both valid MACs for hosts on our network, but why am I not seeing the change back and forth? I'm not 100% sure, but I think this started when we upgraded from to 1.2.3…. I think. :-\
Is anyone else seeing this kind of behavior?
Aaron
-
http://doc.pfsense.org/index.php/ARP_moved_log_messages
-
Thanks jimp, I'm fully aware of why we get the messages and what they mean - as mentioned, I have been using them for years to ensure duplicate addresses do not exist on our network. Thank you for the reading though.
My problem ended up being in my NMS that sent out the alerts based on these syslog messages - it would send the same message each time the arp entry changed, so it appeared to always be changing from A to B and never back.
Aaron
-
Not sure what might be going on there then.
Do both of those MAC addresses reside on the machine with that IP address? Perhaps a bridge involved somewhere? Or some kind of a shared IP (CARP, etc) between those two?
That MAC address doesn't appear to be from a valid vendor, so it's either spoofed or from something that spoofs a MAC for its own purposes (e.g. Virtualizing software)
-
Sorry for the confusion - we run a WiSP service for a large rural area using Motorola Canopy radios (not 802.11) - over 500 customers, many commercial gas production facilities, coal mines, etc. The radios have MACs starting with 0a-00-3e… When NAT is turned on they change the first number to a 2 (2a-00-3e...).
Again, I got this sorted out. I know what the messages mean, and I use them regularly to monitor duplicate IP addresses being used, but there was an issue with our syslog server and the messages it was sending out to us (it was only sending the first message multiple times, so it looked like the same change was happening multiple times instead of back and forth between the hosts).
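As an added example (not code from this thread or from pfSense), a small Python checker that parses the `arp: ... moved from ... to ... on em1` kernel lines quoted above, drops messages a syslog relay re-sent verbatim, and flags an IP as a real duplicate-address conflict only when the MAC actually reverses (A to B and later B to A). The 10.61.32.12 lines and their MACs are constructed for the demo.

```python
import re
from collections import defaultdict

# FreeBSD/pfSense kernel message format as quoted in the thread.
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) kernel: arp: "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<iface>\w+)$"
)

def parse_arp_moved(line):
    """Return the fields of one 'arp: ... moved' line, or None for other lines."""
    m = ARP_MOVED.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Per-IP summary: distinct move events, relay duplicates, and whether the MAC flaps."""
    seen = set()
    state = defaultdict(lambda: {"moves": [], "duplicates": 0})
    for line in lines:
        ev = parse_arp_moved(line)
        if ev is None:
            continue
        # Identical timestamp + content means the relay re-sent the same message,
        # which is exactly what the original poster's NMS turned out to be doing.
        key = (ev["ts"], ev["ip"], ev["old"], ev["new"], ev["iface"])
        if key in seen:
            state[ev["ip"]]["duplicates"] += 1
            continue
        seen.add(key)
        state[ev["ip"]]["moves"].append((ev["old"], ev["new"]))
    summary = {}
    for ip, rec in state.items():
        pairs = set(rec["moves"])
        # Two hosts fighting for one address show both A->B and B->A transitions.
        flapping = any((b, a) in pairs for (a, b) in pairs)
        summary[ip] = {"events": len(rec["moves"]),
                       "duplicates": rec["duplicates"],
                       "flapping": flapping}
    return summary

# Constructed sample: the thread's two identical lines plus a genuine flap.
SAMPLE_LOG = [
    "Feb 5 10:43:55 kernel: arp: 10.61.32.11 moved from 2a:00:3e:93:fd:a2 to 2a:00:3e:23:53:10 on em1",
    "Feb 5 10:43:55 kernel: arp: 10.61.32.11 moved from 2a:00:3e:93:fd:a2 to 2a:00:3e:23:53:10 on em1",
    "Feb 5 10:50:01 kernel: arp: 10.61.32.12 moved from 0a:00:3e:11:22:33 to 0a:00:3e:44:55:66 on em1",
    "Feb 5 10:50:09 kernel: arp: 10.61.32.12 moved from 0a:00:3e:44:55:66 to 0a:00:3e:11:22:33 on em1",
    "Feb 5 10:50:15 kernel: some unrelated message",
]

if __name__ == "__main__":
    for ip, rec in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, rec)
```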