Kernel: Arp moved from - to



  • Hi

    I have quite a lot of these messages in the logfile

    kernel: arp: 10.0.10.19 moved from 58:55:ca:39:e3:19 to 00:24:36:a3:28:2f on lagg0_vlan110
    kernel: arp: 10.0.10.19 moved from 00:24:36:a3:28:2f to 58:55:ca:39:e3:19 on lagg0_vlan110

    lagg0 is configured with LCAP.

    Is this something to worry about or just normal?



  • how frequent is that ?

    if this happens multiple times per minute with the same ip-address then you might have a static ip configured inside your dhcp pool



  • It maybe happens every 15-20 minutes… depends a little bit.
    I don't think that I have configured any static ip adresses inside the dhcp pool but I will have a look.



  • I have the same issue with no static inside the dhcp pool.



  • I know that 58:55:ca:39:e3:19 is my appleTV. Not sure what device the other MAC is… Is there a way to find out?



  • @z3r0x:

    kernel: arp: 10.0.10.19 moved from 58:55:ca:39:e3:19 to 00:24:36:a3:28:2f on lagg0_vlan110
    kernel: arp: 10.0.10.19 moved from 00:24:36:a3:28:2f to 58:55:ca:39:e3:19 on lagg0_vlan110

    You probably have two devices with the same IP address. This can happen in a variety of ways including:
    1. a device has been configured with a static IP  address that is inside the dynamic IP address range of the DHCP server.
    2. You have two (or more) DHCP servers on the same network and they have overlapping address pools
    3. you have two devices configured with the same IP address.
    4. you have a device with two interfaces (perhaps wired and wireless) and the same IP address configured on each interface (possibly DHCP configured) and the device is switching between interfaces.



  • Not in my case…

    arp: 10.30.2.99 moved from b0:b2:dc:ed:59:XX to 00:00:00:00:00:00 on re1
    arp: 10.30.2.99 moved from 00:00:00:00:00:00 to b0:b2:dc:ed:59:XX on re1



  • @wallabybob:

    You probably have two devices with the same IP address. This can happen in a variety of ways including:
    1. a device has been configured with a static IP  address that is inside the dynamic IP address range of the DHCP server.
    2. You have two (or more) DHCP servers on the same network and they have overlapping address pools
    3. you have two devices configured with the same IP address.
    4. you have a device with two interfaces (perhaps wired and wireless) and the same IP address configured on each interface (possibly DHCP configured) and the device is switching between interfaces.

    Hi. Apple TV is using DHCP. There is only 1 DHCP running and no one is using the same ip. But what I have seen when sniffing with Wireshark was something with IPv6. I have added a txt file. Maybe this tells you more? I don't remember doing anything with ipv6.

    dump.txt



  • @serialdie: i'm guessing you have a hardware failure (broken networkcard/cabling/…) mac address 00:00:00:00:00:00 is invalid

    @z3r0x: both mac addresses you mention are from apple hardware. the logs indicate both devices (or 1 device using multiple interfaces) compete for the same address.
    ipv6 does not have ARP, so it can not be involved - ipv6 has NDP (similar purpose, not the same)
    http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol



  • @z3r0x:

    Hi

    I have quite a lot of these messages in the logfile

    kernel: arp: 10.0.10.19 moved from 58:55:ca:39:e3:19 to 00:24:36:a3:28:2f on lagg0_vlan110
    kernel: arp: 10.0.10.19 moved from 00:24:36:a3:28:2f to 58:55:ca:39:e3:19 on lagg0_vlan110

    lagg0 is configured with LCAP.

    Is this something to worry about or just normal?

    Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.



  • @Jason:

    Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

    Wow, really? Why's that? Odd that effectively the symptoms of an IP conflict would be normal, but I recall seeing that once on my home network also between two Apple vendor MACs. Don't have a time capsule or AirPort Extreme, have 2 Apple TVs, a couple iPhones, couple iPads, couple MacBook Pros, and an iMac. At the time I didn't even have time to check which MAC went to which device, and it hasn't recurred so I haven't bothered digging into it.



  • @cmb:

    @Jason:

    Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

    Wow, really? Why's that? Odd that effectively the symptoms of an IP conflict would be normal, but I recall seeing that once on my home network also between two Apple vendor MACs. Don't have a time capsule or AirPort Extreme, have 2 Apple TVs, a couple iPhones, couple iPads, couple MacBook Pros, and an iMac. At the time I didn't even have time to check which MAC went to which device, and it hasn't recurred so I haven't bothered digging into it.

    It's a "feature" and part of the Bonjour Sleep Proxy.

    http://support.apple.com/kb/HT3774

    Also:

    https://discussions.apple.com/thread/2160614
    http://blog.martinshouse.com/2009/11/apple-time-capsule-steals-ip-addresses.html?m=1
    http://en.usenet.digipedia.org/thread/16243/200/



  • @Jason:

    @cmb:

    @Jason:

    Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

    Wow, really? Why's that? Odd that effectively the symptoms of an IP conflict would be normal, but I recall seeing that once on my home network also between two Apple vendor MACs. Don't have a time capsule or AirPort Extreme, have 2 Apple TVs, a couple iPhones, couple iPads, couple MacBook Pros, and an iMac. At the time I didn't even have time to check which MAC went to which device, and it hasn't recurred so I haven't bothered digging into it.

    It's a "feature" and part of the Bonjour Sleep Proxy.

    http://support.apple.com/kb/HT3774

    Also:

    https://discussions.apple.com/thread/2160614
    http://blog.martinshouse.com/2009/11/apple-time-capsule-steals-ip-addresses.html?m=1
    http://en.usenet.digipedia.org/thread/16243/200/

    Ha! That makes sense.
    I have bonjour enable on my nas and thats the IP of the nas.

    Thanks.



  • @Jason:

    @cmb:

    @Jason:

    Do you have a Time Capsule or AirPort Extreme to go with the AppleTV?  If so, that is, unfortunately, normal.

    Wow, really? Why's that? Odd that effectively the symptoms of an IP conflict would be normal, but I recall seeing that once on my home network also between two Apple vendor MACs. Don't have a time capsule or AirPort Extreme, have 2 Apple TVs, a couple iPhones, couple iPads, couple MacBook Pros, and an iMac. At the time I didn't even have time to check which MAC went to which device, and it hasn't recurred so I haven't bothered digging into it.

    It's a "feature" and part of the Bonjour Sleep Proxy.

    http://support.apple.com/kb/HT3774

    Also:

    https://discussions.apple.com/thread/2160614
    http://blog.martinshouse.com/2009/11/apple-time-capsule-steals-ip-addresses.html?m=1
    http://en.usenet.digipedia.org/thread/16243/200/

    If we disable the sleep proxy "feature" on all the MACs will the errors go away?



  • If you just want those messages not to appear in the log add the system tunable "net.link.ether.inet.log_arp_movements" and set its value to 0.



  • @joako:

    If we disable the sleep proxy "feature" on all the MACs will the errors go away?

    No. The issue is with the TC and AE, not the Macs, and you can't disable that feature on them.

    @bardelot:

    If you just want those messages not to appear in the log add the system tunable "net.link.ether.inet.log_arp_movements" and set its value to 0.

    I actually think the Suppress ARP messages setting will do it as well. If memory serves I didn't add a manual tunable.



  • @Jason:

    I actually think the Suppress ARP messages setting will do it as well. If memory serves I didn't add a manual tunable.

    Yes it sets the same tunable and also net.link.ether.inet.log_arp_wrong_iface="0" .



  • This is happening on my Home Server as well.. I have 2 Gigabit Ethernet ports that are teamed to a single connection.

    Feb 5 12:33:22

    kernel: arp: 10.1.1.5 moved from 00:e0:81:ba:57:c4 to 00:e0:81:ba:57:c5 on em0

    Feb 5 12:33:22

    kernel: arp: 10.1.1.5 moved from 00:e0:81:ba:57:c5 to 00:e0:81:ba:57:c4 on em0

    Will this create an issue? It seems to be working ok



  • @tojoski:

    This is happening on my Home Server as well.. I have 2 Gigabit Ethernet ports that are teamed to a single connection.

    Feb 5 12:33:22

    kernel: arp: 10.1.1.5 moved from 00:e0:81:ba:57:c4 to 00:e0:81:ba:57:c5 on em0

    Feb 5 12:33:22

    kernel: arp: 10.1.1.5 moved from 00:e0:81:ba:57:c5 to 00:e0:81:ba:57:c4 on em0

    Will this create an issue? It seems to be working ok

    That's a different scenario, that's what you see when using certain types of NIC bonding. It's fine.



  • @Jason:

    @joako:

    If we disable the sleep proxy "feature" on all the MACs will the errors go away?

    No. The issue is with the TC and AE, not the Macs, and you can't disable that feature on them.

    @bardelot:

    If you just want those messages not to appear in the log add the system tunable "net.link.ether.inet.log_arp_movements" and set its value to 0.

    I actually think the Suppress ARP messages setting will do it as well. If memory serves I didn't add a manual tunable.

    I don't have any Time Capsule or Airport Express. Only Apple TV, 2x MacBook that are here sometimes and probably a few PCs with iTunes installed, if that matters.

    But I still get the errors in the pfSense log.



  • @joako:

    I don't have any Time Capsule or Airport Express. Only Apple TV, 2x MacBook that are here sometimes and probably a few PCs with iTunes installed, if that matters.

    But I still get the errors in the pfSense log.

    You don't need either of those, anything with the sleep proxy does it.



  • isnt this arp moved thing related to using wifi repeaters?



  • @xbipin:

    isnt this arp moved thing related to using wifi repeaters?

    Most often, no. It can be. Some of them will translate the source MAC, which if someone roams from one wifi repeater to another will generate this kind of log.



  • if so then wouldnt it cause issues with internet drops when a static dhcp lease is set with static arp for a client wifi mac id



  • @xbipin:

    if so then wouldnt it cause issues with internet drops when a static dhcp lease is set with static arp for a client wifi mac id

    It shouldn't. The DHCP requests should be relayed so the DHCP server still gets the client's actual MAC. Otherwise only one client behind the repeater would work on DHCP.



  • well i have a problem with the same, i have bridged lan to wifi on pfsense and static mac id/ip pairs set with static arp and deny unknown client ticked, i use a tp link TL-WA850RE wifi range entender and wifi clients get the proper ip but with staic arp wifi clients r not able to surf at all untill i untick that, any solution to this


Log in to reply