Recently I have been running into issues where incorrect MAC Addresses are populating the ARP tables of some Windows VMs running in a Cloud Provider's cloud. For example, if I ping 10.1.2.3, some Windows VMs show a different MAC Address from the majority of other VMs. The result is that these few Windows VMs cannot reach 10.1.2.3 but the rest of the VMs (both Windows and Linux) can reach it.
After running Packet Captures, the source of the incorrect MAC Addresses seems to be MS-NLB-PhysServer-XX_, which is included in Wireshark's published list. I am not running any sort of MS-NLB though, and so it is very confusing as to what that source is. My Cloud Provider says that it is not coming from them. My questions are:
- Is there a good way to identify the source device based on its MAC Address if I do not own that device? i.e., I am wondering if it is coming from our cloud provider's load balancers.
- What are reasons this source device would have incorrect MAC Addresses that it is sending to other devices? i.e., why does it have the wrong MAC address for 10.1.2.3 and other newly created Network Interfaces?
- What are reasons only a subset of the VMs get the bad MAC addresses from this source and other VMs in the same subnet get good MAC addresses from other sources?
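
One way to triage the symptom described above, as an added example that is not part of the original post: it compares neighbor tables collected from several VMs (Windows `arp -a` and Linux `ip neigh` output), reports which hosts disagree with the majority for an IP, and checks the locally administered bit of the odd MAC. The host names, MAC addresses and captured output are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Matches a Windows `arp -a` row or a Linux `ip neigh` row: IP first, MAC later.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s.*?\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b"
)

def parse_neighbors(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (not a vendor-assigned OUI)."""
    return bool(int(mac[:2], 16) & 0x02)

def find_outliers(tables):
    """tables: {host: {ip: mac}} -> [(ip, host, odd_mac, majority_mac, local_bit)]."""
    seen = defaultdict(dict)
    for host, table in tables.items():
        for ip, mac in table.items():
            seen[ip][host] = mac
    report = []
    for ip, by_host in sorted(seen.items()):
        counts = Counter(by_host.values())
        if len(counts) < 2:
            continue  # every host agrees on this IP
        majority = counts.most_common(1)[0][0]
        for host, mac in sorted(by_host.items()):
            if mac != majority:
                report.append((ip, host, mac, majority, is_locally_administered(mac)))
    return report

# Constructed sample captures (hypothetical host names and MAC addresses).
SAMPLE = {
    "win-vm-1": "Interface: 10.1.2.10 --- 0x5\n  Internet Address      Physical Address      Type\n  10.1.2.3              00-11-22-33-44-55     dynamic\n",
    "win-vm-2": "Interface: 10.1.2.11 --- 0x5\n  10.1.2.3              02-01-aa-bb-cc-dd     dynamic\n",
    "linux-vm-1": "10.1.2.3 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n",
}

if __name__ == "__main__":
    tables = {host: parse_neighbors(raw) for host, raw in SAMPLE.items()}
    for row in find_outliers(tables):
        print("ip=%s host=%s mac=%s majority=%s locally_administered=%s" % row)
```

A MAC with the locally administered bit set was assigned by software rather than burned in by a manufacturer, so a vendor lookup on its prefix does not identify the hardware behind it.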