2

I've been having IP issues with my local box for a couple months now. Usually when it starts acting up I don't have the patience to look into it, so I just drop onto DHCP, but this morning I've finally decided to figure out what's going on.

I'm on a network that has 192.2.40.1 as the gateway, and is a 255.255.254.0 subnet (so IP Range is 192.2.40.1-192.2.41.254). My static IP address is 192.2.40.17. We have a Watchguard Fireware XTM Firewall/Router that sits on 192.2.40.1 . Also, our DHCP range is 192.2.41.200-192.2.41.254

The issue is that I occasionally lose my network connection, and when I try to reconnect I get errors regarding an IP Address conflict. We're pretty strict about documenting IP addresses here, so I found it quite odd that someone else would be using my IP address. I did a couple network scans, checked my DNS and DHCP logs, and found nothing using 192.2.40.17 (aside from my computer).

Grasping at straws, I ran "arp -a" to check if that could give me any information. Oddly enough, this is what I saw (note: I am on DHCP right now):

C:\Users\jwegner>arp -a

Interface: 192.2.41.107 --- 0xa
  Internet Address      Physical Address      Type
  192.2.40.1            00-90-7f-42-3f-30     dynamic
  192.2.40.17           00-90-7f-42-3f-30     dynamic
  //Truncated, because the rest is not important

Interesting - it would appear that my local computer is viewing 192.2.40.1 and 192.2.40.17 as the same device. I checked that MAC Address, and it is indeed the MAC Address for our firewall/router. I cleared my arp cache, thinking that something just got turned around somewhere. I then pinged 192.2.40.17 to recache the arp, and arp -a output the same thing.

There is nothing in my Firewall/Router that would make it take over the 192.2.40.17 address. Also, if I ping 192.2.40.17 I get nothing, so I must be getting some sort of false positive here. Any ideas on what might be causing this?

jwegner
  • 493
  • 5
  • 10
  • Have you tried packet sniffing to determine whether your PC's NIC is receiving incorrect ARP packets or whether it is your NIC (or I'm guessing more likely either your NIC's driver or Windows) misbehaving? – Robin Gill Jan 23 '12 at 14:37
  • 3
    You're on `Level 3 Communications, Inc.` network? Because if you're not, you're not allowed to use their IP addresses `192.2.0.0-192.2.255.255`. What OS are you using? – Chris S Jan 23 '12 at 14:47
  • @RobinGill It would appear it is not just my local NIC. I have tested it on multiple computers, and they all show the weird ARP listing. Also, sniffing ARP traffic doesn't show anything unusual. – jwegner Jan 23 '12 at 15:43
  • @ChrisS I'm aware of the IP Address issue. It was setup a looooong time ago by an uninformed IT guy. It's on the todo list. I've experienced the issue both on Win7 and Ubuntu 11.04 (dual boot) – jwegner Jan 23 '12 at 15:44
  • Have you checked that the MAC on your Workstation's NIC and the MAC on the router are in fact different? – Chris S Jan 23 '12 at 15:55
  • @ChrisS Yes. First thing I checked actually. – jwegner Jan 23 '12 at 17:08
  • @jwegner When you sniff ARP traffic, do you see an ARP for 192.2.40.17 from the router? Or do you not see such an ARP? (The answer to that question splits the problem space in half.) – David Schwartz Jan 23 '12 at 18:25

3 Answers3

1

If this is a private net, you should change to a non-routable IP range. 10.0.0.x or 192.168.1.x, to reduce confusion both for you and links from the outside.

Seems like it assigned itself an address? Check the DHCP messages for the assignment after resetting everything. Might help diagnose what's going on.

gmoney
  • 121
  • 2
  • The interesting thing is that the firewall actually *does not* have that address - it only has 192.2.40.1. We've looked through our DHCP logs and see nothing regarding 192.2.40.17. – jwegner Jan 23 '12 at 15:45
0

First you should change to Private network. After that the correct way to troubleshoot this would be to setup a packet capture and find out where the ARP packets are coming from. Better to run it on command line and let it run in the background:

dumpcap -f "arp" -w "C:\temp\arp.pcap" 

I suspect it is some incorrect configuration on the router (probably trying to do Proxy ARP in a wrong way!)

Benny
  • 181
  • 1
  • 7
0

I had the same issue on a VM - IP address conflict, coming from the Mac address of the firewall it was connected to. I ended up adding a new NIC and removing the old one, which solved the issue.

KERR
  • 365
  • 3
  • 8