2

I have a problem with one of our Solaris servers: an ARP table entry is changing every so often for one of the other servers (WINSERVER) on the network.

It will start out with the correct MAC address for WINSERVER (10.10.10.1), but it is being replaced by other MAC addresses which belong to servers 10.10.10.15 and 10.10.10.29.

The only way to get the correct MAC address is to delete the ARP entry for WINSERVER, and it will discover the correct MAC address again for a limited time.

All servers are on the same network so no routers are involved.

What could be causing this?

5 Answers

4

Have you sniffed for ARP traffic to see what's being sent out, and from where? That would be my first step. Maybe it's screwing up because the other machines are sending advertisements.

Whatever you find there would lead to your next step. If you have evidence that the other machines are sending ads, log in and check the network config with a fine-tooth comb. Virus scans all around. Look for more strange traffic from them.

If there are no advertisements, but it still changes the ARP table... well, come back and let us know, because I've got no idea.

Matt Simmons
  • 1
    Mark of a good sysadmin: Fires up a packet sniffer *first* when diagnosing weird network behavior. Why guess when you can just look? – Insyte Aug 13 '09 at 10:37
1

There is also the possibility of a bad switch port altering the packets. Try a different switch, or at least swap the switch ports around. Even if it's an unmanaged switch, it still inspects packets for MAC addresses.

Justin Dearing
0

Maybe there is a virus/malware on your winserver? Why not do a Windows update and run a complete virus scan? You never know what you will discover.

LOhit
0

You should probably check the configuration of the servers whose ARP entries are showing up where they should not - there's a small possibility that they are misconfigured in some very strange way and doing this themselves.

Next up, get a network sniffer on your Solaris server, and record all ARP traffic until the problem occurs. That should tell you where the incorrect ARP data is coming from. Then you can go fix that machine.

If you can't sniff, then I'd suggest testing as follows: Disconnect everything except the Solaris box and the WINSERVER from the switch. Wait and see if the problem occurs. If it does not, try connecting other equipment (one piece of gear only at a given time) until you find something that seems to cause the problem.

Your best bet is a sniffer, though.

Michael Kohne
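The ARP recording suggested in the answers above can be checked mechanically. This is an added example, not part of any answer: it decodes raw Ethernet ARP frames as a sniffer would capture them and reports every time an IP address is claimed by a different MAC. The function names, the MAC addresses and the 10.10.10.50 address used for the Solaris host are constructed assumptions.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(map(str, b))

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": _mac(frame[6:12]),
            "sha": _mac(frame[22:28]), "spa": _ip(frame[28:32])}

def find_rebinds(frames):
    """List (ip, old_mac, new_mac, eth_src) each time an IP is claimed by a new MAC."""
    seen, hits = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["spa"] == "0.0.0.0":   # ignore non-ARP and ARP probes
            continue
        old = seen.get(arp["spa"])
        if old is not None and old != arp["sha"]:
            hits.append((arp["spa"], old, arp["sha"], arp["eth_src"]))
        seen[arp["spa"]] = arp["sha"]
    return hits

def build(eth_src, op, sha, spa, tpa):
    """Construct a broadcast ARP frame as test input only (nothing is sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(map(int, s.split(".")))
    return (b"\xff" * 6 + m(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + b"\x00" * 6 + i(tpa))

# Constructed MACs from the 00:00:5e:00:53:xx documentation range.
WIN, M15, M29 = "00:00:5e:00:53:01", "00:00:5e:00:53:15", "00:00:5e:00:53:29"
SAMPLE = [
    build(WIN, 2, WIN, "10.10.10.1", "10.10.10.50"),   # correct binding
    build(M15, 1, M15, "10.10.10.15", "10.10.10.1"),   # normal request from .15
    build(M15, 1, M15, "10.10.10.1", "10.10.10.50"),   # .15's NIC claims .1
    build(M29, 2, M29, "10.10.10.1", "10.10.10.50"),   # .29's NIC claims .1
]

if __name__ == "__main__":
    for ip, old, new, src in find_rebinds(SAMPLE):
        print(f"{ip}: {old} -> {new} (frame sent by {src})")
```

On a real capture, the `eth_src` value names the NIC that transmitted the conflicting frame, which is the machine to inspect next.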
0

What sort of NICs are on the win server? There have been issues with Broadcom NICs and Solaris 10 8/07 (a.k.a. Update 4). The issue is that it causes ARP poisoning.