Two IPs coming from same dedicated interface?

[cpals]

We have a laptop that when it plugs into our network it's getting a ip conflict error. So instead of just blocking that IP from being taken, I'm trying to find the root cause and use my newly-learned cisco skills. 🙂

What I've found out:

Switch connected to 6509 (this looks fine):

IDF1-HQ#sh mac-address-table add 00a0.d12e.df39
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
4 00a0.d12e.df39 DYNAMIC Fa3/0/40
Total Mac Addresses for this criterion: 1

This is what I get on our 6509 for the arp table (something's wrong):

6509_HQ#sh ip arp 0004.23bc.6f22
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.24.1.26 2 0004.23bc.6f22 ARPA Vlan4
Internet 172.24.1.15 0 0004.23bc.6f22 ARPA Vlan4

And here's the mac table:

6509_HQ#sh mac-address-table add 0004.23bc.6f22
Legend: * - primary entry

vlan mac address type learn ports
------+----------------+--------+-----+--------------------------
Supervisor:
* 4 0004.23bc.6f22 dynamic Yes Gi8/5

Port 8/5 is strictly for a Server 2003 computer that is plugged directly in. The network adapter does not have two IPs configured in it... I can't figure out what would be causing this.

Any clues?

Thanks!

 

[Crusty]

Is it actively sending traffic with both IPs or is that just an older ARP entry that hasn't timed out yet?

 

[bsobel]

I dont think I understand the problem. You have a nic with two ip's on it, makes sense there are two arp entries for it.... Sounds like the second address might accidently be part of your dhcp scope.

 

[cpals]

Originally posted by: bsobel
I dont think I understand the problem. You have a nic with two ip's on it, makes sense there are two arp entries for it.... Sounds like the second address might accidently be part of your dhcp scope.

No, the NIC does not have two IPs setup on it. If I sniff the traffic on the server, I see traffic coming into the server destined for 172.24.1.15, but no traffic coming out from 172.24.1.15 (the bad ip).

I can ping 172.24.1.15 from the server itself, but I cannot from outside the server.

I could easily fix it by blocking that IP from the dhcp scope, but I'm trying to find out what would be causing the problem so as to learn.

 

[cpals]

Originally posted by: Crusty
Is it actively sending traffic with both IPs or is that just an older ARP entry that hasn't timed out yet?

The ARP is fresh... I do clear arp-cache and a minute later it shows up.

 

[bsobel]

Originally posted by: cpals

Originally posted by: bsobel
I dont think I understand the problem. You have a nic with two ip's on it, makes sense there are two arp entries for it.... Sounds like the second address might accidently be part of your dhcp scope.

No, the NIC does not have two IPs setup on it. If I sniff the traffic on the server, I see traffic coming into the server destined for 172.24.1.15, but no traffic coming out from 172.24.1.15 (the bad ip).

I can ping 172.24.1.15 from the server itself, but I cannot from outside the server.

I could easily fix it by blocking that IP from the dhcp scope, but I'm trying to find out what would be causing the problem so as to learn.

Im sorry, I read that backwards obviously. If you do a net route print, what do you get? (can you post that here?)

 

[spidey07]

Well clearly the server DOES have two addresses on it if it is responding to the arp request from the router. What's the arp table on the server say?

The only other thing would be duplicate MAC addresses which would cause all sorts of problems with the server in question.

 

[cpals]

route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 04 23 bc 6f 23 ...... Intel(R) PRO/1000 MT Dual Port Network Connection #2
0x10004 ...00 04 23 bc 6f 22 ...... Intel(R) PRO/1000 MT Dual Port Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.24.1.1 172.24.1.26 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.24.1.0 255.255.255.0 172.24.1.26 172.24.1.26 10
172.24.1.26 255.255.255.255 127.0.0.1 127.0.0.1 10
172.24.255.255 255.255.255.255 172.24.1.26 172.24.1.26 10
224.0.0.0 240.0.0.0 172.24.1.26 172.24.1.26 10
255.255.255.255 255.255.255.255 172.24.1.26 172.24.1.26 1
255.255.255.255 255.255.255.255 172.24.1.26 10003 1
Default Gateway: 172.24.1.1
===========================================================================
Persistent Routes:
None

ping 172.24.1.15

Pinging 172.24.1.15 with 32 bytes of data:



Reply from 172.24.1.15: bytes=32 time<1ms TTL=128

Reply from 172.24.1.15: bytes=32 time<1ms TTL=128

Reply from 172.24.1.15: bytes=32 time<1ms TTL=128

Reply from 172.24.1.15: bytes=32 time<1ms TTL=128



Ping statistics for 172.24.1.15:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

arp -a 172.24.1.15

Interface: 172.24.1.26 --- 0x10004
Internet Address Physical Address Type
172.24.1.15 00-a0-d1-2e-df-39 dynamic

 

[cpals]

ipconfig /all

Ethernet adapter Local Area Connection 2:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection #2

Physical Address. . . . . . . . . : 00-04-23-BC-6F-23



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection

Physical Address. . . . . . . . . : 00-04-23-BC-6F-22

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 172.24.1.26

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 172.24.1.1

 

[bsobel]

What IP do you have assigned to the loopback adapter?

 

[spidey07]

ok - something is seriously screwed up. This reminds me of proxy arp problem where you have something performing proxy-arp that you don't know about. There is a disagreement between layer2 and layer3 with the 172.24.1.15 address. Server thinks one thing, router thinks another.

 

[bsobel]

Originally posted by: spidey07
ok - something is seriously screwed up. This reminds me of proxy arp problem where you have something performing proxy-arp that you don't know about. There is a disagreement between layer2 and layer3 with the 172.24.1.15 address. Server things one thing, router things another.

My money is on that loopback adapter...

 

[cpals]

Originally posted by: bsobel
What IP do you have assigned to the loopback adapter?

I don't see a loopback adapter setup..

I'm going to try and change to the secondary NIC and see if the IP moves to that MAC also.

If that doesn't work, I'll just block it through DHCP... was hoping to figure it out though! 😀

Thanks to both of you.

 

[spidey07]

I'd get to the heart of it. You should NOT have this kind of disagreement. I'd sniff the traffic on the server and clear arp tables on router and server, then filter to nothing but arp and see what you see and from where.

 

[bsobel]

Originally posted by: cpals

Originally posted by: bsobel
What IP do you have assigned to the loopback adapter?

I don't see a loopback adapter setup..

I'm going to try and change to the secondary NIC and see if the IP moves to that MAC also.

If that doesn't work, I'll just block it through DHCP... was hoping to figure it out though! 😀

Thanks to both of you.

Your routing table shows the loopback adapter is your first interface....

0x1 ........................... MS TCP Loopback interface
0x10003 ...00 04 23 bc 6f 23 ...... Intel(R) PRO/1000 MT Dual Port Network Connection #2
0x10004 ...00 04 23 bc 6f 22 ...... Intel(R) PRO/1000 MT Dual Port Network Connection

 

[cpals]

The loopback (should be 127.0.0.1) is in the route table, but that's the only place I see it. It is not listed in ipconfig /all.

Something weird that happened when I tried plugging into the second NIC was that the 1.15 address started pinging from the outside (this is good since that means it was pinging the laptop that was getting the duplicate ip error), but the server NIC wouldn't initialize... it kept sitting there at the initializing screen when it looks like it's going to establish the connection. This was with the 1.26 IP statically set, which was weird.

Maybe something in the TCP stack is messed up in Windows?

 

[cpals]

Oh, I didn't mention it, but I had to go back to the first NIC as I couldn't wait to see how long it took to negotiate and have it down that long.

 

[bsobel]

Originally posted by: cpals
The loopback (should be 127.0.0.1) is in the route table, but that's the only place I see it. It is not listed in ipconfig /all.

Something weird that happened when I tried plugging into the second NIC was that the 1.15 address started pinging from the outside (this is good since that means it was pinging the laptop that was getting the duplicate ip error), but the server NIC wouldn't initialize... it kept sitting there at the initializing screen when it looks like it's going to establish the connection. This was with the 1.26 IP statically set, which was weird.

Maybe something in the TCP stack is messed up in Windows?

The loopback adapter has nothing to do with the loopback address. See the interface list you posted, you have the MS loopback adapter installed on that machine.... Thats a virtual NIC which is probably configured causing these issues.

 

[cpals]

Okay, I might have an even stranger twist on things... I've figured out that the server is actually pinging the laptop successfully, not itself. Once I pulled the plug on the laptop, the server couldn't ping that IP.

So from what I see currently:

1. Server with issues, if it does a arp -a shows the correct MAC address (laptop's) in it's table, which is how it pings successfully.
2. Other computers on the same vlan if they do a arp -a, for some reason show the servers mac address. The L3 device also shows the server's mac address associated with that IP.

 

[cpals]

It's working now... I changed NICs and also installed the latest drivers (it was running the default 2004 drivers). So far so good.

Thanks for the help!