Finding duplicate IPs

One of the most annoying problems in IP networks is duplicate IP addresses. The funny thing is that once you are familiar with the problem, what causes it, and how to find it, it becomes one of the simplest ones to solve.

Getting ready

When you suspect a duplicate address in the network, the first thing to do is to use the simple CLI commands, arp and ping. If that does not locate the problem, connect Wireshark to the switch (in a large network, to every VLAN in turn) and move step by step until you find it.

How to do it...

We start from the symptoms: slow access to a server or to another device, slow access to the Internet, and pings that get no reply.

  1. When you get slow access to a network device, one of the problems that might arise is that the IP address of this device collides with another address. To verify this, ping the IP address.

    Tip

    In some devices, when their address collides with an identical address, the IP driver will simply be turned off (the little symbol at the bottom-left corner of the screen in the Windows operating system). In other devices, you will not get any notification of a conflict, and this is where the problems arise.

  2. Type arp -a in the Command Line Interface (CLI): the cmd window in Windows, or any shell in Linux. If you get two lines for the IP address you've pinged, each with a different MAC address, it is a duplicate.
  3. Look up the MAC addresses of the two devices: the first part of the address (the vendor prefix) tells you who the vendor is. This will lead you to the troublemaker.
  4. If you need the location of the device, log in to your LAN switch (if it is a managed switch, of course), and the switch's MAC address table will show you the switch port the device is connected to.

    Tip

    There are software tools that show you the list of devices connected to every switch along with their MAC addresses, IP addresses, DNS names, and more. Search for switch port mapper or switch port mapping tools and you will find lots of them.

  5. If ping and arp give you nothing, simply start Wireshark and port-mirror the network VLANs to it. Wireshark will show you a duplicate address error with the relevant details.
  6. The error message that you will get will be as shown in the following screenshot:
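The ARP check in steps 1 to 3, and the ARP cache behaviour described under "How it works", as an added example that is not code from the original recipe: a Python script that parses saved arp -a output in either the Windows or the Linux format and reports every IP address that appears with more than one MAC. The sample output is constructed to mirror the triple 10.10.10.200 case later in this recipe; the MAC addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample of Windows "arp -a" output, mirroring the case study
# later in this recipe: 10.10.10.200 answering from three MACs (MACs made up).
SAMPLE_ARP_WINDOWS = """
Interface: 10.10.10.57 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.1            00-1b-21-aa-bb-01     dynamic
  10.10.10.200          00-1b-21-aa-bb-02     dynamic
  10.10.10.200          00-50-56-cc-dd-03     dynamic
  10.10.10.200          00-0c-29-ee-ff-04     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
"""

# The same situation as Linux "arp -a" output (constructed).
SAMPLE_ARP_LINUX = """
? (10.10.10.1) at 00:1b:21:aa:bb:01 [ether] on eth0
? (10.10.10.200) at 00:1b:21:aa:bb:02 [ether] on eth0
? (10.10.10.200) at 00:50:56:cc:dd:03 [ether] on eth0
"""

# One pattern covers both formats: an IPv4 address, then a MAC written with
# ':' or '-' separators somewhere later on the same line.
_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)

def parse_arp(text):
    """Map each IP in arp -a output to the set of MACs seen for it (aa:bb:.. form)."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            table[m.group(1)].add(m.group(2).lower().replace("-", ":"))
    return table

def find_duplicates(text):
    """IPs that were answered from more than one MAC, i.e. duplicate addresses."""
    return {ip: sorted(macs) for ip, macs in parse_arp(text).items() if len(macs) > 1}

def ouis(macs):
    """First three octets of each MAC: the vendor part to look up (step 3)."""
    return [mac[:8] for mac in macs]

if __name__ == "__main__":
    for ip, macs in find_duplicates(SAMPLE_ARP_WINDOWS).items():
        print(f"{ip} answered from {len(macs)} MACs {macs}, vendor prefixes {ouis(macs)}")
```

Run it against the real output of arp -a (pasted in place of the sample) right after pinging the suspect address, since the cache only holds what the last ARP exchange brought back.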

How it works...

When you ping an IP address that appears twice on your local network, the two (or more) devices that have the same IP address will answer the ARP request that you sent, and your ARP cache will hold two entries for the same IP address.

In many cases, your device will indicate this by closing its IP driver and notifying you with a pop-up window or another kind of notification that you will notice.

In other cases, the colliding devices will not report the conflict, and then you will find the problem only with ping and arp, as described before.

In any case, when you connect Wireshark to the network and see duplicate IP messages, don't ignore them.

There's more...

Duplicate IP usually happens when there are two identical addresses in the network, but it becomes even more interesting when you have three identical addresses.

You can see a funny example of this in the upcoming screenshot:


In this customer network, they have an internal network of around 150 devices with connectivity to the Internet through a firewall. The problem was a very slow connection to the Internet.

When they did a ping to a server on the Internet (any server), they got the following responses:

Reply from 173.194.35.148: bytes=32 time=98ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=124ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=134ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=582ms TTL=51
Request timed out.

The customer made some changes to the network, the network became even slower, and pinging the same server on the Internet got them the following response:

Reply from 173.194.35.148: bytes=32 time=98ms TTL=51
Request timed out.
Request timed out.
Reply from 173.194.35.148: bytes=32 time=124ms TTL=51
Request timed out.
Request timed out.
Reply from 173.194.35.148: bytes=32 time=134ms TTL=51
Request timed out.
Request timed out.
...

When I came into the picture, the first thing I did was to ping the server on the Internet and type arp -a to see what I got. And what I saw was the IP address 10.10.10.200 with three different MAC addresses. Of course, it was a three-time duplicate address, and digging into the problem showed me what actually happened there, as illustrated in the following figure:


What happened was that the network's default gateway to the Internet was not actually the firewall, but a web-filtering device located between the network and the firewall, with the address 10.10.10.200, while the network between it and the firewall was 172.16.1.2/30.

What actually happened is explained as follows:

  1. In the first place, they configured the DHCP server on the network to exclude the addresses 10.10.10.201-254, so the FW address was not excluded.
  2. Then they connected a new LAN switch to the stack. The switch was configured by default to obtain its IP address from DHCP, so it received the address 10.10.10.200, and that was the first duplicate.
  3. And the funniest thing was that the customer suspected a problem with connecting to the Internet, so they disconnected the web-filter server. The stupid thing was that they disconnected the external interface of the web-filter server and connected its internal interface to the switch, while changing its address to the address of the firewall that was still connected to the network.
  4. What they got is presented in the following illustration: triple 10.10.10.200 addresses.

The conclusion from this case, and from many other cases I've experienced, is one of the most important ones: Always have an updated drawing of your network!!!
