One of the most annoying problems in IP networks is duplicate IP addresses. The funny thing is that once you are familiar with the problem, what causes it, and how to find it, it becomes one of the simplest ones to solve.
When you suspect a duplicate address in the network, the first thing to do is to use the simple CLI commands, arp and ping. If you don't locate the problem, connect Wireshark to the switch (in a large network, to every VLAN) and move step by step until you find the problem.
We start with the symptoms: slow access to a server or to another device, slow access to the Internet, and pings that get no reply.
In some devices, when their address collides with an identical address, the IP driver will simply be turned off (the little symbol at the bottom-left corner of the screen in the Windows operating system). In other devices, you will not get any notification of the conflict, and this is where problems arise.
Ping the suspected address, then type arp -a in cmd in Windows (or in any shell in Linux). If you get two lines for the IP address you've pinged with different MAC addresses, this is a duplicate. When you ping an IP address that appears twice on your local network, the two devices (or more) that have the same IP address will answer the ARP request that you sent, and your ARP cache will have two entries for the same IP address.
In many cases, your device will indicate the conflict by shutting down its IP driver and notifying you with a pop-up window or some other notification that you will notice.
In other cases, the colliding devices will not report the conflict, and then you will find the problem only with ping and arp, as described above.
In any case, when you connect Wireshark to the network and see duplicate IP messages, don't ignore it.
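The ping-then-arp check above is easy to automate when you have to repeat it across many VLANs. The following script is an added example, not code from the original text: it parses the output of arp -a (both the Windows and the Linux layout) and reports every IP address that appears with more than one MAC address, which is exactly the condition described above. The two ARP dumps embedded in it are constructed samples that reproduce the three-way duplicate of 10.10.10.200 discussed later; the MAC addresses in them are invented. It also includes a function that applies the same rule to a list of ARP replies captured on the wire, which is the check Wireshark performs when it reports a duplicate IP, and which works even on hosts whose ARP cache keeps only the last reply per address.

```python
"""Find duplicate IP addresses in ARP cache dumps or captured ARP replies (added example)."""
import re
from collections import defaultdict

# Constructed sample: `arp -a` on Windows after pinging 10.10.10.200.
# Assumes the cache shows one line per responding MAC, as the text describes.
WINDOWS_ARP = """\
Interface: 10.10.10.15 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.1            00-11-22-33-44-01     dynamic
  10.10.10.200          00-11-22-33-44-aa     dynamic
  10.10.10.200          00-11-22-33-44-bb     dynamic
  10.10.10.200          00-11-22-33-44-cc     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: `arp -a` on Linux for a two-way duplicate of the same address.
LINUX_ARP = """\
gateway (10.10.10.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.10.10.200) at 00:11:22:33:44:aa [ether] on eth0
? (10.10.10.200) at 00:11:22:33:44:bb [ether] on eth0
? (10.10.10.50) at 00:11:22:33:44:50 [ether] on eth0
"""

# An IPv4 address followed (after any non-digit filler) by a MAC address.
# Matches both "10.10.10.200   00-11-22-33-44-aa   dynamic" and
# "? (10.10.10.200) at 00:11:22:33:44:aa [ether] on eth0".
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
ARP_LINE = re.compile(IPV4 + r"\D+?" + MAC)


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so Windows and Linux entries compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: set(mac)} from `arp -a` output; header and interface lines are skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            table[match.group(1)].add(normalize_mac(match.group(2)))
    return dict(table)


def find_duplicates(table):
    """Return {ip: sorted macs} for every IP that was seen with more than one MAC."""
    return {ip: sorted(macs) for ip, macs in table.items() if len(macs) > 1}


def duplicates_from_arp_replies(replies):
    """Same rule applied to captured ARP replies given as (sender_ip, sender_mac) pairs.

    This is the check Wireshark performs: two replies claiming the same sender IP
    from different sender MACs mean a conflict, whether or not the host's cache
    kept both entries.
    """
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(normalize_mac(mac))
    return find_duplicates(seen)


if __name__ == "__main__":
    for name, dump in (("Windows", WINDOWS_ARP), ("Linux", LINUX_ARP)):
        for ip, macs in find_duplicates(parse_arp_table(dump)).items():
            print(f"{name}: {ip} answered from {len(macs)} MACs: {', '.join(macs)}")
    # Constructed replies as a sniffer would see them on the segment.
    captured = [("10.10.10.200", "00-11-22-33-44-AA"), ("10.10.10.200", "00:11:22:33:44:bb")]
    print("Capture:", duplicates_from_arp_replies(captured))
```

Run it against the real output of arp -a by piping the command into the script or pasting the dump into the sample strings; an empty result means every address in the cache answered from a single MAC.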
A duplicate IP usually means two identical addresses in the network, but it becomes even more interesting when you have three identical addresses.
You can see a funny example of this in the following screenshot:
In this customer's network, there was an internal network of around 150 devices with connectivity to the Internet through a firewall. The problem was a very slow connection to the Internet.
When they did a ping to a server on the Internet (any server), they got the following responses:
Reply from 173.194.35.148: bytes=32 time=98ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=124ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=134ms TTL=51
Request timed out.
Reply from 173.194.35.148: bytes=32 time=582ms TTL=51
Request timed out.
The customer made some changes to the network, the network became even slower, and pinging the same server on the Internet gave them the following response:
Reply from 173.194.35.148: bytes=32 time=98ms TTL=51
Request timed out.
Request timed out.
Reply from 173.194.35.148: bytes=32 time=124ms TTL=51
Request timed out.
Request timed out.
Reply from 173.194.35.148: bytes=32 time=134ms TTL=51
Request timed out.
Request timed out.
…
When I came into the picture, the first thing I did was to ping the server on the Internet and type arp -a to see what I got. And what I saw was the IP address 10.10.10.200 with three different MAC addresses. Of course, it was a three-way duplicate address, and digging into the problem showed me what actually happened there, as illustrated in the following figure:
What happened was that the network's default gateway to the Internet was not actually the firewall, but a web-filtering device located between the network and the firewall with the address 10.10.10.200, while the network between it and the firewall was 172.16.1.2/30.
What actually happened is explained as follows:
The conclusion from this case, and from many other cases I've experienced, is one of the most important ones: always have an updated drawing of your network!!!