Hi all,
I get some chaotic arpwatch flip flops.
Sometimes very few, 4 a day; sometimes a huge amount, 100 or 200 a day.
Each time I get them in 2 copies:
hostname: <unknown>
ip address: 0.0.0.0
ethernet address: f0:82:61:86:25:5c
ethernet vendor: <unknown>
old ethernet address: 34:f3:9a:d6:74:5f
old ethernet vendor: <unknown>
timestamp: Tuesday, June 4, 2019 8:54:31 +0200
previous timestamp: Tuesday, June 4, 2019 8:54:00 +0200
delta: 31 seconds
Or when the server's MAC address is involved I've got:
hostname: xxx.xxxxxxxxxxx.xxx
ip address: 10.0.0.137
ethernet address: 0c:c4:7a:33:07:8a
ethernet vendor: <unknown>
old ethernet address: 0c:c4:7a:33:07:8b
old ethernet vendor: <unknown>
timestamp: Tuesday, March 26, 2019 20:27:52 +0100
previous timestamp: Tuesday, March 26, 2019 20:27:51 +0100
delta: 1 second
and
hostname: xxx.xxxxxxxxxxx.xxx
ip address: 10.0.0.137
ethernet address: 0c:c4:7a:33:07:8b
ethernet vendor: <unknown>
old ethernet address: 0c:c4:7a:33:07:8a
old ethernet vendor: <unknown>
timestamp: Tuesday, March 26, 2019 20:27:27 +0100
previous timestamp: Tuesday, March 26, 2019 20:27:27 +0100
delta: 0 seconds
I only get this on the External IP address.
It raises an alert on my ISP router:
NIC 0c:c4:7a:33:07:8b and 0c:c4:7a:33:07:8a use the same IP address 10.0.0.142
But in this message it is the LAN IP that is involved.
I've got 2 NICs:
enp4s0 External Static 10.0.0.137
MAC Address 0c:c4:7a:33:07:8b
Vendor Intel Corporation
Device 82574L Gigabit Network Connection
Bus PCI
Link Yes
Speed 1000 Mb/s
Interface enp4s0
Role External
Connection Type Static
IP Address 10.0.0.137
Netmask 255.255.255.252
Gateway 10.0.0.138
DHCP disabled
enp3s0 LAN Static 10.0.0.142
MAC Address 0c:c4:7a:33:07:8a
Vendor Intel Corporation
Device 82574L Gigabit Network Connection
Bus PCI
Link Yes
Speed 1000 Mb/s
Interface enp3s0
Role LAN
Connection Type Static
IP Address 10.0.0.142
Netmask 255.255.255.0
DHCP ENABLED
The strange thing is that the MAC address in the arpwatch alert email could be anything:
- one of the 2 server NIC MAC addresses
- 2 other equipment MAC addresses
In the example these are my ISP router MAC address and my laptop, and then my ISP router and my PC.
I need my network to work with or without the ClearOS server on. I do not use the firewall feature of ClearOS.
Any idea of the reason for that?
Responses (15)
Nick Howitt wrote: I suspect there is an error in the bonding and you need to force the MAC address of the bond. It seems to keep flipping between the two NIC MACs...
I have many machines running with bonded NICs; this is the only one giving this issue. I will investigate and report back.
Many thanks -
Nick Howitt wrote: I don't know where the issue comes from. I know that some Network Manager controlled WiFi connections can randomise the MAC on connection but not repeatedly. It looks like two different adjacent MACs are using the same IP.
It's 2 NICs bonded using netplan, not NetworkManager.
I will disable the messages, but I wanted to make sure that I don't have an underlying, soon to be serious, issue here -
I don't know where the issue comes from. I know that some Network Manager controlled WiFi connections can randomise the MAC on connection but not repeatedly. It looks like two different adjacent MACs are using the same IP.
To be honest I just follow my first reply and turn off the e-mails, but you can restart arpwatch more easily with:

# Restart every enabled arpwatch@<interface> unit; condrestart only touches units that are running
for SERVICE in /etc/systemd/system/multi-user.target.wants/arpwatch*; do
    /bin/systemctl condrestart "$(basename "$SERVICE")" > /dev/null 2>&1
done
I have a similar issue; my root mail gets 2-3k emails per day:
From arpwatch@mydoamin.org Wed Jun 17 22:54:57 2020
Return-Path: <arpwatch@mydoamin.org>
Received: from mydoamin.org (localhost [127.0.0.1])
by mydoamin.org (8.14.7/8.14.7) with ESMTP id 05HLsvqI027797
for <root@mydoamin.org>; Wed, 17 Jun 2020 22:54:57 +0100
Received: (from arpwatch@localhost)
by mydoamin.org (8.14.7/8.14.7/Submit) id 05HLsvHi027796
for root; Wed, 17 Jun 2020 22:54:57 +0100
Date: Wed, 17 Jun 2020 22:54:57 +0100
Message-Id: <202006172154.05HLsvHi027796@mydoamin.org>
From: root@mydoamin.org (Arpwatch)
To: root@mydoamin.org
Subject: flip flop (srv.mydoamin.org)
hostname: srv.mydoamin.org
ip address: 192.168.50.2
ethernet address: a4:ba:db:2c:9f:66
ethernet vendor: Dell
old ethernet address: a4:ba:db:2c:9f:65
old ethernet vendor: Dell
timestamp: Wednesday, June 17, 2020 22:54:57 +0100
previous timestamp: Wednesday, June 17, 2020 22:54:55 +0100
delta: 2 seconds
On ClearOS, the bond0.50 output of ifconfig:
bond0.50: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.50.100 netmask 255.255.255.0 broadcast 192.168.50.255
ether 00:e0:ed:1e:9f:be txqueuelen 1000 (Ethernet)
RX packets 466379 bytes 119619487 (114.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 466925 bytes 2629846806 (2.4 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
and on the client:
5: bond0.50@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a4:ba:db:2c:9f:65 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.2/24 brd 192.168.50.255 scope global dynamic bond0.50
valid_lft 34655sec preferred_lft 34655sec
inet6 fe80::a6ba:dbff:fe2c:9f65/64 scope link
valid_lft forever preferred_lft forever
Is this a client-side or a ClearOS issue?
Thanks -
Nick Howitt wrote: Is there a reason you can't just use one NIC and put ClearOS in standalone mode?
Not all services are available from the External IP. Some are exclusively accessible from the LAN IP.
With one IP I can no longer do that.
Nick Howitt wrote: If ClearOS goes down, how does your LAN continue to run without DNS/DHCP?
I need to connect to the ISP router to enable DHCP that uses the router's DNS.
I need ClearOS DNS in order to assign logical names to my LAN equipment (something I can't do with the ISP's router).
Nick Howitt wrote: if you don't have a DHCP server, how will dynamically configured devices work when powered on and trying to obtain a DHCP lease?
DHCP is done by ClearOS. When ClearOS is down, I need to activate the ISP router's DHCP. -
This could be the cause of your flip/flop, as you have a routing loop and the packets will appear on both interfaces. Is there a reason you can't just use one NIC and put ClearOS in standalone mode? It can still run DNS and DHCP. If ClearOS goes down, how does your LAN continue to run without DNS/DHCP? I can see that statically configured devices can keep going as long as they have an alternative DNS configuration which allows other DNS servers as well as or in place of ClearOS, but if you don't have a DHCP server, how will dynamically configured devices work when powered on and trying to obtain a DHCP lease? -
Nick Howitt wrote: your WAN subnet is part of your LAN subnet?
Yes, they overlap:
External
IP Address 10.0.0.137
Netmask 255.255.255.252
Gateway 10.0.0.138
LAN
IP Address 10.0.0.142
Netmask 255.255.255.0
As my LAN should work with or without ClearOS, I need to be able to access 10.0.0.138.
I need ClearOS DNS and DHCP as my ISP's router doesn't have all the required features... -
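The addressing posted above (External 10.0.0.137/30 with gateway 10.0.0.138, LAN 10.0.0.142/24) can be checked mechanically. The script below is an added example, not code from the thread, ClearOS or arpwatch. It shows that the External /30 lies inside the LAN /24, that the gateway is on-link for both NICs (Nick's "packets appear on both interfaces"), and which of the server's two MACs can end up answering ARP for each of its own addresses. The ARP part assumes both NICs sit on the same broadcast domain (what the overlapping prefixes and the router's "two NICs use 10.0.0.142" alert suggest) and models the Linux default sysctl net.ipv4.conf.*.arp_ignore=0, under which a host answers an ARP request for any of its local addresses on whichever interface the request arrives, with that interface's MAC; arp_ignore=1 is included for comparison.

```python
"""Check two-NIC addressing for overlap and for ARP replies that can carry
either NIC's MAC for the same IP. Added example; interface data as posted."""
import ipaddress

# Interface table as posted: (name, MAC, address/prefix). The External gateway is 10.0.0.138.
INTERFACES = [
    ("enp4s0", "0c:c4:7a:33:07:8b", "10.0.0.137/30"),  # External
    ("enp3s0", "0c:c4:7a:33:07:8a", "10.0.0.142/24"),  # LAN
]
GATEWAY = "10.0.0.138"


def networks(interfaces):
    """Map interface name -> the connected (on-link) network it gives the host."""
    return {name: ipaddress.ip_interface(cidr).network for name, _, cidr in interfaces}


def overlapping_pairs(interfaces):
    """Pairs of interfaces whose connected networks overlap: the kernel then
    holds two connected routes for the same address space."""
    nets = networks(interfaces)
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def onlink_interfaces(interfaces, ip):
    """Interfaces that consider `ip` directly reachable. Two names for the
    gateway means traffic to it can leave (and come back) on either NIC."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, net in networks(interfaces).items() if addr in net)


def local_addresses(interfaces):
    return {str(ipaddress.ip_interface(cidr).ip) for _, _, cidr in interfaces}


def arp_reply_mac(interfaces, target_ip, arriving_on, arp_ignore=0):
    """MAC the host puts in its ARP reply, or None if it stays silent.
    arp_ignore=0 (Linux default): reply for any local address on any interface.
    arp_ignore=1: reply only if target_ip is configured on the receiving interface.
    """
    by_name = {name: (mac, str(ipaddress.ip_interface(cidr).ip)) for name, mac, cidr in interfaces}
    mac, own_ip = by_name[arriving_on]
    if arp_ignore == 1:
        return mac if own_ip == target_ip else None
    return mac if target_ip in local_addresses(interfaces) else None


def macs_claiming(interfaces, target_ip, arp_ignore=0):
    """Every MAC that can show up for target_ip once the broadcast ARP request
    reaches all NICs. More than one entry is the pattern arpwatch reports as a
    flip flop and the ISP router as two NICs using the same IP."""
    replies = (arp_reply_mac(interfaces, target_ip, name, arp_ignore) for name, _, _ in interfaces)
    return sorted({m for m in replies if m})


if __name__ == "__main__":
    print("overlapping networks:", overlapping_pairs(INTERFACES))
    print("gateway on-link via:", onlink_interfaces(INTERFACES, GATEWAY))
    for ip in sorted(local_addresses(INTERFACES)):
        print(ip, "default:", macs_claiming(INTERFACES, ip),
              "arp_ignore=1:", macs_claiming(INTERFACES, ip, 1))
```

Setting arp_ignore=1 on the server stops the cross-interface ARP replies (each IP is then only ever answered with its own NIC's MAC), but it does not remove the overlapping connected routes; only renumbering the External /30 out of the LAN /24, or running a single NIC as Nick suggests, does that.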
Accepted Answer
-
Accepted Answer
[root@home ~]# ps aux | grep arpwatch | grep -v grep
arpwatch 9286 0.0 0.0 11880 3664 ? S Jun03 0:24 /usr/sbin/arpwatch -u arpwatch -N -e root -s root (Arpwatch) -i enp3s0 -f /var/lib/arpwatch/arp_enp3s0.dat
arpwatch 9296 0.0 0.0 11880 3660 ? S Jun03 0:22 /usr/sbin/arpwatch -u arpwatch -N -e root -s root (Arpwatch) -i enp4s0 -f /var/lib/arpwatch/arp_enp4s0.dat
The .dat files contain lines such as:
f0:82:61:86:25:5c 0.0.0.0 1559640996
d8:cb:8a:cb:1a:6f 0.0.0.0 1559631290
34:f3:9a:d6:74:5f 0.0.0.0 1559631240
00:26:73:b1:f6:86 0.0.0.0 1559578660
And
0c:c4:7a:33:07:8b 10.0.0.137 1559640995 home
0c:c4:7a:33:07:8a 10.0.0.137 1558460905 home
0c:c4:7a:33:07:8a 10.0.0.142 1559624903 home
0c:c4:7a:33:07:8b 10.0.0.142 1558688376 home
which might be the reason for arpwatch's confusion...
Receiving this arpwatch message is not the issue.
The reason I receive it is what I'm looking for -
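The .dat excerpt above already contains the whole story: two MACs recorded for 10.0.0.137 and the same two for 10.0.0.142, plus several MACs seen only with 0.0.0.0. The script below is an added example (not code from the thread or from arpwatch) that scans arpwatch arp_<iface>.dat files for exactly those two patterns, and flags the case Nick mentions where the competing MACs are adjacent, as with the server's 07:8a/07:8b here and the Dell 9f:65/9f:66 pair in the bond0.50 report above. The sample text is copied from the .dat lines posted above; the field layout (MAC, IP, epoch seconds, optional hostname) is the one arpwatch writes. 0.0.0.0 as sender address is what hosts use for ARP probes before they hold an address (RFC 5227), which is why a fresh DHCP client shows up that way.

```python
"""Scan arpwatch .dat files for IPs seen with several MACs (the source of
"flip flop" reports) and for MACs that only ever appear with 0.0.0.0.
Added example; sample data copied from the thread."""
from collections import defaultdict

# Sample copied from the two .dat excerpts above, merged into one text
SAMPLE_DAT = """\
f0:82:61:86:25:5c\t0.0.0.0\t1559640996
d8:cb:8a:cb:1a:6f\t0.0.0.0\t1559631290
34:f3:9a:d6:74:5f\t0.0.0.0\t1559631240
00:26:73:b1:f6:86\t0.0.0.0\t1559578660
0c:c4:7a:33:07:8b\t10.0.0.137\t1559640995\thome
0c:c4:7a:33:07:8a\t10.0.0.137\t1558460905\thome
0c:c4:7a:33:07:8a\t10.0.0.142\t1559624903\thome
0c:c4:7a:33:07:8b\t10.0.0.142\t1558688376\thome
"""


def parse_dat(text):
    """Yield (mac, ip, last_seen_epoch, hostname_or_None) for each valid line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        host = fields[3] if len(fields) > 3 else None
        yield fields[0].lower(), fields[1], int(fields[2]), host


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def adjacent_macs(a, b):
    """Same OUI and last octet differing by one: the usual signature of two
    ports on one multi-port card or two slaves of one bond."""
    return a[:8] == b[:8] and abs(mac_to_int(a) - mac_to_int(b)) == 1


def find_shared_ips(text):
    """{ip: sorted MAC list} for every IP recorded with more than one MAC.
    0.0.0.0 is skipped: it is the sender address of ARP probes from hosts
    that have no address yet, not a binding worth tracking."""
    macs_by_ip = defaultdict(set)
    for mac, ip, _, _ in parse_dat(text):
        if ip != "0.0.0.0":
            macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def probe_only_macs(text):
    """MACs that never appeared with a real IP on this interface."""
    ips_by_mac = defaultdict(set)
    for mac, ip, _, _ in parse_dat(text):
        ips_by_mac[mac].add(ip)
    return sorted(mac for mac, ips in ips_by_mac.items() if ips == {"0.0.0.0"})


def report(text):
    """Human-readable findings, one string per line."""
    lines = []
    for ip, macs in sorted(find_shared_ips(text).items()):
        note = ""
        if len(macs) == 2 and adjacent_macs(*macs):
            note = "  <- adjacent MACs: one host with two NICs, or a bond flipping between slaves?"
        lines.append(f"{ip} seen with {', '.join(macs)}{note}")
    for mac in probe_only_macs(text):
        lines.append(f"{mac} seen only with 0.0.0.0 (ARP probe / DHCP client)")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DAT
    print("\n".join(report(text)))
```

Run it as `python3 scan_arpdat.py /var/lib/arpwatch/arp_enp3s0.dat` (name assumed) on each interface's file; a server IP that appears with both server MACs in the LAN interface's file is the same observation the ISP router is making from its side.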
To be honest I don't particularly see the point of arpwatch. It is used by the Network Map app, but I have no idea beyond that. Out of curiosity, what is the result of:

ps aux | grep arpwatch | grep -v grep

It should only be watching the LAN interfaces.
To stop the e-mail messages you can edit /etc/sysconfig/arpwatch and change:

-e root -s 'root (Arpwatch)'

to

-e -

To restart arpwatch you need to do it for each interface you see from the "ps aux" command with something like:

systemctl restart arpwatch@LAN_interface1
systemctl restart arpwatch@LAN_interface2

etc.