Detection of IP Address Conflicts

From R81, the Gaia Operating System detects IPv4 address conflicts, that is, cases in which a different device on a directly connected network uses an IPv4 address that belongs to one of the Gaia interfaces.

Example: Gaia interface eth1 has the IPv4 address 10.1.1.1, and some other device on the network connected to eth1 uses the same IPv4 address 10.1.1.1. That other device causes an IP address conflict.

Best Practice - Enable this feature only for interfaces connected to your internal networks. If you enable this feature for all interfaces, or for interfaces connected to external networks, this feature generates too many log messages in the /var/log/messages file.

Important - The detection of IP address conflicts:

Configuration in Gaia Clish

Important:

Syntax

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Parameters

Log Messages

After you enable and configure this feature, it generates one of these messages in the /var/log/messages file:

Log Message / Description

new station
    Gaia detected a new MAC address on a directly connected network, and a new IP address is assigned to that MAC address.

changed ethernet address
    Gaia detected that an IP address stored in the binding database is now assigned to a different MAC address on a directly connected network.

flip flop
    The second most recent binding of a MAC address to an IP address has become the most recent binding in the binding database again.
    This potentially indicates an IP address conflict on the network.

reused old ethernet address
    The third (or older) most recent binding of a MAC address to an IP address has become the most recent binding in the binding database again.
    This very likely indicates a 3-way (or greater) IP address conflict.

To see the applicable log messages:

1. Connect to the command line.

2. Log in to the Expert mode.

3. Run:

    grep "arpwatch:" /var/log/messages*

Example:

[Expert@MyGaia:0]# grep "arpwatch:" /var/log/messages*
Aug  3 19:23:16 2020 MyGaia arpwatch: listening on eth0
Aug  3 19:23:16 2020 MyGaia arpwatch: new station 192.168.3.51 00:50:56:a3:73:26
Aug  3 19:23:17 2020 MyGaia arpwatch: new station 192.168.3.29 00:50:56:a3:68:60
... ... (truncated for brevity) ... ...
[Expert@MyGaia:0]#
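The table of log messages above and the grep step together describe what an operator has to read from /var/log/messages. The following script is an added example, not part of the Check Point documentation or of Gaia itself: it parses arpwatch lines in the format shown in the sample output, assigns each message type the severity this page implies (flip flop = potential conflict, reused old ethernet address = likely multi-way conflict), and lists every IP address that more than one MAC address has claimed. The sample lines are constructed; the parenthesised old MAC address on the binding-change lines is an assumption about arpwatch's message format and the parser treats it as optional.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format shown on this page. The
# parenthesised old MAC on the last three lines is an assumed detail of the
# arpwatch message format; the regex below treats it as optional.
SAMPLE_LOG = """\
Aug  3 19:23:16 2020 MyGaia arpwatch: listening on eth0
Aug  3 19:23:16 2020 MyGaia arpwatch: new station 192.168.3.51 00:50:56:a3:73:26
Aug  3 19:23:17 2020 MyGaia arpwatch: new station 192.168.3.29 00:50:56:a3:68:60
Aug  3 19:25:02 2020 MyGaia arpwatch: changed ethernet address 192.168.3.51 00:50:56:a3:73:27 (00:50:56:a3:73:26)
Aug  3 19:25:40 2020 MyGaia arpwatch: flip flop 192.168.3.51 00:50:56:a3:73:26 (00:50:56:a3:73:27)
Aug  3 19:26:11 2020 MyGaia arpwatch: reused old ethernet address 192.168.3.51 00:50:56:a3:73:28 (00:50:56:a3:73:26)
"""

LINE_RE = re.compile(
    r"arpwatch: (?P<msg>new station|changed ethernet address|flip flop|reused old ethernet address) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-f:]+)"
    r"(?: \((?P<old_mac>[0-9a-f:]+)\))?",
    re.IGNORECASE,
)

# Severity derived from the meaning of each message as described on this page.
SEVERITY = {
    "new station": "info",
    "changed ethernet address": "notice",
    "flip flop": "warning",                  # potential IP address conflict
    "reused old ethernet address": "alert",  # very likely 3-way (or greater) conflict
}


def parse_arpwatch_line(line):
    """Return a dict for a binding-change line, or None for other arpwatch output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["msg"] = event["msg"].lower()
    event["mac"] = event["mac"].lower()
    if event["old_mac"]:
        event["old_mac"] = event["old_mac"].lower()
    event["severity"] = SEVERITY[event["msg"]]
    return event


def analyze(log_text):
    """Collect every MAC seen per IP, plus the events that warrant attention."""
    macs_per_ip = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        event = parse_arpwatch_line(line)
        if event is None:
            continue
        macs_per_ip[event["ip"]].add(event["mac"])
        if event["old_mac"]:
            macs_per_ip[event["ip"]].add(event["old_mac"])
        if event["severity"] in ("warning", "alert"):
            alerts.append((event["ip"], event["msg"], event["mac"]))
    return {ip: sorted(macs) for ip, macs in macs_per_ip.items()}, alerts


def suspected_conflicts(log_text):
    """IP addresses that more than one MAC address claimed during the log window."""
    macs_per_ip, _ = analyze(log_text)
    return {ip: macs for ip, macs in macs_per_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the output of: grep "arpwatch:" /var/log/messages*
    _, alerts = analyze(SAMPLE_LOG)
    for ip, msg, mac in alerts:
        print(f"{SEVERITY[msg].upper():7} {ip} {msg} ({mac})")
    for ip, macs in suspected_conflicts(SAMPLE_LOG).items():
        print(f"{ip} was claimed by {len(macs)} MAC addresses: {', '.join(macs)}")
```

Feeding the script the real grep output lets you separate the expected "new station" noise on a busy segment from the "flip flop" and "reused old ethernet address" lines that point at a genuine conflict, which is also why the Best Practice above recommends enabling the feature only on internal interfaces.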

Additional Information

  • The detection of IP address conflicts is based on the Linux arpwatch tool.

  • When you enable this feature, Gaia runs the /bin/arpwatch_launcher daemon. This daemon is responsible for running the /etc/rc.d/init.d/arpwatch service.

  • Gaia saves the applicable configuration in the Gaia database and in the /etc/sysconfig/arpwatch file.

    Gaia generates the /etc/sysconfig/arpwatch file automatically.

  • Gaia saves the MAC-to-IP address binding information in the /var/lib/arpwatch/arp.dat.<Name of Interface> file.

    The information includes:

    • The detected MAC address

    • The IP address assigned to that MAC address

    • The time of detection (in Unix epoch format)

    It can take several minutes for Gaia to populate this database.
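The binding database described in the last bullet can be inspected directly, which is useful when the syslog lines have already rotated away. The script below is an added example and not Gaia's or Check Point's own tooling: it reads the per-interface arp.dat.<Name of Interface> files, takes the interface name from the file suffix, and reports every IP address that is bound to more than one MAC address on the same interface, with each binding's detection time converted from Unix epoch. The exact on-disk layout (tab-separated MAC, IP, epoch seconds, and an optional hostname) is an assumption; the page only states which three fields the file contains. The sample file contents are constructed.

```python
import glob
import os
import time
from collections import defaultdict

# Constructed sample contents of two per-interface binding files. Assumed
# layout per line: MAC <TAB> IP <TAB> epoch seconds [<TAB> hostname].
SAMPLE_FILES = {
    "arp.dat.eth1": (
        "00:50:56:a3:73:26\t10.1.1.20\t1596482596\n"
        "00:50:56:a3:73:27\t10.1.1.20\t1596482700\n"
        "00:50:56:a3:68:60\t10.1.1.30\t1596482597\tprinter\n"
    ),
    "arp.dat.eth2": "00:50:56:a3:11:22\t10.2.2.5\t1596482600\n",
}


def interface_from_filename(path):
    """/var/lib/arpwatch/arp.dat.eth1 -> 'eth1' (suffix after 'arp.dat.')."""
    base = os.path.basename(path)
    prefix = "arp.dat."
    return base[len(prefix):] if base.startswith(prefix) else base


def parse_arp_dat(text, interface):
    """Parse one binding file into a list of binding dicts; reject malformed lines."""
    bindings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            raise ValueError(f"{interface}: malformed line {lineno}: {raw!r}")
        bindings.append({
            "interface": interface,
            "mac": fields[0].lower(),
            "ip": fields[1],
            "seen": int(fields[2]),          # Unix epoch, as stated on this page
            "host": fields[3] if len(fields) > 3 else "",
        })
    return bindings


def load_directory(directory="/var/lib/arpwatch"):
    """Read every arp.dat.<interface> file below the given directory (live use)."""
    bindings = []
    for path in sorted(glob.glob(os.path.join(directory, "arp.dat.*"))):
        with open(path, encoding="ascii", errors="replace") as fh:
            bindings.extend(parse_arp_dat(fh.read(), interface_from_filename(path)))
    return bindings


def find_conflicts(bindings):
    """Map (interface, ip) -> [(mac, seen), ...] for IPs claimed by more than one MAC."""
    by_ip = defaultdict(list)
    for b in bindings:
        by_ip[(b["interface"], b["ip"])].append((b["mac"], b["seen"]))
    return {
        key: sorted(entries, key=lambda e: e[1])
        for key, entries in by_ip.items()
        if len({mac for mac, _ in entries}) > 1
    }


def report(conflicts):
    """Human-readable lines, one per conflicting IP, oldest binding first."""
    lines = []
    for (iface, ip), entries in sorted(conflicts.items()):
        macs = ", ".join(
            f"{mac} (seen {time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(seen))} UTC)"
            for mac, seen in entries
        )
        lines.append(f"{iface}: {ip} is claimed by {len(entries)} MAC addresses: {macs}")
    return lines


if __name__ == "__main__":
    # For a live Gaia box use: bindings = load_directory()
    bindings = []
    for name, text in SAMPLE_FILES.items():
        bindings.extend(parse_arp_dat(text, interface_from_filename(name)))
    for line in report(find_conflicts(bindings)) or ["no IP address is bound to more than one MAC"]:
        print(line)
```

Because the file is only populated several minutes after the feature is enabled, an empty report immediately after `save config` means the database has not been built yet, not that the segment is clean.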