Reset Search
 

 

Article

Syslog messages appeared with "MAC_MISMATCH_DETECTION: ARP pkt received with different eth source MAC and ARP sender MAC."

« Go Back

Information

 
TitleSyslog messages appeared with "MAC_MISMATCH_DETECTION: ARP pkt received with different eth source MAC and ARP sender MAC."
Symptoms
Syslog messages appeared with "MAC_MISMATCH_DETECTION: ARP pkt received with different eth source MAC and ARP sender MAC."
Environment
  • NetIron XMR, MLX, MLXe, CER, or CES
  • NI 5.9 or later
Cause
This message is in part the result of functionality added in NI 5.9 and recorded in NI 5.9 release notes under New Software Features as "Syslog notification is generated when source MAC and ARP sender MAC addresses are different in the received ARP response packets."

ARP packets have two source MAC addresses. One is the Layer2 802.3 Ethernet outer frame source MAC. The other is the sender MAC address inside the ARP packet. In most situations they are the same. Due to either functions in use, unintentional problems, or hostile actions they can differ.

Functions where frame source MAC and ARP sender MAC differ include proxy ARP and virtualization technologies such as Microsoft NLB multicast mode. In Microsoft NLB multicast mode for example, the ARP frame source MAC is the sending server's real MAC address while the ARP packet sender MAC is a virtual multicast MAC address.

Terms that point to hostile action involving ARP include ARP spoofing, ARP cache poisoning, and ARP cheating.
Resolution
The syslog messages "MAC_MISMATCH_DETECTION: ARP pkt received with different eth source MAC and ARP sender MAC." can be disabled with the setting "no logging enable mac-mismatch-detection." This is the recommended course of action when syslog messages are constant and the result of some intentional functionality such as virtualization technology.

If the messages are not constant or regular then they can be an indication of a problem with the ARP sender or of hostile action by the ARP sender. In this case the sender should be investigated to determine the cause of unusual ARP packets they sent. No action is necessary on the NetIron device generating the messages.
Additional notes

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255