Palo Alto Networks MAC Address is the Source of a Detected Duplicate IP

32493
Created On 09/26/18 13:50 PM - Last Modified 06/07/23 18:04 PM


Symptom


Issue

  • DHCP clients report that a duplicate IP address has been detected on the network.
  • If another device on the same subnet pings the IP address handed out by the DHCP server, it may or may not get a response, because two devices answer ARP for that address.
  • Looking up the address in the ARP cache shows the MAC address of the device that answered the ARP request. If that MAC address belongs to a Palo Alto Networks firewall interface, the firewall is the source of the issue.


Cause


This condition is fairly common when NAT is configured incorrectly. Make sure the subnet mask of the address object used as the translated address is correct: the firewall proxy-ARPs for every address covered by a translated address, so a 24-bit mask causes the Palo Alto Networks firewall to answer ARP for all IP addresses in that /24, including addresses that real hosts are using.

There has also been a case where the migration tool converted a Cisco ASA NAT rule into exactly this misconfiguration:

  • Source address = x.x.x.x/24
  • Source translated = x.x.x.x/24

Every device that joined the x.x.x.0/24 subnet immediately reported a duplicate IP address error, because the firewall answered ARP for the address the device had just been given.
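As an added illustration of the cause above (this is example code written for this page, not a Palo Alto Networks tool), the script below walks a PAN-OS-style NAT rulebase and flags every rule whose translated address covers more than one host, which is the condition that makes the firewall proxy-ARP for a whole range. The XML fragment is constructed for the example: the element names follow the PAN-OS configuration layout (static-ip carries the address as text, dynamic-ip-and-port nests member elements), but the rule names and addresses are made up. The first rule reproduces the migrated ASA rule from the text; the last one shows the corrected /32 form.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed PAN-OS-style NAT rulebase (assumed layout, made-up rules).
SAMPLE_CONFIG = """
<config>
  <rulebase>
    <nat>
      <rules>
        <entry name="asa-migrated">
          <source><member>10.1.1.0/24</member></source>
          <source-translation>
            <static-ip>
              <translated-address>203.0.113.0/24</translated-address>
            </static-ip>
          </source-translation>
        </entry>
        <entry name="outbound-pat">
          <source><member>10.1.1.0/24</member></source>
          <source-translation>
            <dynamic-ip-and-port>
              <translated-address><member>203.0.113.10</member></translated-address>
            </dynamic-ip-and-port>
          </source-translation>
        </entry>
        <entry name="host-static">
          <source><member>10.1.1.5</member></source>
          <source-translation>
            <static-ip>
              <translated-address>203.0.113.5/32</translated-address>
            </static-ip>
          </source-translation>
        </entry>
      </rules>
    </nat>
  </rulebase>
</config>
"""


def proxy_arp_count(address):
    """Number of addresses the firewall will answer ARP for, given one
    translated-address value.  A bare host address counts as /32."""
    return ipaddress.ip_network(address, strict=False).num_addresses


def translated_addresses(rule):
    """Yield every translated-address string in a NAT rule, handling both
    the static-ip form (text) and the dynamic-ip-and-port form (members)."""
    for elem in rule.iter("translated-address"):
        if elem.text and elem.text.strip():
            yield elem.text.strip()
        for member in elem.findall("member"):
            if member.text and member.text.strip():
                yield member.text.strip()


def audit_nat_rules(xml_text, max_hosts=1):
    """Return (rule name, translated address, host count) for every rule whose
    translated address spans more than max_hosts addresses."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("entry"):
        for address in translated_addresses(rule):
            count = proxy_arp_count(address)
            if count > max_hosts:
                findings.append((rule.get("name"), address, count))
    return findings


if __name__ == "__main__":
    for name, address, count in audit_nat_rules(SAMPLE_CONFIG):
        print(f"rule {name!r}: translated address {address} -> firewall will "
              f"proxy-ARP for {count} addresses")
```

Run against a real configuration export, the same traversal will also catch destination-translation objects with a broad mask, since they are held in the same element name; narrowing the flagged object to a /32 (or to the exact pool you intend to own) stops the firewall from answering ARP for addresses that belong to other hosts.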



Resolution


From a Windows command prompt on the affected machine, ping the conflicting IP address so that an ARP entry for it is populated, then list the ARP cache. The entry for that IP address shows the MAC address of the interface that answered the ARP request; if it is the MAC address of the Palo Alto Networks firewall interface on that subnet, the firewall is proxy-ARPing for the address and the NAT translated-address mask needs to be corrected:

> ping x.x.x.x
> arp -a

Note that arp -s creates a static ARP entry rather than displaying the cache, so it is not the command to use here.

owner: skrall
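The check in the Resolution section, as an added example (written for this page, not a Palo Alto Networks or Microsoft tool): it parses the output of a Windows `arp -a` command, reports which IP addresses resolve to the firewall's MAC address, and says whether the leased address that triggered the conflict is one of them. The ARP output and the firewall MAC address are constructed for the example; on a real network take the firewall interface MAC from the firewall itself or from the ARP reply. A firewall legitimately owns its gateway address on the subnet; the tell is that it also answers for an address that a DHCP client was just given.

```python
import re

# Constructed `arp -a` output from a Windows client (not a real capture).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.10.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1b-17-aa-bb-cc     dynamic
  192.168.10.77         00-1b-17-aa-bb-cc     dynamic
  192.168.10.80         3c-52-82-11-22-33     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""

# Assumed MAC of the firewall interface on this subnet (example value).
FIREWALL_MAC = "00:1b:17:aa:bb:cc"

# One ARP table row: IPv4 address, MAC in dash or colon form, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Unix output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Map IP address -> normalized MAC for every table row in the output."""
    entries = {}
    for line in text.splitlines():
        match = ARP_ROW.match(line)
        if match:
            entries[match.group(1)] = normalize_mac(match.group(2))
    return entries


def ips_answered_by(entries, mac):
    """All IP addresses whose ARP entry points at the given MAC."""
    mac = normalize_mac(mac)
    return sorted(ip for ip, owner in entries.items() if owner == mac)


def check_conflict(arp_output, leased_ip, firewall_mac):
    """Classify who answered ARP for the address the DHCP client was given."""
    entries = parse_arp_table(arp_output)
    owner = entries.get(leased_ip)
    if owner is None:
        return "no-entry"
    if owner == normalize_mac(firewall_mac):
        return "firewall"
    return "other-host"


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print("answered by firewall:", ips_answered_by(table, FIREWALL_MAC))
    print("192.168.10.77 ->", check_conflict(SAMPLE_ARP_OUTPUT, "192.168.10.77", FIREWALL_MAC))
```

Feed it the real output with `arp -a > arp.txt` on the affected client and point `check_conflict` at the leased address; a result of "firewall" for an address the firewall should not own points straight at the NAT translated-address mask described under Cause.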



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsjCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail