Controller Based WLANs

Why do I see IP Spoof messages in Security logs when there is no actual impact?

Environment: Any customer environment with Apple iOS / OS X devices.

 

Below is an example of security logs with IP Spoof messages.

(TAC-LAB) #show log all | include spoof
Dec 12 09:41:37  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=08:70:45:04:b0:db Sender-IP=192.168.1.13 Sender-MAC=08:70:45:04:b0:db IP spoof with exsting MAC=84:b1:53:a5:a5:19, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.
Dec 12 09:41:44  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.7 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=5c:0a:5b:e7:c0:ee, Drop It.


If the device has previously connected to the network, Apple OS X and iOS devices tend to ARP for the gateway IP using the IP address they used on their last connection. It is possible that this IP address has since been leased to someone else. The ARP requests therefore trigger the spoof messages.

Below is an example:

Dec 12 09:43:18  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: MAC=c8:6f:1d:8e:69:12 Sender-IP=10.131.112.9 Sender-MAC=c8:6f:1d:8e:69:12 IP spoof with exsting MAC=2c:54:cf:e4:a5:d1, Drop It.

By taking a packet capture on the controller, we can see that the ARP request sent by the client carries an IP address that is in use by another user.


The controller therefore prints the IP spoof log messages. However, there is no connectivity impact in this scenario.
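When triaging these logs, the repeated 522250 lines can be collapsed to one row per sender MAC, claimed IP and current owner MAC, so the stale-lease pattern described above stands apart from a sender claiming an infrastructure address. This is an added example, not part of the original article or any Aruba tooling; the `protected_ips` parameter, the 192.168.1.1 gateway address, the verdict labels and the last sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the authmgr 522250 format shown above ("exsting" is the log's own spelling).
SPOOF_RE = re.compile(
    r"<522250>.*?ARP-packet: MAC=(?P<mac>[0-9a-f:]{17}) "
    r"Sender-IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Sender-MAC=(?P<smac>[0-9a-f:]{17}) "
    r"IP spoof with exsting MAC=(?P<owner>[0-9a-f:]{17})",
    re.I,
)

def summarize(lines, protected_ips=()):
    """Collapse repeated spoof messages into one row per
    (sender MAC, claimed IP, current owner MAC) with a hit count."""
    counts = Counter()
    for line in lines:
        m = SPOOF_RE.search(line)
        if m:  # lines in any other format are ignored
            counts[(m["smac"].lower(), m["ip"], m["owner"].lower())] += 1
    rows = []
    for (smac, ip, owner), n in sorted(counts.items()):
        # Assumption: a client ARPing with an old lease is low priority, while a
        # sender claiming a gateway/server address (protected_ips) needs review.
        verdict = "review" if ip in protected_ips else "likely-stale-lease"
        rows.append({"sender": smac, "ip": ip, "owner": owner,
                     "count": n, "verdict": verdict})
    return rows

# Sample input: the first three lines are from the log above; the last line is
# constructed (made-up MACs, hypothetical gateway IP 192.168.1.1).
PREFIX = "Dec 12 09:41:40  authmgr[1989]: <522250> <INFO> |authmgr|  ARP-packet: "
SAMPLE = [
    PREFIX + "MAC=08:70:45:04:b0:db Sender-IP=192.168.1.13 Sender-MAC=08:70:45:04:b0:db "
             "IP spoof with exsting MAC=84:b1:53:a5:a5:19, Drop It.",
    PREFIX + "MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 "
             "IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.",
    PREFIX + "MAC=c8:6f:1d:8e:69:12 Sender-IP=192.168.1.6 Sender-MAC=c8:6f:1d:8e:69:12 "
             "IP spoof with exsting MAC=4c:b1:99:04:de:38, Drop It.",
    PREFIX + "MAC=02:00:00:00:00:01 Sender-IP=192.168.1.1 Sender-MAC=02:00:00:00:00:01 "
             "IP spoof with exsting MAC=02:00:00:00:00:fe, Drop It.",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE, protected_ips={"192.168.1.1"}):
        print(row)
```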

Version history
Revision #: 1 of 1
Last update: 04-09-2015 04:04 AM