Hi,
i remarked IP Spoof entries in the syslog messages :
Feb 19 16:36:53 2014 WIFI-BE-DI-001 authmgr[1926]: <522027> <WARN> <WIFI-BE-DI-001 192.168.101.251> MAC=94:eb:cd:c0:52:86 IP=192.168.102.112 IP Spoof from MAC=4c:b1:99:3b:25:c9 role=authenticated/(null)
Tracing back in the logs :
Feb 19 16:18:46 2014 WIFI-BE-DI-001 <WIFI-BE-DI-001 192.168.101.251> dhcpd: DHCPREQUEST for 192.168.102.112 from 4c:b1:99:3b:25:c9 (TI0038W) via eth1
Feb 19 16:18:46 2014 WIFI-BE-DI-001 <WIFI-BE-DI-001 192.168.101.251> dhcpd: DHCPACK on 192.168.102.112 to 4c:b1:99:3b:25:c9 (TI0038W) via eth1
Here 4c:b1:99:3b:25:c9 asks to renew it's lease 192.168.102.112. Confirmed by the controller.
Feb 19 16:35:49 2014 WIFI-BE-DI-001 <WIFI-BE-DI-001 192.168.101.251> dhcpd: DHCPREQUEST for 192.168.102.112 (192.168.102.201) from 94:eb:cd:c0:52:86 via eth1: lease 192.168.102.112 unavailable.
Feb 19 16:35:49 2014 WIFI-BE-DI-001 <WIFI-BE-DI-001 192.168.101.251> dhcpd: DHCPNAK on 192.168.102.112 to 94:eb:cd:c0:52:86 via eth1
Feb 19 16:35:49 2014 WIFI-BE-DI-001 <WIFI-BE-DI-001 192.168.101.251> dhcpd: DHCPOFFER on 192.168.102.73 to 94:eb:cd:c0:52:86 (BLACKBERRY-A26A) via eth1
94:eb:cd:c0:52:86 asks to confirm its lease 192.168.102.112 (strange because the least ime is 3 hours and was already assgined to 4c:b1:99:3b:25:c9) Anyway, the Aruba controller responds correctly (DHCPNAK) and offers a new lease (192.168.102.73).
Few seconds later we get the IP Spoof message? So the client ignored the new DHCPOFFER?
This is not the only message we see. Happens with other clients too. We have a two controller setup (master/local) but only one dhcpd is active. Anyone an idea?
We use ArubaOS 6.3.1.2.