Security

Hi. I'm new to this forum, and hoping someone here has thoughts about this issue I'm experiencing.  For the past few weeks, users connecting to our Aruba 215 Access Points have been unable to connect to the internet, only to our local network.  This is sporadic, happening most of the time, but not always.  I've determined that when a machine is unable to connect, it is receiving the incorrect MAC address for our gateway.  The last octet is off by a value of one (9a instead of 99).  Flushing the ARP cache on the offending PC usually resolves this temporarily, but it eventually happens again.  Sometimes I need to 'arp -d' several times before it works, sometimes it doesn't work at all, and sometimes the PC will eventually just reconnect on its own.  This does not affect any of our wired workstations, so I'm pretty convinced the APs are at fault here. Any idea what could be causing this?

is it possible there is some device in your network trying to hijack the default gateway by arp poisoning ? you could consider to setup a wireshark somewhere in the network with a filter set on ARP, set some circular buffers, wait for the issue to happen and see if some device has hijacked the def gw.  It shouldnt be the AP doing this - never say never I guess - but start with the most likely issue.

can you log into your core switch and check the arp / hw-mac-address tables and see if you can see a port that has this :9a mac address present on it?

Good call, thank you!  I checked the MAC address tables in our switches and determined that an unused physical port on our firewall was connected and responsible for this offending MAC address.  Disconnected that and everything seems to be back to normal.  Thanks!

good to know - thanks for coming back to update the thread