Tracing a MAC address to IP address: Solaris

notreallyhere · August 16, 2010, 8:17am

Hi there

I lost connectivity to one of our remote systems and when I checked the messages log I found the following:

 Aug 10 23:42:34 host xntpd[296]: [ID 774427 daemon.notice] time reset (step) 1.681729 s
Aug 16 13:20:51 host ip: [ID 876157 kern.warning] WARNING: node "mac address" is using our IP address x.x.x.x on aggr1
Aug 16 13:20:51 host last message repeated 1 time
Aug 16 13:21:51 host snmpXdmid: [ID 181857 daemon.error] Error receiving PDU Decode the header of message failed: data lengths that long are not supported.
Aug 16 13:21:51 host snmpXdmid: [ID 352064 daemon.error] Error receiving packet from agent; rc = -1.
Aug 16 13:21:51 host snmpXdmid: [ID 669004 daemon.error] Will attempt to re-establish connection.
Aug 16 13:22:17 host ip: [ID 876157 kern.warning] WARNING: node "mac address" is using our IP address x.x.x.x on aggr1
Aug 16 13:22:17 host last message repeated 2 times
Aug 16 13:22:17 host ip: [ID 567813 kern.warning] WARNING: aggr1 has duplicate address x.x.x.x (claimed by "mac address"); disabled

So the messages indicate a MAC address, but is there a way I can trace that MAC address to an IP address so that I can solve where this issue could have started? I am of course assuming that someone tried to configure a duplicate IP on another system and that caused a connectivity issue.

Neo · August 16, 2010, 8:27am

Yes, you use arp command to trace MAC to IP addresses.

notreallyhere · August 16, 2010, 8:49am

How would I use that?

zaxxon · August 16, 2010, 8:55am

Type in

arp -a

for example to list all entries in the arp cache of your host (name, ip-address, mac-address).
You can also check the man page of arp to see what other switch might suit your needs best.

notreallyhere · August 16, 2010, 9:17am

Thanks. I've tried the arp -a before but didn't see an arp entry for that mac address.

zaxxon · August 16, 2010, 9:22am

Did you try that on the host that was actually tried to be connected by that offending IP-address?
Or maybe your LAN network guys can check on their arp-caches if the MAC shows up somewhere on their switches/routers.

notreallyhere · August 16, 2010, 9:26am

I tried it on the system which I lost connectivity to (i.e. the one I could not ssh to). I will be in contact with the Network guys soon.

methyl · August 16, 2010, 2:24pm

I think that the offending node name is actually called "mac address" .
A combination of "ping <ip address>" then "arp -a" should find the MAC address if it is on the same segment. This would help the network support.
I really needs your network support to find the physical connection.

Corona688 · August 16, 2010, 4:06pm

You can also install the 'arping' tool to send and monitor arp requests on command. The -d flag tells it to hunt for multiple macs on one IP if present.

notreallyhere · August 17, 2010, 8:10am

Thanks guys. The network team is on it.