New Member
Posts: 11
Registered: ‎12-16-2017

Duplicate IP Address - What to look for in logs?

I have one user who continues to get duplicate IP notifications on his local computer. It's a Mac running High Sierra.

 

We have a mixed environment but I'm slowly moving things over to Unifi. Right now a USG 4P is our gateway, with a cloud key gen1 being the controller, we also have a UniFi Switch 48 POE-500W, and then some Apple Airports we're soon replacing, and smaller switches.

 

Here's the question: What would I be looking for in the logs, alerts, wherever, to see notification of if the router is actually generating a duplicate IP, or just being able to keep tabs on his device to the point where I can rule out that it's NOT the router?

 

Thanks!

 


Ubiquiti Employee
Posts: 1,482
Registered: ‎02-28-2017
Kudos: 480
Solutions: 148

Re: Duplicate IP Address - What to look for in logs?

You'll most likely get a message in /var/log/messages in the USG. If you SSH to the USG and run "show log" (you can use the space bar to parse through it), you should see a relevant message, so long as the USG is also your DHCP server.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 11
Registered: ‎12-16-2017

Re: Duplicate IP Address - What to look for in logs?

It is, but what would it say? I have 13 pages ... do I search for their MAC address?

Ubiquiti Employee
Posts: 1,482
Registered: ‎02-28-2017
Kudos: 480
Solutions: 148

Re: Duplicate IP Address - What to look for in logs?

Just look on the last few pages and skim for a relevant looking message, I forget what the specific log looks like but it's most likely going to contain the IP address. So you can type: "sudo grep -i 192.168.9.142 /var/log/messages" to see if anything pops up as well.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 11
Registered: ‎12-16-2017

Re: Duplicate IP Address - What to look for in logs?

Got it, bummer sudo grep -i 192.168.9.142 /var/log/messages produced nothing.

 

The show log had less than an hour's worth of information.

 

Does the /var log show more?

Ubiquiti Employee
Posts: 1,482
Registered: ‎02-28-2017
Kudos: 480
Solutions: 148

Re: Duplicate IP Address - What to look for in logs?

Try "sudo arp -na | grep 192.168.9.142" and see if a MAC address pops up that doesn't belong to that specific macbook.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 30
Registered: ‎09-02-2016
Kudos: 5
Solutions: 1

Re: Duplicate IP Address - What to look for in logs?

I would shut down the Mac that reports the problem, wait a few minutes (5-10) and then look in the USG or switches ARP table.

Then you should be able to see the mac-address of the device with the same mac-address; you might need to ping the device before it shows up.

That might be easier than looking for something in the logs, that you don't know what looks like.

 

--

Ronni

Ronni
Somewhere in Denmark...
New Member
Posts: 11
Registered: ‎12-16-2017

Re: Duplicate IP Address - What to look for in logs?

It's not a duplicate MAC, it's a duplicate IP.

 

I'll try that other command when it happens again!

Member
Posts: 539
Registered: ‎09-23-2018
Kudos: 59
Solutions: 28

Re: Duplicate IP Address - What to look for in logs?

If you're running a controller where your USG is the DHCP server, you could look in your clients list to see what has that IP

New Member
Posts: 30
Registered: ‎09-02-2016
Kudos: 5
Solutions: 1

Re: Duplicate IP Address - What to look for in logs?

I know, but I see that I wrote mac-address and not IP-address (I will edit it afterwards).

 

If you want to find the client who uses the same IP-address you need to identify its mac-address, since that's the only unique identifier of a client.

 

Removing the client (Mac) that reports the duplicate IP-address helps identify the other client's mac-address using the ARP table; the ARP table properly needs to time out before the new entry is added/updated, this usually takes around 5-10 minutes.

 

You can also try to configure the Mac with a different static IP-address and then ping the IP-address that's the problem, and then look at the Mac client's ARP table using (# arp -a).

 

--

Ronni

Ronni
Somewhere in Denmark...
New Member
Posts: 11
Registered: ‎12-16-2017

Re: Duplicate IP Address - What to look for in logs?

The thing is the issue goes away immediately, two IPs don't show on the router, only on his computer, which is why I'm trying to track down exactly what his computer is doing on the router.

 

I'm going to run this after next occurrence

sudo arp -na | grep 192.168.9.142

 

New Member
Posts: 11
Registered: ‎12-16-2017

Re: Duplicate IP Address - What to look for in logs?

So he reported it happened again yesterday, 45 minutes after starting working and working on his computer.

 

The IP this time was 192.168.9.174

 

Running the command produced an error? 

 

sysadmin@USG4P:~$ sudo arp -na | grep 192.168.9.174

? (192.168.9.174) at <incomplete> on eth0

New Member
Posts: 30
Registered: ‎09-02-2016
Kudos: 5
Solutions: 1

Re: Duplicate IP Address - What to look for in logs?

Hi,

 

You get the <incomplete> error because the two computers haven't communicated, so your computer doesn't know the mac-address of the other host. It might not be able to get this, since a ping to the same IP-address is already on the computer's own interface.

 

When this happens:

1. Note the IP-address that is conflicting.

2. Change the IP-address on the computer to a static not-used IP-address.

3. Ping the conflicting IP-address.

4. Do the arp -na command again.

 

Then you should be able to get the mac-address.

 

Another approach is if you have a computer on the same IP-segment, then do first a ping on the conflicting IP-address and then the arp -na command.

 

Ronni
Somewhere in Denmark...
New Member
Posts: 11
Registered: ‎12-16-2017

Re: Duplicate IP Address - What to look for in logs?

Unfortunately, by the time I attempt to troubleshoot which is within 30 minutes to an hour, his computer has already grabbed a new IP.

 

There is NOTHING at the IP that is being reported as a duplicate on the network, so there's nothing to ping.

 

From 192.168.9.1 icmp_seq=18 Destination Host Unreachable

 

So, by the time I try troubleshooting, the IP being reported as a duplicate isn't even being used by the router, at least it wasn't this morning.

 

-r

New Member
Posts: 30
Registered: ‎09-02-2016
Kudos: 5
Solutions: 1

Re: Duplicate IP Address - What to look for in logs?

If it's not possible to troubleshoot when the problem occurs, then your best option is to look in your DHCP-server log; I guess that is the USG?

 

I don't have one myself, but I think you should look in the files:

/var/log/messages

or

/var/log/user/dhcpd

Search for the IP-address and look for the mac-addresses.

 

You might want to look at this thread:

https://community.ubnt.com/t5/EdgeRouter/DHCP-Lease-Log/td-p/496671

Specifically syslog level, which might need to be changed before any problems are visible in the logs.

Set it to debug.

 

This article might also help about the logs:

https://help.ubnt.com/hc/en-us/articles/204959834-UniFi-How-to-View-Log-Files

 

--

Ronni

 

Ronni
Somewhere in Denmark...
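
An added example, not posted by anyone in this thread, of the log search suggested above: it lists every MAC address that a DHCP server log ties to one IP address, together with the message type. A DHCPDECLINE is what a DHCP client sends when it finds its assigned address already in use (RFC 2131). The log line format is assumed to be ISC dhcpd style, the function names are hypothetical, and the sample lines and MAC addresses are constructed.

```shell
#!/bin/sh
# Added example. Assumes ISC dhcpd-style syslog lines; function names are
# hypothetical and every log line below is constructed sample data.

# write_sample_log FILE: create a small constructed DHCP log for the demo.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  9 18:02:40 USG4P dhcpd: DHCPACK on 192.168.9.174 to aa:bb:cc:00:00:02 (printer) via eth0
Jan 10 09:00:01 USG4P dhcpd: DHCPREQUEST for 192.168.9.174 from aa:bb:cc:00:00:01 via eth0
Jan 10 09:00:01 USG4P dhcpd: DHCPACK on 192.168.9.174 to aa:bb:cc:00:00:01 (macbook) via eth0
Jan 10 09:10:00 USG4P dhcpd: DHCPACK on 192.168.9.17 to aa:bb:cc:00:00:03 via eth0
Jan 10 09:45:12 USG4P dhcpd: DHCPDECLINE of 192.168.9.174 from AA:BB:CC:00:00:01 via eth0: abandoned
Jan 10 09:45:13 USG4P dhcpd: DHCPACK on 192.168.9.175 to aa:bb:cc:00:00:01 (macbook) via eth0
EOF
}

# dhcp_events_for_ip IP LOGFILE: print sorted "MAC EVENT COUNT" lines.
# The IP must match a whole field, so 192.168.9.17 does not also hit .174
# (a plain grep for the shorter address would).
dhcp_events_for_ip() {
    awk -v ip="$1" '
        {
            ev = ""; mac = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f == ip) hit = 1
                else if (f ~ /^DHCP[A-Z]+$/) ev = f
                else if (length(f) == 17 &&
                         f ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/)
                    mac = tolower(f)   # normalise case so one device counts once
            }
            if (hit && ev != "" && mac != "") n[mac " " ev]++
        }
        END { for (k in n) print k, n[k] }
    ' "$2" | sort
}

# distinct_macs IP LOGFILE: how many different MACs the log ties to that IP.
# More than one means two devices were handed (or declined) the same address.
distinct_macs() {
    dhcp_events_for_ip "$1" "$2" | cut -d" " -f1 | sort -u | wc -l | tr -d " "
}

sample=$(mktemp)
write_sample_log "$sample"
dhcp_events_for_ip 192.168.9.174 "$sample"
echo "distinct MACs for 192.168.9.174: $(distinct_macs 192.168.9.174 "$sample")"
rm -f "$sample"
```

Against a real log, pass the file named in the thread instead of the sample, for example `dhcp_events_for_ip 192.168.9.174 /var/log/messages`.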