A DHCP conflict is recorded when an MX Security Appliance detects two or more devices are using the same IP address. This will likely cause connectivity issues for the devices sharing this IP address. The MX reports IP address conflicts in the Event Log, and an e-mail alert can be configured to alert network administrators to the conflict.
IP address conflicts are recorded in the MX event log. Once logged into the Dashboard, browse to Network-wide > Monitor > Event log. The event log can be filtered to specific event types. We are interested in viewing only DHCP related events, so deselect all categories with the exception of DHCP.
If the MX is providing DHCP, normal DHCP leases will produce the following event logs:
Jul 1 07:00:00 iPhone DHCP lease duration: 86400, router: 192.168.10.1, server_ip: 192.168.10.1 more »
Expanding the more button will reveal information about the DHCP lease that was assigned:
vlan 0 vap 0 subnet 255.255.255.0 ip 192.168.1.251 dns 126.96.36.199 188.8.131.52 server_mac 00:28:0A:43:CA:7B
Note: A DHCP event that has a duration of 0 indicates that the device requested a DHCP option from the MX that is not configured in the DHCP settings.
After an IP address conflict is detected, a set of event logs will reflect the MAC addresses that are using the same IP addres
Jul 1 11:00:00 Test-Windows8 Client IP conflict MAC: 70:32:4B:DE:70:62 also claims IP: 192.168.1.225 Jul 1 11:00:00 FileServer01 Client IP conflict MAC: 9B:00:AA:5F:AD:9F also claims IP: 192.168.1.225
The Client IP conflict logs do not mean necessarily that the MX (or another DHCP server) assigned the same IP address to multiple devices. The MX is reporting that two different MAC addresses have been seen sending traffic with the same IP address. Most IP conflicts are related to two issues: a rogue DHCP server on network or when a static IP address is assigned to a device even though the IP address is a part of an active DHCP scope. If DHCP is enabled on the MX, you can check the event log to determine if it assigned the IP address listed in the conflict event. Active DHCP leases can also be seen from Monitor > Appliance status > Live tools > DHCP leases. If another server on the network is providing DHCP, the lease table can be viewed to determine active leases that the DHCP assigned to clients.
The next step is to isolate one of the devices and change its IP address. The event log on the MX provides the MAC address of the devices that have the conflicting IP address. The Monitor > Clients page can be used to search for the MAC address of the client. Please review this knowledge base article on searching for specific clients. Select the client and view the status information to determine the switch and port number where the client is connected:
Before changing the IP address of the client you should note the IP address of the DHCP server that assigned the DHCP lease:
Make sure that the IP address of the DHCP server corresponds to the address of the correct server. If the address is another device, there is likely a rogue DHCP server on the network. The IP address can be used to track down the switchport that the DHCP server is connected to. Please refer to the following knowledge base article that details finding a rogue DHCP server.
E-mail alerts can be setup to alert administrators of IP conflicts from Network-wide > Configure > Alerts & administration > Network alerts: