Contributor
June 15, 2007
Question

DMZ - IP Address conflict!

I can't figure this out. I have a Fortigate-60 (firmware 413 - build8424) and have the DMZ interface configured with the address 192.168.10.1/255.255.255.0. I have a PC directly connected to the DMZ port with a static address 192.168.10.10/255.255.255.0. For some reason, the PC will not connect to the network. Windows complains that there is an IP address conflict with another system on the network. Checking the logs on the PC shows the conflict is with the DMZ interface. (I can tell by the MAC address.) Am I missing something here? Any suggestions at all are appreciated.

    17 replies

    rwpatterson
    New Member
    June 15, 2007
    I have seen similar problems a long time ago on Windows 95 machines. The NIC card had to be removed and reinstalled (electronically, not physically). If you change the IP address, and the conflict message comes up with the new IP address as well, it's probably a Windows problem. Try to reinstall and connect again.
    Contributor
    June 15, 2007
    Bob - thanks for the suggestion. I did try with different addresses:
    DMZ - 192.168.56.1
    PC - 192.168.56.10
    Same result. I just discovered the packet sniffer in the Fortigate unit. I turned it on to sniff all packets on the DMZ port. Then I disabled and enabled the NIC on the PC.
    ---- sniffer output ----
    342.536080 arp who-has 192.168.56.10 tell 192.168.56.10
    342.536138 arp reply 192.168.56.10 is-at 0:9:f:b:90:3d
    ------------------------
    This is the weird part - the MAC address listed (0:9:f:b:90:3d) is the DMZ port. Why does the DMZ port think that it has the .10 address?
    rwpatterson
    New Member
    June 15, 2007
    Try another PC. See if the problem stays there with the FGT.
    Fireshield
    New Member
    June 15, 2007
    Something is corrupt on that PC. Notice on your packet sniff that 192.168.56.10 is asking who-has 192.168.56.10? Why would a device ask for the MAC address of itself?
    UkWizard
    New Member
    June 19, 2007
    ORIGINAL: Fireshield Something is corrupt on that PC. Notice on your packet sniff that 192.168.56.10 is asking who-has 192.168.56.10? Why would a device ask for the MAC address of itself?
    I doubt it would be the PC doing the ARP reply; that's most likely the firewall causing this. Try another PC. Do you have the PC directly connected to the DMZ port, or with a switch in between? If the latter, are any other devices connected? Do you have the firewall in NAT mode or Transparent mode? Otherwise, as ede_pfau asked, what about DHCP/VIPs? Something fishy here... very odd...
    Contributor
    June 15, 2007
    Good point, Fireshield. Thanks for your comments, gents. I am going to try with a different PC and see if the results differ...
    ede_pfau
    SuperUser
    June 19, 2007
    - You're 100% sure you didn't mis-type one of the addresses? One can mix up .1 and .10 easily.
    - Another idea: do you have any proxy IDs or VIPs configured?
    - Do you have a DHCP server configured on the DMZ interface?
    BTW, what is the other network the FGT is connected to?
    - Ede
    UkWizard
    New Member
    June 19, 2007
    Just thought of a couple of other things: Check you haven't got a VIP "IP POOL" in use on the DMZ interface. Check you haven't got a VIP using the DMZ interface (like a 0.0.0.0 entry). And you have rebooted the firewall since changing the IP, haven't you? Run the command "get system arp" and print the results here as well. The first one in the list above would be the most probable problem.
    Contributor
    June 19, 2007
    Thanks for the suggestions! I double-checked the IP addresses to make sure it wasn't just a typo causing all the problems. In fact, I replaced all the addresses with a new set and still had the conflict. DHCP server is not active on the FG-60. No proxy IDs are configured. One VIP is configured for doing address translation from Internet to DMZ. The FG-60 is connected to the Internet via wan1 to a Cisco router. The corporate network is connected via the internal port to an HP switch. The DMZ has only one machine connected to it - and it is directly connected to the DMZ port. I ran the command 'get system arp'. Here is the output:
    FGT-602904402748 # get system arp
    Address          Age(min)  Hardware Addr      Interface
    192.168.2.1      0         00:c0:9f:2a:fd:f2  internal
    192.168.2.5      0         00:11:20:4c:bf:42  internal
    192.168.2.6      1         00:12:d9:17:86:1e  internal
    192.168.2.49     0         00:19:30:dd:9c:c4  internal
    192.168.2.55     0         00:0f:ea:78:de:70  internal
    192.168.2.57     5         00:15:f2:4c:90:86  internal
    192.168.2.88     0         00:80:5f:9f:68:6a  internal
    192.168.2.100    0         00:16:36:36:18:ff  internal
    192.168.2.101    0         00:c0:a8:8b:bb:77  internal
    192.168.2.102    6         00:16:36:71:7a:2e  internal
    192.168.2.104    0         00:17:08:5e:e2:9d  internal
    192.168.2.105    2         00:16:cb:a3:7d:3c  internal
    192.168.2.107    0         00:17:08:5f:1e:b6  internal
    192.168.2.109    0         00:0f:b0:86:be:c9  internal
    192.168.2.111    0         00:11:d8:6a:b2:f6  internal
    192.168.2.113    0         00:c0:9f:8b:27:a7  internal
    192.168.2.115    0         00:0a:e4:a0:40:b0  internal
    192.168.2.117    4         00:0e:a6:80:2a:48  internal
    192.168.2.118    0         00:15:f2:45:34:85  internal
    207.236.146.241  0         00:02:16:de:36:41  wan1
    I notice that the DMZ doesn't report its address! That's not right, is it?
    rwpatterson
    New Member
    June 19, 2007
    That's not so abnormal. If no traffic has hit that device in a while, the entry will drop from the ARP table. Execute a ping from the command line, then execute the command once again. The entry should then be populated.
    UkWizard
    New Member
    June 19, 2007
    Yes, that's correct, it doesn't show its internal interfaces... Try removing the VIP, maybe that's the cause.
    UkWizard
    New Member
    June 19, 2007
    Another thing to try is turning on DHCP and letting the PC get the DHCP address (scope of 1 IP).
    Contributor
    June 19, 2007
    Okay - making little progress here... Windows is not complaining about duplicate IP addresses anymore. The network has two addresses:
    FG-60 DMZ: 192.168.100.1/255.255.255.0
    PC: 192.168.100.10/255.255.255.0
    I tried with different addresses, with and without VIPs. There are no IP Pools. From the FG-60, I can ping in all directions (wan1, internal, dmz) but can't ping from the PC on the dmz across to wan1, for instance. Sniffer on the DMZ port gives me this:
    493.207062 192.168.100.10 -> 192.168.100.1: icmp: echo request
    627.715148 arp who-has 192.168.100.1 tell 192.168.100.10
    627.715200 arp reply 192.168.100.1 is-at 0:9:f:b:90:3d
    627.715365 192.168.100.10 -> 192.168.100.1: icmp: echo request
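    The two sniffer captures in this thread (the June 15 one showing the DMZ port answering the PC's own "who-has .10 tell .10" probe, and the later one showing a normal lookup of .1) can be checked mechanically. This is an added example, not code from the thread or from Fortinet: it parses Fortigate sniffer-style ARP lines and flags a duplicate-address conflict when a host's self-probe is answered by a MAC other than the host's own. The traces are re-typed from the posts; the PC's MAC is a constructed placeholder, since the thread never gives it.

```python
import re
from typing import Dict, List, Set

# Constructed sample traces, re-typed one record per line from the two posts.
CONFLICT_TRACE = """\
342.536080 arp who-has 192.168.56.10 tell 192.168.56.10
342.536138 arp reply 192.168.56.10 is-at 0:9:f:b:90:3d
"""
NORMAL_TRACE = """\
493.207062 192.168.100.10 -> 192.168.100.1: icmp: echo request
627.715148 arp who-has 192.168.100.1 tell 192.168.100.10
627.715200 arp reply 192.168.100.1 is-at 0:9:f:b:90:3d
627.715365 192.168.100.10 -> 192.168.100.1: icmp: echo request
"""
# Placeholder (constructed): the PC's real MAC is not given in the thread.
PC_MAC = "00:11:22:33:44:55"

WHO_HAS = re.compile(r"^\S+ arp who-has (\S+) tell (\S+)$")
REPLY = re.compile(r"^\S+ arp reply (\S+) is-at (\S+)$")


def normalize_mac(mac: str) -> str:
    """Fortigate prints MACs without leading zeros (0:9:f:b:90:3d); pad each octet."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def find_address_conflicts(trace: str, owners: Dict[str, str]) -> List[str]:
    """Return one description per IP that another MAC claims.

    owners maps an IP to the MAC of the host that should hold it.  A
    'who-has X tell X' is the host probing for its own address (the duplicate
    address check Windows does when the NIC comes up); if a different MAC
    answers that probe, another device on the segment also claims X.
    """
    probed: Set[str] = set()
    conflicts: List[str] = []
    for line in trace.splitlines():
        m = WHO_HAS.match(line)
        if m:
            target, sender = m.groups()
            if target == sender:  # self-probe, not an ordinary lookup
                probed.add(target)
            continue
        m = REPLY.match(line)
        if m:
            ip, mac = m.groups()
            owner = owners.get(ip)
            if ip in probed and owner and normalize_mac(mac) != normalize_mac(owner):
                conflicts.append(f"{ip} claimed by {mac}, expected {owner}")
    return conflicts
```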
    rwpatterson
    New Member
    June 20, 2007
    Have you tried another device on the DMZ? You know, to rule out Windows...