Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
create_share
New Contributor

IP Conflict between Fortigate and a Server (Strange Issue)

Hi,

One of my Windows virtual servers suddenly lost network connectivity and started showing "Duplicate after its ipv4 address". When I checked the ARP, it was showing the Fortigate LAN Interface Mac address. The Server IP Address is not added to any of the Fortigate Interfaces.

 

Any Suggestions?

 

Thanks.

1 Solution
rarumugam
Staff
Staff

Hi,

Ideally, When an IP address is assigned to a network interface, the operating system first checks for IP conflicts by sending an ARP probe, which is essentially an ARP request. If no conflicting responses are received, it assigns the IP address to the NIC and then announces it to the network using Gratuitous ARP (GARP).

If you find the FortiGate LAN interface's MAC address associated with the IP address in the server's ARP table, it means the FortiGate has responded to the ARP probe sent by the server during IP assignment. This suggests that the firewall owns the server's IP address and is responding to ARP requests.

I would recommend checking if the server's IP address is used in the firewall's configuration, particularly in settings like IP pools, proxy ARP, VIP (Virtual IP), etc. You can use the following command to verify this:

# sh | grep <server IP address>

If they are used in the config, then you could either remove the settings from the firewall or disable arp-reply under the settings (only if used on IP-Pool or VIP).
You could refer to the article in the below link to perform the same,
https://community.fortinet.com/t5/FortiGate/Technical-Tip-ARP-reply-setting-in-Virtual-IP-IP-Pool/ta...

Cheers,

Rambharathi Arumugam

View solution in original post

3 REPLIES 3
kcheng
Staff
Staff

Hi @create_share 

 

How is the FortiGate and the server obtained it's IP address? Did you somehow configured the respective with DHCP server? 

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
rarumugam
Staff
Staff

Hi,

Ideally, When an IP address is assigned to a network interface, the operating system first checks for IP conflicts by sending an ARP probe, which is essentially an ARP request. If no conflicting responses are received, it assigns the IP address to the NIC and then announces it to the network using Gratuitous ARP (GARP).

If you find the FortiGate LAN interface's MAC address associated with the IP address in the server's ARP table, it means the FortiGate has responded to the ARP probe sent by the server during IP assignment. This suggests that the firewall owns the server's IP address and is responding to ARP requests.

I would recommend checking if the server's IP address is used in the firewall's configuration, particularly in settings like IP pools, proxy ARP, VIP (Virtual IP), etc. You can use the following command to verify this:

# sh | grep <server IP address>

If they are used in the config, then you could either remove the settings from the firewall or disable arp-reply under the settings (only if used on IP-Pool or VIP).
You could refer to the article in the below link to perform the same,
https://community.fortinet.com/t5/FortiGate/Technical-Tip-ARP-reply-setting-in-Virtual-IP-IP-Pool/ta...

Cheers,

Rambharathi Arumugam
create_share

Yes, the Server IP Address is used under IP Pools for natting purposes, and after disabling ARP-Reply, it started working. The above command showed this:

 

set subnet 192.168.1.29 255.255.255.255
edit "192.168.1.29"
set startip 192.168.1.29
set endip 192.168.1.29

 

 

Top Kudoed Authors