Received conflicting ARP on interface ethernetX/X indicating duplicate IP Y.Y.Y.Y

• Receiving conflicting ARP log messages on an interface on the firewall.
  • Eg, Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 172.16.0.58, sender mac 00:50:56:9b:71:fe

• Next Generation Firewall
• PAN-OS 9.1 and above
• Topology:

1. Cause: Assigning the same IP on both devices

2. Cause: Assigning the same IP as a SNAT (Source NAT) address facing the internet

3. Cause: Assigning the same IP as a DNAT (Destination NAT) address facing the internet

4. Cause: Assigning a SNAT (Source NAT) pool, where the concerned IP is part of the pool

1. Create a packet filter based on the interface where the duplicate IP address is seen, from Monitor > Packet Capture > Configure Filtering > Manage Filters

2. Configure the appropriate stages and their corresponding file name:

3. Generate the ARP request by using the ping tool:

ping source 172.16.0.201 host 172.16.0.58

4. Download and merge R.pcap and T.pcap together and use wireshark filter 'arp' :

5. Interpreting packet capture:

1. Frame 9, Firewall sends out an ARP request broadcast on who is the owner of IP: 172.16.0.58.
2. Frame 10, Router informed Firewall that 172.16.0.58 has the MAC address of 00:58:56:9b:71:fe (which is his own MAC).
3. Frame 11, Firewall overwritten the ARP reply from Frame 10, which shouldn't be, this is the part where the firewall will generate the log for duplicate IP.