lukeod Posted August 8, 2007

Hi,

We've been having an issue lately on some of our servers where every now and then, a PC or laptop (doesn't seem to be model related) cannot ping the domain controller, but can ping any other address. The servers are Windows 2003, which are automatically patched, and all the PCs / laptops are Windows XP Pro SP2.

Here are circumstances in which the PCs / laptops cannot ping the server, but can ping anything else:
- Leaving on DHCP
- Setting a static IP which is the same as the DHCP address

Here are circumstances where they can ping the domain controller and everything else:
- Setting a DHCP reservation different to the usual address
- Setting a static IP different to the usual address

Until recently, the only fix to the issue that worked was resetting the domain controller, which obviously is far from optimal. We had tried resetting the machine in question, deleting the DNS and DHCP entries on the server, and resetting the Netlogon, DHCP and DNS services on the server. Also tried ipconfig /release + /renew, releasing and re-registering with DNS on the machine, and running repairs on the NIC.

Recently we found that the domain controller had a static ARP entry for the machine in question, and found that clearing the ARP cache on the server fixed the issue (netsh interface ip delete arpcache).

Nobody manually adds static ARP entries on the server, so I have no idea how they are getting there. Does anybody know why static ARP entries are being added on the server, and if there is a better fix than remote desktopping to the servers and clearing the ARP cache when the issue happens?

Thanks in advance,
Luke O'D

eyeball Posted August 8, 2007

The only thing I can think of is: do you have any apps that run on this server that could possibly do anything like that?

Edited August 8, 2007 by eyeball

lukeod (Author) Posted August 8, 2007

> the only thing i can think of is do you have any apps that run on this server that could possibly do anything like that?

Not that I can think of. Can anyone think of a method by which I can monitor what adds entries to ARP? Wireshark? Some sort of file monitor utility?

Luke

tain Posted August 8, 2007

ARP poisoning?

Yes, Wireshark can help you track this down.

lukeod (Author) Posted August 8, 2007

I think I've tracked it down - 3Com's PXE boot server on 2003 causes this issue. There are currently no fixes that I'm aware of and I'll have to either find a new one or schedule an arp cache every 10 - 30 mins.
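
One way to watch for the static ARP entries discussed in this thread, as an added example that is not part of any poster's message: a Python parser for the table printed by Windows `arp -a` that reports static entries not on an allowlist. The sample table, its addresses and the function names are constructed for illustration.

```python
import re
import subprocess
from typing import NamedTuple

class ArpEntry(NamedTuple):
    interface: str
    ip: str
    mac: str
    kind: str  # "static" or "dynamic"

# Constructed sample in the layout printed by Windows "arp -a"; addresses are made up.
SAMPLE = """
Interface: 192.168.1.10 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.57          00-AA-BB-CC-DD-EE     static
  192.168.1.60          00-0c-29-12-34-56     dynamic
"""

_IFACE = re.compile(r"^Interface:\s+(\S+)")
_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(static|dynamic)\s*$",
    re.I,
)

def parse_arp_table(text):
    """Turn "arp -a" output into ArpEntry rows, tracking the interface each row belongs to."""
    entries, iface = [], None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _ROW.match(line)
        if m and iface:
            entries.append(ArpEntry(iface, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries

def unexpected_static(entries, allowed=frozenset()):
    """Static entries whose (ip, mac) pair is not in the allowlist of known-good pairs."""
    return [e for e in entries if e.kind == "static" and (e.ip, e.mac) not in allowed]

def read_live_table():
    """Run "arp -a" on the local Windows machine and parse the result."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return parse_arp_table(out)

if __name__ == "__main__":
    for e in unexpected_static(parse_arp_table(SAMPLE)):
        print(f"unexpected static ARP entry on {e.interface}: {e.ip} -> {e.mac}")
```

Run on a schedule with `read_live_table()` and logged with a timestamp, this shows when a static entry first appears, which can then be lined up with service activity on the server.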