Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
967
Views
0
Helpful
1
Replies

DTL-1-ARP_POISON_DETECTED: what would cause this

garyleggat
Level 1
Level 1

‎02-25-2014 02:14 PM - edited ‎07-05-2021 12:16 AM

DTL-1-ARP_POISON_DETECTED: dtl_net.c:1390 STA(Target MAC Address) [c8:f7:33:9d:66:74, 0.0.0.0] ARP (op ARP REQUEST) received with invalid SPA(Source IP Address) 192.168.16.12/TPA(Destination IP Address) 192.168.16.254

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Scott Fella
Hall of Fame
Hall of Fame

‎02-25-2014 03:10 PM

Here is from the doc

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0MR1/message/guide/SysMsgGuide_7-0MR1/dtl_eap_7-0MR1_msgs9.html#wp1010140

Error Message %DTL-1-ARP_POISON_DETECTED: STA [[hex]:[hex]:[hex]:[hex]:[hex]:[hex],
[dec].[dec].[dec].[dec]] ARP (op [int]) received with invalid SPA
[int].[int].[int].[int]/TPA [int].[int].[int].[int]
Explanation The system might have detected ARP spoofing or poisoning. However, this message does not necessarily imply that any malicious ARP spoofing has occurred. The message appears when the following conditions are true:
?A WLAN is configured with DHCP Required, and a client device, after associating on that WLAN, transmits an ARP message without first completing DHCP. This may be normal behavior; it could happen, for example, when the client is statically addressed, or when the client is holding a valid DHCP lease from a prior association. The resulting message might look like this example:
DTL-1-ARP_POISON_DETECTED: STA [00:01:02:0e:54:c4, 0.0.0.0] ARP (op 1) received
with invalid SPA 192.168.1.152/TPA 192.168.0.206
The effect of this condition is that the client will be unable to send or receive any data traffic until it acquires a valid DHCP address through the WLC. Table 10-1 lists explanations for each segment of the example message above.
Table 10-1 Explanations for ARP_POISON Message Segments
Message Segment
Explanation
DTL-1-ARP_POISON_DETECTED

The controller received an ARP packet from a client in DHCP_REQ state.
STA [00:01:02:0e:54:c4, 0.0.0.0]

The client ("STA," an 802.11 wireless station) has a MAC address of 00:01:02:0e:54:c4 and an IP address unknown to the controller ("0.0.0.0").
ARP (op 1)

The offending packet received from the client was an ARP request (opcode 1).
invalid SPA 192.168.1.152/TPA 192.168.0.206

The source IP address (SPA: "sender protocol address") of the ARP request was 192.168.1.152. The target IP address (TPA, or "target protocol address") of the ARP request was 192.168.0.206.

Recommended Action When you see this message, take one or more of these steps:
?Decide whether you want to force your wireless clients to DHCP first, after associating, before they can send IP packets.
?If no, unconfigure the DHCP that is required for the WLAN and this error should not appear.
?If yes, configure all clients to use DHCP. If clients are configured for DHCP but sometimes send IP packets after associating without re-DHCPing, then see if the client eventually does re-DHCP and does not suffer an unacceptable outage before re-DHCPing. If the outage before re-DHCPing is acceptable, you can ignore this message. If the client never does re-DHCP after associating, then it will never be able to pass Layer 3 traffic. In that case, you need to change the client's behavior so that it always does re-DHCP after associating.
?If the source IP address (SPA) of the ARP is an APIPA address (such as one in 169.254.0.0 /16), the client might be attempting but failing to acquire an address using DHCP, and you should verify that your DHCP implementation works.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card