IP address conflict at resort even though everything is set to DHCP

I have a resort with 16 access points going to the firewall and all of a sudden anyone who tries to connect gets an IP address conflict and it brings down the network.  I tried statically assigning IP addresses to the access points, then dynamically, with no change.  The IP scope is outside the range of anything that is statically assigned.  I am assuming it's a guest's device that is causing the issue, but how do I troubleshoot and, even more importantly, how do I resolve the issue since anyone staying here can access the wifi?
excell-tecAsked:
 
excell-tecAuthor Commented:
Their camera system was conflicting and I was not made aware it existed until now.
0
 
MrC63Commented:
A single IP conflict shouldn't bring down the entire network, it should only cause a conflict between the two devices (and some confusion on the switch potentially) -- unless the IP conflict is with the actual firewall itself.

I would suggest you start by running a discovery of all devices.  There are a number of applications that can do this for you, some are free and some have a nominal cost (under $100).  I won't make any specific recommendations, each has its own pros and cons.

Your access points should likely have static IP addresses, and you should ensure your DHCP scope excludes any and all internal devices that have statically assigned IPs.  However, rather than physically assigning a static IP, I prefer to do this with a DHCP reservation based on the device's MAC address.  The benefit is that you can actually refer to a list of all devices by viewing the reservations table, rather than recording static addresses in a separate document or spreadsheet.

Because you are a resort, it would probably be a bit difficult to pinpoint exactly where in the resort the conflict is coming from.  At this point, you may have to disconnect all A/P's from the switch, then plug them in one by one until the conflict occurs again.  This should tell you exactly which A/P the device is connecting to.  Unfortunately, with WiFi, it might be a bit labour intensive.

MrC
0
 
excell-tecAuthor Commented:
I actually did disconnect them all and I did figure out which one it is, but that doesn't tell me how to resolve it. As soon as I connect it every computer on the network gets an IP address conflict error.  There's got to be a reason and resolution because all resorts have wifi like this and I can't imagine that devices just come in and crash it.  All the things you mentioned are how you suggested to set it up.  I know it is very cut and dry but it literally kills the whole network which luckily I now have separated from the office PC's so they are no longer being affected.  Any other suggestions?
0
 
MrC63Commented:
There's a somewhat crude way of doing it.  Leave that specific A/P disconnected, and wait for calls from your guests.  Have them power off the device, bring it to your front desk, and then power it on.  If it crashes the network, you'll at least know which device is doing it.  In the meantime, none of your other guests will be impacted.  And of course, you will have to apologize to the guests who are in range of that particular A/P when it's disconnected.
0
 
excell-tecAuthor Commented:
I'll run that by the manager.  It has been going on for a couple of weeks so I have a feeling it's been multiple devices and since they are time shares it may not be very good to upset them.  I'll let you know what happens.
0
 
MrC63Commented:
Do you know what region of the resort this specific A/P covers?

You could be proactive and contact them in advance, letting them know that one or more specific devices are causing network problems for the entire resort.  Most people will understand that you're doing troubleshooting and cooperate without too much complaining.
0
 
excell-tecAuthor Commented:
Yes I do
0
 
PCableGuyCommented:
That is a weird problem to have as all the computers get the IP address conflict.

Can you try a different A/P, perhaps the A/P itself has gone rogue.

Did you try putting the rogue A/P on a different switch or firewall port?

Are you the WiFi provider to the resort? If not, perhaps your WiFi vendor might have some suggestions.

What hands out the IP addresses, a central Host computer or something else?
0
 
excell-tecAuthor Commented:
I installed the wifi last summer. I am their IT consultant.  It only recently started happening but I guess it might be possible that it's the access point.  I'll try a different one.
0
 
MrC63Commented:
I would think that it's better to have 90% of your guests operational, and 10% off-line, than it is to have 100% of them off-line, and that's how I would describe it to the owners of the hotels we service.  Would it be hard to contact the various guests that are serviced by this A/P to give them a heads up that their Internet connection is going to be down until you can isolate the device that's causing the problem?

Depending on your switch and whether or not it has VLAN capacity, you could also isolate each A/P to its own VLAN.  This would separate every A/P to its own network.  However, then you have to get into the scenario of routing between VLAN's and the Firewall which is likely more complex than you need to get.
0
 
PCableGuyCommented:
Does the message tell you the conflicted IP address, can you post a screen shot?
0
 
excell-tecAuthor Commented:
Yes, and in the logs it is the computer's own IP.  I can't show you now, I will try to post a picture later.
0
 
PCableGuyCommented:
If you're lucky the other A/Ps will make up the coverage, some guests might suffer low signal though.

Ask the resort manager to keep any affected rooms vacant if possible to buy some additional troubleshooting time.
0
 
PCableGuyCommented:
Possible temporary band-aid: You might be able to put a router between the A/P and firewall. Give the router the IP address of the A/P so it can communicate with the gateway. Change the A/P configuration to work with the router. Tell the router to hand out IP addresses in a specific range. That way you know it cannot create a DHCP conflict.
0
 
excell-tecAuthor Commented:
I have another access point I am implementing right now.
0
 
AdminMonkeyCommented:
Are you sure there is only one DHCP server listening and responding on your network?

How long has the issue been occurring by now? How long do guests stay at the resort? One or two weeks? If it was a guest, would they likely be gone now?
0
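One way to answer the question of whether more than one DHCP server is responding, as an added example that is not part of the original thread: parse captured DHCP server replies and list every server identifier (option 54) that is not on the authorized list. The authorized address 10.16.0.1 is the firewall address given later in the thread; the 192.168.1.x values, the helper names and the sample payloads are constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie after the 236-byte BOOTP header
OFFER, ACK = 2, 5                # option 53 values that only servers send

def make_reply(msg_type, server, offered):
    """Build a minimal server reply (constructed sample data, not a capture)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                      # BOOTREPLY, Ethernet, 6-byte MAC
    hdr[16:20] = ipaddress.IPv4Address(offered).packed    # yiaddr: address being handed out
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server).packed + b"\xff"
    return bytes(hdr) + MAGIC + opts

def parse_reply(payload):
    """Return (msg_type, server_id, offered_ip), or None if not a well-formed reply."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            return None                             # truncated option, ignore the packet
        opts[payload[i]] = data
        i += 2 + length
    if len(opts.get(53, b"")) != 1 or len(opts.get(54, b"")) != 4:
        return None
    return (opts[53][0], ipaddress.IPv4Address(opts[54]),
            ipaddress.IPv4Address(payload[16:20]))

def unexpected_servers(payloads, authorized):
    """Map each unauthorized server identifier to the addresses it offered or ACKed."""
    allowed = {ipaddress.IPv4Address(a) for a in authorized}
    seen = {}
    for p in payloads:
        parsed = parse_reply(p)
        if parsed and parsed[0] in (OFFER, ACK) and parsed[1] not in allowed:
            seen.setdefault(str(parsed[1]), []).append(str(parsed[2]))
    return seen

# Constructed UDP payloads as they would appear in a capture of replies to port 68.
SAMPLE = [
    make_reply(OFFER, "10.16.0.1", "10.16.0.150"),         # the intended DHCP server
    make_reply(OFFER, "192.168.1.1", "192.168.1.100"),     # second responder (assumed)
    make_reply(ACK, "192.168.1.1", "192.168.1.100"),
    make_reply(OFFER, "10.16.0.1", "10.16.0.151")[:245],   # truncated packet
]

if __name__ == "__main__":
    print(unexpected_servers(SAMPLE, ["10.16.0.1"]))
```

Any key in the result is a device handing out leases that nobody configured to do so; the offered addresses show which subnet its clients end up on.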
 
Craig BeckCommented:
What is your actual network setup?? What kit do you have (apart from clients)?
0
 
Sandeep GuptaConsultantCommented:
An IP address conflict happens only when IPs from the same subnet are used somewhere else...

Check the following:

1. Ensure the DHCP pool subnet is not used elsewhere
2. Check that the lease time is identical everywhere; possibly it is causing the IP conflict
3. Ensure your firewall settings are not mishandled

get back
0
 
excell-tecAuthor Commented:
I think I found an access point that somehow reset to factory default, making it the same IP as the router. I have since put it back to connecting to just one firewall and taking the other router out of the equation because now devices either don't obtain an IP or they do and still cannot browse the web. I have a SonicWall firewall, Cisco switch, and EnGenius access points. Am I possibly entering the wrong DNS servers in the access points? That's the only thing I can think of. My Server 2008 does DNS and the SonicWall does DHCP. What am I missing? I set these networks up a million times... UGH
0
 
MrC63Commented:
Why not let your 2008 Server handle both DHCP and DNS.
0
 
excell-tecAuthor Commented:
Because I couldn't get it to work through the sonicwall. If you can help me figure that out maybe it would resolve the issue.
0
 
MrC63Commented:
Let me see if I understand this.  Your server 2008 is on the outside of the firewall?
0
 
excell-tecAuthor Commented:
AN to switch which is what the server and everything else on the network are connected to.
0
 
excell-tecAuthor Commented:
That didn't post correctly.
0
 
excell-tecAuthor Commented:
My internet connection goes into my firewall and out to a switch (LAN). Out from there it connects to my server, LAN, and access points.
0
 
MrC63Commented:
The DHCP services of Server 2008 will actually test to see if other DHCP services are running.  If DHCP services are running on the SonicWall, and if the server and Firewall are on the same network (based on the IP subnet), then the DHCP services will fail to start because of the presence of another DHCP server.

If you disable DHCP on the Sonicwall, you should have no problems configuring and running the DHCP server on the 2008 server.
0
 
excell-tecAuthor Commented:
So do you think that's going to fix my problem?
0
 
MrC63Commented:
No, but I have another course of action that can be taken once we get the services running from the proper device.

As I understand it, you've identified that there is an Access point and the Firewall that are the conflicting devices, is that correct?
0
 
excell-tecAuthor Commented:
They are not anymore. Just to double check, since the server will do DNS and have forwarders to the ISP's DNS, the DNS I configure in the access points is only the server's IP, correct?
0
 
MrC63Commented:
Yes, that is correct.  You could potentially list one of your ISP's DNS servers as the "backup" DNS server just in case your Windows server is ever offline.

On another note, and I know this is going to spark a bit of debate, I prefer to use the "root hints" option of MS DNS services rather than "forwarders".  Both are acceptable, however when using the root hints, you query the authoritative servers directly.  Although this adds a bit of time to the "round trip" of a DNS query (we're talking milliseconds), it also ensures that DNS updates are refreshed much more quickly.  Your DNS server will hold items in cache for (typically) an hour.  Who knows how long your ISP's DNS servers store their cache.  You could end up with significant delays when other websites change IP addresses.
0
 
MrC63Commented:
Are you saying that the A/P and the Firewall now have different  (static) IP addresses -- yet you continue to have problems when the A/P is attached to the network?
0
 
excell-tecAuthor Commented:
Yes, but the issue is no longer IP conflicts. Devices either don't obtain an IP and can't connect or even if they do connect and obtain an IP they can't get to a web page. It's fricken weird man. It's like there's a ghost in the system...
0
 
MrC63Commented:
Does this only occur with this particular A/P connected, or does it occur even when it is disconnected?
0
 
excell-tecAuthor Commented:
It's not with just that one connected. If I connect them one at a time then try connecting it usually works for a little bit and then after a few minutes it's like everything dies...
0
 
excell-tecAuthor Commented:
I have all repeaters and bridges in other buildings turned off also. All I have are wired access points which is why it makes no sense why it's not working.
0
 
MrC63Commented:
Ok, now I'm starting to form a hypothesis.

I'm beginning to think that your DHCP scope on the Sonicwall is not properly excluding various addresses that are either static, or absolutely required by your network.  At some point, you're running into additional overlap of IP addresses.

I would really like to see you get your DHCP services onto the 2008 server.  I can give you a lot more guidance about setting up the scope, reservations and static addresses from there -- and ultimately that's what your server should be doing, not the firewall.
0
 
excell-tecAuthor Commented:
Ok, I will be doing this all on Monday. My scope on the firewall is 10.16.0.150-10.16.0.254. All printers are 10.16.0.30-10.16.0.40. Access points and repeaters are 10.16.0.11-10.16.0.29. Server is 10.16.0.22. Firewall is 10.16.0.1. Unless I'm missing something I don't see a problem and shouldn't need reservations. I am going to set it up on the server but use forwarders because that's what I am more used to and I'll set it all up the same way.
0
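The address plan in the post above can be checked mechanically against what is actually on the wire. The following is an added example, not part of the original thread: it flags overlapping ranges in the plan, addresses answered by more than one MAC, and devices sitting inside the DHCP scope without holding the lease. The ranges are the ones posted; the lease table, ARP sightings and MAC addresses are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

def ip_range(first, last):
    """Inclusive range as a pair of integers so ranges compare cheaply."""
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))

# Address plan exactly as posted in the thread.
PLAN = {
    "dhcp_scope": ip_range("10.16.0.150", "10.16.0.254"),
    "printers": ip_range("10.16.0.30", "10.16.0.40"),
    "aps_repeaters": ip_range("10.16.0.11", "10.16.0.29"),
    "server": ip_range("10.16.0.22", "10.16.0.22"),
    "firewall": ip_range("10.16.0.1", "10.16.0.1"),
}

def plan_overlaps(plan):
    """Pairs of named ranges that share at least one address."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a][0] <= plan[b][1] and plan[b][0] <= plan[a][1]]

def audit(plan, leases, sightings):
    """leases: {ip: mac} from the DHCP server; sightings: [(ip, mac)] from an ARP sweep."""
    lo, hi = plan["dhcp_scope"]
    macs = defaultdict(set)
    for ip, mac in sightings:
        macs[ip].add(mac.lower())
    findings = []
    for ip in sorted(macs, key=lambda s: int(ipaddress.IPv4Address(s))):
        n, seen = int(ipaddress.IPv4Address(ip)), macs[ip]
        if len(seen) > 1:                       # two devices answer for one address
            findings.append(("duplicate_ip", ip, sorted(seen)))
        if lo <= n <= hi:                       # inside the pool: must match the lease
            strangers = seen - {leases.get(ip, "").lower()}
            if strangers:
                findings.append(("not_leased_in_scope", ip, sorted(strangers)))
        elif not any(a <= n <= b for a, b in plan.values()):
            findings.append(("outside_plan", ip, sorted(seen)))
    return findings

# Constructed sample data: lease table export and ARP sweep results.
LEASES = {"10.16.0.150": "aa:aa:aa:00:00:01", "10.16.0.151": "aa:aa:aa:00:00:02"}
SIGHTINGS = [
    ("10.16.0.1", "00:11:22:00:00:01"),     # firewall
    ("10.16.0.1", "00:11:22:00:00:99"),     # second device claiming the firewall address
    ("10.16.0.22", "00:11:22:00:00:22"),    # server
    ("10.16.0.150", "AA:AA:AA:00:00:01"),   # guest holding its lease
    ("10.16.0.151", "aa:aa:aa:00:00:02"),   # guest holding its lease
    ("10.16.0.151", "00:11:22:00:00:c1"),   # statically set device inside the pool
    ("10.16.0.60", "00:11:22:00:00:60"),    # device nobody planned for
]

if __name__ == "__main__":
    print(plan_overlaps(PLAN))
    for finding in audit(PLAN, LEASES, SIGHTINGS):
        print(finding)
```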
 
MrC63Commented:
I assume you're referring to DNS when you talk about continuing to use forwarders  (I'm just trying to keep the specific issues separate)?  If my assumption is correct, I'm fine with that.  As I said, neither is absolutely right or wrong.  The root hints option simply allows the cache to be updated more accurately and efficiently, but both options work just fine.
0
 
MrC63Commented:
What kind of switch are you using, and is it a "managed" switch?  If it is, it probably has its own IP address.  

Here's a further hypothesis.  When we install one or more managed switches (that requires their own IP addresses) we usually put them at the opposite end of the network range from the firewall, i.e. if the firewall is xx.xx.xx.1, then we put the first switch at xx.xx.xx.254, the second switch at .253, etc.

I would guess your switch is a managed switch. I'm also guessing that it's been assigned a static address of .254.  This address now exists within your DHCP scope, and as soon as 100-odd devices attach to the network, you now have a conflict with your switch's IP address, which then brings the whole system down after a short period of time.

Does this seem like a possibility to you?
0
 
excell-tecAuthor Commented:
It is an unmanaged switch.
0
 
MrC63Commented:
I like what you've done in terms of identifying specific ranges for your various device styles (printers in one range, A/P's in another).  It seems a bit unusual however that your server would be assigned into a range where non-related devices exist.

Based on the "ranges" you've identified for specific devices, it appears that your server is located in the same range as the Access points.  Would it be difficult for you to reassign the server's static IP address to something like 10.16.0.5, and keep it completely isolated from the ranges you've assigned for other devices?
0
 
excell-tecAuthor Commented:
Actually I can't because that's the IP of the old one and the software they run is RDS application and has to stay that which is why I had no choice but to do it that way.
0
 
MrC63Commented:
The first reason I like DHCP reservations is because it allows me to quickly see, at a glance, all of the devices on the network.  Essentially, it's a quick and easy 'inventory' method.

Reservations also absolutely ensure that there is never an IP conflict, regardless of the IP address that is assigned to the reservation.  Even if I assigned a reservation to a device that would normally be part of the assignable DHCP scope, the reservation ensures that the IP address I've reserved for this device is never assigned to another device.
0
 
PCableGuyCommented:
Hmmm.....just wondering

Access points and repeaters are 10.16.0.11-10.16.0.29
Server is 10.16.0.22

So, the Access points and repeaters are skipping the .22 - right?
0
 
MrC63Commented:
If you can't assign it to .5, you should still be able to assign it to .6, or .7 -- or something that would get it out of the range you normally assign to other, dissimilar devices.
0
 
MrC63Commented:
@PCableguy, that's exactly what I was wondering which is why I suggested moving the server IP address away from that block of addresses.
0
 
excell-tecAuthor Commented:
It does skip 22 and like I say their software vendor would not want me to change it.
0
 
excell-tecAuthor Commented:
I could change the IPs of the access points and just lessen the DHCP scope. It's a little overkill in size right now.
0
 
PCableGuyCommented:
Is there a lot of network traffic when it dies, or does it die to the point of no network traffic?

The reason I ask is I once saw a hotel network come to a grinding halt because one room/PC on the network was hogging all the bandwidth, but a visual inspection of the MDF closet switch ports showed one port with lights blinking very rapidly.
0
 
excell-tecAuthor Commented:
It's possible it's one device because as soon as I power them up 50 things connect to it. I have no idea of determining what it is though...
0
 
PCableGuyCommented:
In our case we had the ability to limit the bandwidth per user, so we didn't need to find the culprit, we capped the bandwidth per user.
0
 
excell-tecAuthor Commented:
How do you do that when there is nothing for them to log onto?
0
 
PCableGuyCommented:
We used Nomadix gateways to manage our networks. All the Internet traffic passed through it, it was also the DHCP server. In our case, the users would log onto a splash page that was on the Nomadix, the Nomadix would authenticate, then the user can access the Internet.

http://www.nomadix.com/pdfs/Products/Platforms/AG%202400%20Datasheet.pdf

Perhaps you can accomplish something similar with your Windows 2008 server.
0
 
excell-tecAuthor Commented:
How much does it cost and does it use a lot of the server's resources?
0
 
PCableGuyCommented:
Sorry :-(, I was not the administrator, just the troubleshooter, cannot answer any cost or configuration questions.

Perhaps someone else is reading this and can offer some advice on Internet gateway and management options.

What's the model number of the Sonic firewall?
0
 
excell-tecAuthor Commented:
Ok, I installed a new switch, configured the server to do DHCP and DNS which is all working great.  The SonicWall is a TZ100 and the wireless is working on there great also.  If I plug a cable into the switch I get an IP, DNS and everything is correct.  I reset one of the APs to default and started over and plugged it into the same switch and when I connect to it, it doesn't give me an IP or anything.  Nothing makes sense. Nothing is conflicting...
0
 
PCableGuyCommented:
Is that bad AP remotely located? Sorry if I'm on the wrong track, but my advice assumes the AP is remotely located.

You might have a bad cable or connector. You can take a laptop to where the AP is located and use the same cable on your laptop to get a DHCP. You can also take the AP to the switch to see what happens there.

Are you using Power over Ethernet (POE) for the APs? If so, be careful don't plug the laptop onto the Ethernet cable while the POE is active. Plus the POE power supply can be bad too for that AP, assuming you are using one.
0
 
excell-tecAuthor Commented:
This issue is still not resolved.  Here is where I am at... I have about a dozen EnGenius ENH210s connected to a designated port on a SonicWall TZ105 granting only internet access with the SonicWall as the DHCP server.  Sometimes they work properly, sometimes they broadcast strong but devices cannot get on the internet.  Also, the EnGenius repeaters I bought seem to not work properly as repeaters even though they are configured as repeaters... Do I just throw all the EnGenius stuff away because SonicWall support says it's all set up correctly...? I read that this brand was good but I will tell you I am thoroughly unimpressed... Help if you can.
0
 
PCableGuyCommented:
Sorry to hear you still have issues.

Just wondering, what is the bandwidth of the WAN Connection?

Are there any other wireless APs in the area from other businesses besides your network? The reason I ask is that can cause issues.
0
 
excell-tecAuthor Commented:
50mb internet.  Yes, there are other resorts whose signals are picked up here.
0
 
PCableGuyCommented:
You can test the WAN connection with a laptop at the MDF closet by doing a bandwidth test to make sure it's still 50MB. Use sites like http://www.speedtest.net/ to get a general idea. Test it at various points inside and outside of your firewall.

General advice on wireless interference: http://searchnetworking.techtarget.com/answer/How-to-stop-channel-interference-on-80211x-wireless-access-points

I have never seen it, but wireless phones in guest rooms can cause issues, this is mentioned in the web page above.
0
 
excell-tecAuthor Commented:
I fixed it
0