Solved

IP address conflict at resort even though everything is set to DHCP

Posted on 2013-06-12
Last Modified: 2013-10-12
I have a resort with 16 access points going to the firewall and all of a sudden anyone who tries to connect gets an IP address conflict and it brings down the network.  I tried statically assigning IP addresses to the access points, then dynamically, with no change.  The IP scope is outside the range of anything that is statically assigned.  I am assuming it's a guest's device that is causing the issue, but how do I troubleshoot and, even more importantly, how do I resolve the issue since anyone staying here can access the wifi?
Question by:excell-tec
62 Comments
 
LVL 4

Expert Comment

by:MrC63
ID: 39243310
A single IP conflict shouldn't bring down the entire network, it should only cause a conflict between the two devices (and some confusion on the switch potentially) -- unless the IP conflict is with the actual firewall itself.

I would suggest you start by running a discovery of all devices.  There are a number of applications that can do this for you, some are free and some have a nominal cost (under $100).  I won't make any specific recommendations, each have their own pros and cons.

Your access points should likely have static IP addresses, and you should ensure your DHCP scope excludes any and all internal devices that have statically assigned IPs.  However, rather than physically assigning a static IP, I prefer to do this with a DHCP reservation based on the device's MAC address.  The benefit is that you can actually refer to a list of all devices by viewing the reservations table, rather than recording static addresses in a separate document or spreadsheet.

Because you are a resort, it would probably be a bit difficult to pinpoint exactly where in the resort the conflict is coming from.  At this point, you may have to disconnect all A/P's from the switch, then plug them in one by one until the conflict occurs again.  This should tell you exactly which A/P the device is connecting to.  Unfortunately, with WiFi, it might be a bit labour intensive.

MrC
0
 

Author Comment

by:excell-tec
ID: 39243317
I actually did disconnect them all and I did figure out which one it is, but that doesn't tell me how to resolve it. As soon as I connect it every computer on the network gets an IP address conflict error.  There's got to be a reason and resolution because all resorts have wifi like this and I can't imagine that devices just come in and crash it.  All the things you mentioned are how you suggested to set it up.  I know it is very cut and dry but it literally kills the whole network which luckily I now have separated from the office PC's so they are no longer being affected.  Any other suggestions?
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39243327
There's a somewhat crude way of doing it.  Leave that specific A/P disconnected, and wait for calls from your guests.  Have them power off the device, bring it to your front desk, and then power it on.  If it crashes the network, you'll at least know which device is doing it.  In the meantime, none of your other guests will be impacted.  And of course, you will have to apologize to the guests who are in range of that particular A/P when it's disconnected.
0
 

Author Comment

by:excell-tec
ID: 39243330
I'll run that by the manager.  It has been going on for a couple of weeks so I have a feeling it's been multiple devices, and since they are time shares it may not be very good to upset them.  I'll let you know what happens.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39243332
Do you know what region of the resort this specific A/P covers?

You could be proactive and contact them in advance, letting them know that one or more specific devices are causing network problems for the entire resort.  Most people will understand that you're doing trouble shooting and cooperate without too much complaining.
0
 

Author Comment

by:excell-tec
ID: 39243334
Yes I do
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39243342
That is a weird problem to have as all the computers get the IP address conflict.

Can you try a different A/P, perhaps the A/P itself has gone rogue.

Did you try putting the rogue A/P on a different switch or firewall port?

Are you the WiFi provider to the resort? If not, perhaps your WiFi vendor might have some suggestions.

What hands out the IP addresses, a central Host computer or something else?
0
 

Author Comment

by:excell-tec
ID: 39243345
I installed the wifi last summer. I am their IT consultant.  It only recently started happening but I guess it might be possible that it's the access point.  I'll try a different one.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39243346
I would think that it's better to have 90% of your guests operational, and 10% off-line, than it is to have 100% of them off-line, and that's how I would describe it to the owners of the hotels we service.  Would it be hard to contact the various guests that are serviced by this A/P to give them a heads up that their Internet connection is going to be down until you can isolate the device that's causing the problem?

Depending on your switch and whether or not it has VLAN capacity, you could also isolate each A/P to its own VLAN.  This would separate every A/P to its own network.  However, then you have to get into the scenario of routing between VLAN's and the Firewall which is likely more complex than you need to get.
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39243348
Does the message tell you the conflicted IP address, can you post a screen shot?
0
 

Author Comment

by:excell-tec
ID: 39243350
Yes and in the logs it is the computers own IP.  I can't show you now, I will try to post a picture later.
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39243351
If you're lucky the other A/Ps will make up the coverage, some guests might suffer low signal though.

Ask the resort manager to keep any affected rooms vacant if possible to buy some additional troubleshooting time.
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39243375
Possible temporary band-aid: You might be able to put a router between the A/P and firewall. Give the router the IP address of the A/P so it can communicate with the gateway. Change the A/P configuration to work with the router. Tell the router to hand out IP addresses in a specific range. That way you know it cannot create a DHCP conflict.
0
 

Author Comment

by:excell-tec
ID: 39243381
I have another access point I am implementing right now.
0
 

Expert Comment

by:AdminMonkey
ID: 39243400
Are you sure there is only one DHCP server listening and responding on your network?

How long has the issue been occurring by now? How long do guests stay at the resort? One or two weeks? If it was a guest, would they likely be gone now?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39243841
What is your actual network setup?? What kit do you have (apart from clients)?
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 39244793
IP address conflict happens only when same subnet IPs are used somewhere else...

check following:

1. ensure the DHCP pool subnet is not used elsewhere
2. Check that the lease time is identical everywhere; possibly it is causing the IP conflict
3. ensure your firewall settings are not mishandled

get back
0
 

Author Comment

by:excell-tec
ID: 39245755
I think I found an access point that somehow reset to factory default, making it the same IP as the router. I have since put it back to connecting to just one firewall and taking the other router out of the equation because now devices either don't obtain an IP or they do and still cannot browse the web. I have a SonicWall firewall, Cisco switch, and EnGenius access points. Am I possibly entering the wrong DNS servers in the access points? That's the only thing I can think of. My Server 2008 does DNS and the SonicWall does DHCP. What am I missing? I set these networks up a million times... UGH
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39245991
Why not let your 2008 Server handle both DHCP and DNS.
0
 

Author Comment

by:excell-tec
ID: 39246001
Because I couldn't get it to work through the sonicwall. If you can help me figure that out maybe it would resolve the issue.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246002
Let me see if I understand this.  Your server 2008 is on the outside of the firewall?
0
 

Author Comment

by:excell-tec
ID: 39246011
AN to switch which is what the server and everything else on the network are connected to.
0
 

Author Comment

by:excell-tec
ID: 39246014
That didn't post correctly.
0
 

Author Comment

by:excell-tec
ID: 39246018
My internet connection goes into my firewall and out to a switch (LAN). Out from there it connects to my server, LAN, and access points.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246023
The DHCP services of Server 2008 will actually test to see if other DHCP services are running.  If DHCP services are running on the SonicWall, and if the server and Firewall are on the same network (based on the IP subnet), then the DHCP services will fail to start because of the presence of another DHCP server.

If you disable DHCP on the Sonicwall, you should have no problems configuring and running the DHCP server on the 2008 server.
0
 

Author Comment

by:excell-tec
ID: 39246084
So do you think that's going to fix my problem?
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246106
No, but I have another course of action that can be taken once we get the services running from the proper device.

As I understand it, you've identified that there is an Access point and the Firewall that are the conflicting devices, is that correct?
0
 

Author Comment

by:excell-tec
ID: 39246112
They are not anymore. Just to double check, since the server will do DNS and have forwarders to the ISP's DNS, the DNS I configure in the access points is only the server's IP, correct?
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246137
Yes, that is correct.  You could potentially list one of your ISP's DNS servers as the "backup" DNS server just in case your Windows server is ever offline.

On another note, and I know this is going to spark a bit of debate, I prefer to use the "root hints" option of MS DNS services rather than "forwarders".  Both are acceptable, however when using the root hints, you query the authoritative servers directly.  Although this adds a bit of time to the "round trip" of a DNS query (we're talking milliseconds), it also ensures that DNS updates are refreshed much more quickly.  Your DNS server will hold items in cache for (typically) an hour.  Who knows how long your ISP's DNS servers store their cache.  You could end up with significant delays when other websites change IP addresses.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246141
Are you saying that the A/P and the Firewall now have different  (static) IP addresses -- yet you continue to have problems when the A/P is attached to the network?
0
 

Author Comment

by:excell-tec
ID: 39246152
Yes, but the issue is no longer IP conflicts. Devices either don't obtain an IP and can't connect or even if they do connect and obtain an IP they can't get to a web page. It's fricken weird man. It's like there's a ghost in the system...
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246162
Does this only occur with this particular A/P connected, or does it occur even when it is disconnected?
0
 

Author Comment

by:excell-tec
ID: 39246176
It's not with just that one connected. If I connect them one at a time then try connecting, it usually works for a little bit and then after a few minutes it's like everything dies...
0
 

Author Comment

by:excell-tec
ID: 39246179
I have all repeaters and bridges in other buildings turned off also. All I have are wired access points, which is why it makes no sense why it's not working.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246185
Ok, now I'm starting to form a hypothesis.

I'm beginning to think that your DHCP scope on the Sonicwall is not properly excluding various addresses that are either static, or absolutely required by your network.  At some point, you're running into additional overlap of IP addresses.

I would really like to see you get your DHCP services onto the 2008 server.  I can give you a lot more guidance about setting up the scope, reservations and static addresses from there -- and ultimately that's what your server should be doing, not the firewall.
0
 

Author Comment

by:excell-tec
ID: 39246203
Ok, I will be doing this all on Monday. My scope on the firewall is 10.16.0.150-10.16.0.254. All printers are 10.16.0.30-10.16.0.40. Access points and repeaters are 10.16.0.11-10.16.0.29. Server is 10.16.0.22. Firewall is 10.16.0.1. Unless I'm missing something I don't see a problem and shouldn't need reservations. I am going to set it up on the server but use forwarders because that's what I am more used to and I'll set it all up the same way.
0
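The address plan in the comment above can be checked mechanically against what is actually on the wire. The following is an added example, not part of the original thread: it flags an IP claimed by two MACs, a device sitting inside the DHCP scope without a lease, and a static device outside every documented range. The function names, MAC addresses, leases and observations are constructed for illustration; only the ranges come from the thread.

```python
import ipaddress
from collections import defaultdict

# Address plan as stated in the thread.
DHCP_SCOPE = ("10.16.0.150", "10.16.0.254")
STATIC_RANGES = {
    "access points/repeaters": ("10.16.0.11", "10.16.0.29"),
    "printers": ("10.16.0.30", "10.16.0.40"),
}
STATIC_HOSTS = {"10.16.0.1": "firewall", "10.16.0.22": "server"}

# Constructed sample data (assumption, not taken from the thread).
SAMPLE_LEASES = {"10.16.0.150": "aa:aa:aa:00:00:01", "10.16.0.151": "aa:aa:aa:00:00:02"}
SAMPLE_OBSERVATIONS = [  # (ip, mac) pairs, e.g. collected from an ARP scan
    ("10.16.0.1", "00:11:22:00:00:01"),    # firewall
    ("10.16.0.1", "00:11:22:00:00:99"),    # second device answering for the firewall's IP
    ("10.16.0.22", "00:11:22:00:00:16"),   # server
    ("10.16.0.12", "00:11:22:00:00:0c"),   # access point
    ("10.16.0.150", "aa:aa:aa:00:00:01"),  # guest holding a matching lease
    ("10.16.0.151", "aa:aa:aa:00:00:02"),  # guest holding a matching lease
    ("10.16.0.200", "00:11:22:00:00:c8"),  # static address set inside the scope
    ("10.16.0.60", "00:11:22:00:00:3c"),   # undocumented static device
]


def in_range(ip, bounds):
    lo, hi = (ipaddress.ip_address(b) for b in bounds)
    return lo <= ipaddress.ip_address(ip) <= hi


def plan_overlaps():
    """Static hosts whose address falls inside a range set aside for other devices."""
    return [(ip, name, label)
            for ip, name in STATIC_HOSTS.items()
            for label, bounds in STATIC_RANGES.items()
            if in_range(ip, bounds)]


def audit(observations, leases):
    """Compare observed (ip, mac) pairs with the plan and the DHCP lease table.

    Returns (ip, finding) tuples sorted by address."""
    macs_by_ip = defaultdict(set)
    for ip, mac in observations:
        macs_by_ip[ip].add(mac.lower())

    findings = []
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append((ip, "duplicate: claimed by " + ", ".join(sorted(macs))))
        if in_range(ip, DHCP_SCOPE):
            leased = leases.get(ip, "").lower()
            for mac in sorted(macs - {leased}):
                findings.append((ip, f"in DHCP scope without a lease: {mac}"))
        elif ip not in STATIC_HOSTS and not any(
                in_range(ip, b) for b in STATIC_RANGES.values()):
            findings.append((ip, "static address outside every documented range"))
    return sorted(findings, key=lambda f: (ipaddress.ip_address(f[0]), f[1]))


if __name__ == "__main__":
    for row in plan_overlaps():
        print("plan overlap:", row)
    for ip, finding in audit(SAMPLE_OBSERVATIONS, SAMPLE_LEASES):
        print(ip, finding)
```
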
 
LVL 4

Expert Comment

by:MrC63
ID: 39246213
I assume you're referring to DNS when you talk about continuing to use forwarders  (I'm just trying to keep the specific issues separate)?  If my assumption is correct, I'm fine with that.  As I said, neither is absolutely right or wrong.  The root hints option simply allows the cache to be updated more accurately and efficiently, but both options work just fine.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246221
What kind of switch are you using, and is it a "managed" switch?  If it is, it probably has its own IP address.  

Here's a further hypothesis.  When we install one or more managed switches (that requires their own IP addresses) we usually put them at the opposite end of the network range from the firewall, i.e. if the firewall is xx.xx.xx.1, then we put the first switch at xx.xx.xx.254, the second switch at .253, etc.

I would guess your switch is a managed switch. I'm also guessing that it's been assigned a static address of .254.  This address now exists within your DHCP scope, and as soon as 100-odd devices attach to the network, you now have a conflict with your switch's IP address, which then brings the whole system down after a short period of time.

Does this seem like a possibility to you?
0
 

Author Comment

by:excell-tec
ID: 39246230
It is an unmanaged switch.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246243
I like what you've done in terms of identifying specific ranges for your various device styles (printers in one range, A/P's in another).  It seems a bit unusual however that your server would be assigned into a range where non-related devices exist.

Based on the "ranges" you've identified for specific devices, it appears that your server is located in the same range as the Access points.  Would it be difficult for you to reassign the server's static IP address to something like 10.16.0.5, and keep it completely isolated from the ranges you've assigned for other devices?
0
 

Author Comment

by:excell-tec
ID: 39246253
Actually I can't because that's the IP of the old one and the software they run is RDS application and has to stay that which is why I had no choice but to do it that way.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246257
The first reason I like DHCP reservations is because it allows me to quickly see, at a glance, all of the devices on the network.  Essentially, it's a quick and easy 'inventory' method.

Reservations also absolutely ensure that there is never an IP conflict, regardless of the IP address that is assigned to the reservation.  Even if I assigned a reservation to a device that would normally be part of the assignable DHCP scope, the reservation ensures that the IP address I've reserved for this device is never assigned to another device.
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39246259
Hmmm.....just wondering

Access points and repeaters are 10.16.0.11-10.16.0.29
Server is 10.16.0.22

So, the Access points and repeaters are skipping the .22 - right?
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246260
If you can't assign it to .5, you should still be able to assign it to .6, or .7 -- or something that would get it out of the range you normally assign to other, dissimilar devices.
0
 
LVL 4

Expert Comment

by:MrC63
ID: 39246270
@PCableguy, that's exactly what I was wondering which is why I suggested moving the server IP address away from that block of addresses.
0
 

Author Comment

by:excell-tec
ID: 39246275
It does skip 22 and like I say their software vendor would not want me to change it.
0
 

Author Comment

by:excell-tec
ID: 39246280
I could change the IPs of the access points and just lessen the DHCP scope. It's a little overkill in size right now.
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39246329
Is there a lot of network traffic when it dies, or does it die to the point of no network traffic?

The reason I ask is I once saw a hotel network come to a grinding halt because one room/PC on the network was hogging all the bandwidth, but a visual inspection of the MDF closet switch ports showed one port with lights blinking very rapidly.
0
 

Author Comment

by:excell-tec
ID: 39246333
It's possible it's one device because as soon as I power them up 50 things connect to it. I have no idea of determining what it is though...
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39246335
In our case we had the ability to limit the bandwidth per user, so we didn't need to find the culprit, we capped the bandwidth per user.
0
 

Author Comment

by:excell-tec
ID: 39246340
How do you do that when there is nothing for them to log onto?
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39246364
We used Nomadix gateways to manage our networks. All the Internet traffic passed through it, it was also the DHCP server. In our case, the users would log onto a splash page that was on the Nomadix, the Nomadix would authenticate, then the user can access the Internet.

http://www.nomadix.com/pdfs/Products/Platforms/AG%202400%20Datasheet.pdf

Perhaps you can accomplish something similar with your Windows 2008 server.
0
 

Author Comment

by:excell-tec
ID: 39246369
How much does it cost and does it use a lot of the server's resources?
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39246397
Sorry :-(, I was not the administrator, just the troubleshooter, cannot answer any cost or configuration questions.

Perhaps someone else is reading this and can offer some advice on Internet gateway and management options.

What's the model number of the Sonic firewall?
0
 

Author Comment

by:excell-tec
ID: 39260403
Ok, I installed a new switch, configured the server to do DHCP and DNS, which is all working great.  The SonicWall is a TZ100 and the wireless is working on there great also.  If I plug a cable into the switch I get an IP, DNS and everything is correct.  I reset one of the APs to default and started over and plugged it into the same switch, and when I connect to it it doesn't give me an IP or anything.  Nothing makes sense. Nothing is conflicting...
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39261398
Is that bad AP remotely located? Sorry if I'm on the wrong track, but my advice assumes the AP is remotely located.

You might have a bad cable or connector. You can take a laptop to where the AP is located and use the same cable on your laptop to get a DHCP. You can also take the AP to the switch to see what happens there.

Are you using Power over Ethernet (POE) for the APs? If so, be careful don't plug the laptop onto the Ethernet cable while the POE is active. Plus the POE power supply can be bad too for that AP, assuming you are using one.
0
 

Author Comment

by:excell-tec
ID: 39296338
This issue is still not resolved.  Here is where I am at... I have about a dozen EnGenius ENH210s connected to a designated port on a SonicWall TZ105 granting only internet access with the SonicWall as the DHCP server.  Sometimes they work properly, sometimes they broadcast strong but devices cannot get on the internet.  Also, the EnGenius repeaters I bought seem to not work properly as repeaters even though they are configured as repeaters... Do I just throw all the EnGenius stuff away because SonicWall support says it's all set up correctly...? I read that this brand was good but I will tell you I am thoroughly unimpressed... Help if you can.
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39298804
Sorry to hear you still have issues.

Just wondering, what is the bandwidth of the WAN Connection?

Are there any other wireless APs in the area from other businesses besides your network? The reason I ask is that can cause issues.
0
 

Author Comment

by:excell-tec
ID: 39309816
50mb internet.  Yes there are other resorts whose signals are picked up here.
0
 
LVL 12

Expert Comment

by:PCableGuy
ID: 39319528
You can test the WAN connection with a laptop at the MDF closet by doing a bandwidth test to make sure it's still 50MB. Use sites like http://www.speedtest.net/ to get a general idea. Test it at various points inside and outside of your firewall.

General advice on wireless interference: http://searchnetworking.techtarget.com/answer/How-to-stop-channel-interference-on-80211x-wireless-access-points

I have never seen it, but wireless phones in guest rooms can cause issues, this is mentioned in the web page above.
0
 

Accepted Solution

by:
excell-tec earned 0 total points
ID: 39553198
Their camera system was conflicting and I was not made aware it existed until now.
0
 

Author Closing Comment

by:excell-tec
ID: 39567855
I fixed it
0
