Reserved IP address taken by unknown device

Hello All,

I have an odd issue, recently I moved all printers from a Windows server 2008 VM to a physical 2008 R2 server with Print management role installed. It all went smoothly except for one of the Multifunction printers which has decided not to print.

The strange thing I found is that I can ping the IP Address of the MFP when the LAN cable is out leading me to believe that another device has taken this IP. Strange thing is that this is a reserved address on our DHCP server. The MFP will print after I pull out and replace the power cable for 5 minutes then it will stop printing again shortly after, I have 2 of of these devices which are Olivetti MF250 Colour MFPs, the other one works fine and I can access the the web interface with no problem.

I have run every command I can think of to find out which host has this IP address, nbtstat -A <ipaddress>, NSLOOKUP <ipaddress> even tried traceroute. Our spice works can find it either. It's driving me nuts. This particular IP address is configured on the device so it must have this IP so I can't simply change it.

so in nut shell......

Moved printer from a VM, the MFP worked before then
Its now on a Physical box, 2008 R2 print server
I can ping the IP address and get a response when LAN cable is out
CMDs have  been no help.

If any one has any ideas I'd appreciate the help


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
Few things you can do are...
- unplug your device that you use run a ping -a <ip> (this will give you the FQDN or try and resolve the netbios name, which might help in determining it).

If no netbios name is returned it might be a network appliance, from my personal experience they do not like to return status unless they are configured to.

You could also check DNS Manager and see what IP has been registered with the same IP you are using.

Even though you are using a reservation someone still could mistakenly add a static address of the IP you are using to a network device.

Similar issue happened to me once. Here was what worked for me.
Unplug the printer and ping the ip to find out what is the mac address of the device responding. Do an oui search, to have a good guess on the type of device holding the researved ip.

For me it was a new cisco switch that a fello colleague connected unknowingly, which took reserved ip of a workstation running some special software.

I did "sh mac-" and "sh arp"  to trace the mac until i found the port connecting the device.

There must be smarter ways, it was my manual effors.
gam1002Author Commented:
Hi will,

Thanks for your response, I have tried all those things. What we have here is a ghost of sorts.

Nothing shows up in DNS manager or DHCP manager other than the reserved IP details. I have just turned off all Printers and PCs in the company and still I get a response from ping. I've removed the reservation and re added it with no luck, these lease list only shows one count and if delete it from the lease list which in-turn deletes the reservation itself, and I can still Ping it.

The IP address is, I can ping this no matter what, but nothing I do tells me what is using it. I've used all cmd lines relevant. I've also released the DNS cache too.

Nslookup says domain is non-existent for this IP

Another thing I should mention is that i have just moved our Trend Antivirus software to the same physical server, I don't think this is causing the issue as the other exact same MFP is working. I've checked all network cards and they are all automatically assigned by DHCP.

Very Confusing.

JavaScript Best Practices

Save hours in development time and avoid common mistakes by learning the best practices to use for JavaScript.

bbaoIT ConsultantCommented:
> I can ping the IP address and get a response when LAN cable is out

that does mean another host is using the given IP address.

if there is only one subnet and all hosts are in the same subnet, you may use Miftaul's suggestion to find out the hiding device.

another way is to check your DHCP manager to see which host is using the IP.
Did you try within your switch fablic, which port is that particular ip sourcing from. That way we could narrow down the possiblity.

If we could find the port, we can then concentrete on the device connecting to that port to check whats going on.
On your Cisco switch you can find the port by:

sh arp | include [ip address]


sh mac address-table | include [mac address]

this should return the switch port that the device is connected on. Any documenation on the switch ports should be able to trace back to device, room number, etc.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Martin AndersonSystem AdminCommented:
the fact that you should down all the devices and still able to ping sounds like a network appliance, switch, hub,
Markc56 suggestion should work.
gam1002Author Commented:
Thanks for your help, weirdest issue I've ever had.
What device was taking the ip. Was that any network device.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.