it_medcomp asked:

IP conflict- how to determine what Cisco device is responding?

I have a remote site with no local tech support. The gateway is a Fortigate firewall. Recently, when trying to sign in to edit firewall rules, I have started getting a logon prompt describing level 15 access and referencing an IOS certificate that cannot be verified. Sometimes it allows the HTTPS Fortinet web page login, and sometimes it produces the logon box - obviously a Cisco device.

I have tried using an IP scanner but it doesn't allow me to browse that IP (Advanced IP Scanner has a dropdown that allows you to see available resources at an IP, such as web pages and FTP sites), and I have not been able to connect via SSH (the only shell option I have is within the Fortigate web administration, and I can't get the page to load reliably for obvious reasons). This site is 3/4 of the way across the country so traveling there is out of the question. I cannot just re-IP the Fortigate for two reasons: I can't get it to save changes, and I can't take down the plant's production gateway from across the country without any kind of guarantee that I'll be able to rescue the device or limit downtime.

My goal is to identify the Cisco device, possibly by obtaining the serial number so I can find out who owns it and have them correct its IP address. I'll welcome any advice as to how to get to that point... Anyone? I appreciate your help.
masnrock

You could use a tool such as nmap. But also, what has changed in recent times? Also, have you tried contacting the ISP? There's the possible oddball scenario of a double-assigned IP address.

Are you able to connect to any other systems at that site?
it_medcomp (ASKER)

How can nmap help? I'm not terribly familiar with the syntax. It is some sort of conflict for sure - I think there is a Cisco device that was given the same IP address as the existing firewall. I do want to contact the ISP, but I have 3 ISPs at the site and need a serial number or other unique identifier so I know which ISP and which device to contact them about. The address is in our internal 192.168.x.x space, and I can get to switches on the network, but doing a show cdp neighbor doesn't reveal any info about the device.
Andy Bartkiewicz

Are you able to remote into a computer at your remote location? If so, once you are connected to a machine on the same subnet as your mystery device, ping the IP address in question. Then, from the command line, type arp -a. That should give you the MAC address for the mystery device. From there you should be able to track down what switch port it's attached to.
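
The ARP check suggested above, as an added example that is not part of the original answer: a Python script that parses Windows `arp -a` output saved from several hosts on the subnet and reports any IP address seen with more than one MAC, plus any MAC answering for more than one IP. The host names, IP addresses and MAC addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: Windows `arp -a` output from two hosts on one subnet.
ARP_OUTPUTS = {
    "plant-pc-01": """
Interface: 192.168.10.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          02-00-5e-10-00-11     dynamic
  192.168.10.2          02-00-5e-10-00-11     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
""",
    "plant-pc-02": """
Interface: 192.168.10.51 --- 0xc
  Internet Address      Physical Address      Type
  192.168.10.1          02-00-5e-10-00-c1     dynamic
  192.168.10.20         02-00-5e-10-00-20     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
""",
}

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+", re.I)

def parse_arp(text):
    """Yield (ip, mac) for unicast entries in Windows `arp -a` output."""
    for line in text.splitlines():
        m = ROW.match(line)
        # Skip non-table lines and broadcast/multicast MACs (group bit set).
        if m and not int(m.group(2)[:2], 16) & 1:
            yield m.group(1), m.group(2).lower()

def find_conflicts(outputs):
    """Return ({ip: {mac: [hosts]}} for IPs seen with more than one MAC,
    {mac: [ips]} for MACs on several IPs (can be legitimate, e.g. a router))."""
    by_ip = defaultdict(lambda: defaultdict(list))
    by_mac = defaultdict(set)
    for host, text in outputs.items():
        for ip, mac in parse_arp(text):
            by_ip[ip][mac].append(host)
            by_mac[mac].add(ip)
    dup_ips = {ip: dict(m) for ip, m in by_ip.items() if len(m) > 1}
    multi = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return dup_ips, multi

if __name__ == "__main__":
    dup_ips, multi = find_conflicts(ARP_OUTPUTS)
    for ip, macs in dup_ips.items():
        print(ip, "is claimed by more than one MAC:", macs)
    print("MACs answering for several IPs:", multi)
```

The first three octets of each reported MAC are the vendor OUI, which can be looked up to confirm which manufacturer's device is answering before tracing the MAC to a switch port.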
I cannot get into the interface to the Fortigate now - before I could get in to the web interface, but I can't manipulate the device at all now. The unknown device takes over and I can't get into it either... so I tried the arp method and came up with some interesting results. Located at the gateway address, the on-site computer returned a MAC address ending in 11 from the arp -a command. From an offsite computer the arp -a command returned a MAC address ending in C1. There are two switches on site, and show mac-address returned the C1 address on Port 1 on the switch where the Fortigate is plugged in... The other MAC address does not show up on the switch tables but arp -a shows that 11 MAC address associated with the gateway IP and also with the next sequential IP address. One of them pops up the login prompt for the Fortigate which is an HTTPS page with a certificate warning that produces the login dialog box for the Cisco... and the other address is an IIS page for one of our servers. I have all this information now, but what can I do to determine the Cisco's serial number?
Thanks!
We were finally able to reconfigure the device. We changed the gateway device's IP then repointed DHCP to that address. We still cannot access the mystery device, but we have identified the ISP and are getting it resolved now. Thanks for the help everyone!
Thanks for the help!