Any idea what DTL-1-ARP_POISON_DETECTED means?

Unanswered Question
Jun 21st, 2007
User Badges:

Recently upgraded a remote 1231-AG AP to run in LWAPP mode. The controller talks to the AP; AP's running in Local mode since it doesn't support REAP or HREAP. Remote clients are not getting IP addresses.

It's my understanding... since the AP is running in Local mode, the DHCP server must reside where the WLC is located. I enabled DHCP server on the WLC.

When I had a remote client try authenticating, I see the following in the message logs:

Jun 21 11:00:29.746 dtl_net.c:1191 DTL-1-ARP_POISON_DETECTED: STA [00:13:ce:e3:40:6c,] ARP (op 1) received with invalid SPA

Anyone see this error before?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
scottmac Thu, 06/21/2007 - 15:38
User Badges:
  • Green, 3000 points or more

Nope, I sure haven't. However, ARP poisoning is one method of establishing a man-in-the-middle attack.

Basically the attacking machine convinces both sides that the MAC of the attacking machine is the Client / AP/Server that the other is trying to communicate with. It does this by "poisoning" the ARP cache with the attacker's MAC.

So that's (likely) the "poison" reference.

The 169.254 addresses are provided by (at least) Microsoft when DHCP fails.

Check to see if the client you were using has a wireless MAC of 00:13:ce:e3:40:6c (STA = Station), STA [00:13:ce:e3:40:6c,] = MAC and current IP address of that station.

SPA = Single Packet Authentication - Here's a link for a Google search, pick a link or two that you trust and read all about it.,GWYA:2005-06,GWYA:en&q=secure+packet+authorization

Sorry I don't have a specific answer, but perhaps (given that you know exactly what the setup was/is), you can piece something together.

Good Luck



This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode