
Any idea what DTL-1-ARP_POISON_DETECTED means?

CSCO10203269
Level 1

Recently upgraded a remote 1231-AG AP to run in LWAPP mode. The controller talks to the AP; AP's running in Local mode since it doesn't support REAP or HREAP. Remote clients are not getting IP addresses.

It's my understanding... since the AP is running in Local mode, the DHCP server must reside where the WLC is located. I enabled DHCP server on the WLC.

When I had a remote client try authenticating, I see the following in the message logs:

Jun 21 11:00:29.746 dtl_net.c:1191 DTL-1-ARP_POISON_DETECTED: STA [00:13:ce:e3:40:6c, 0.0.0.0] ARP (op 1) received with invalid SPA 169.254.208.65/TPA 169.254.208.65

Anyone see this error before?

1 Reply

scottmac
Level 10

Nope, I sure haven't. However, ARP poisoning is one method of establishing a man-in-the-middle attack.

Basically the attacking machine convinces both sides that the MAC of the attacking machine is the Client / AP / Server that the other is trying to communicate with. It does this by "poisoning" the ARP cache with the attacker's MAC.

So that's (likely) the "poison" reference.

The 169.254 addresses are provided by (at least) Microsoft when DHCP fails.

Check to see if the client you were using has a wireless MAC of 00:13:ce:e3:40:6c (STA = Station), STA [00:13:ce:e3:40:6c, 0.0.0.0] = MAC and current IP address of that station.

SPA = Single Packet Authentication - Here's a link for a Google search, pick a link or two that you trust and read all about it.

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GWYA,GWYA:2005-06,GWYA:en&q=secure+packet+authorization

Sorry I don't have a specific answer, but perhaps (given that you know exactly what the setup was/is), you can piece something together.

Good Luck

Scott
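
A small triage helper for the log line quoted in the question, added here as an example (it is not part of either post and is not Cisco code). The regex follows the field layout of that one line; the verdict names, the heuristic and the second sample line are constructed assumptions.

```python
import ipaddress
import re

# Field layout taken from the single log line quoted in the question.
LINE_RE = re.compile(
    r"DTL-1-ARP_POISON_DETECTED: STA \[(?P<mac>[0-9a-fA-F:]{17}), (?P<sta_ip>[\d.]+)\] "
    r"ARP \(op (?P<op>\d+)\) received with invalid "
    r"SPA (?P<spa>[\d.]+)/TPA (?P<tpa>[\d.]+)"
)

def triage(line):
    """Parse one log line; return fields plus heuristic flags, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        sta_ip = ipaddress.ip_address(m["sta_ip"])
        spa = ipaddress.ip_address(m["spa"])
        tpa = ipaddress.ip_address(m["tpa"])
    except ValueError:  # e.g. an octet above 255
        return None
    result = {
        "mac": m["mac"].lower(),
        "arp_op": int(m["op"]),                 # ARP opcode 1 = request, 2 = reply
        # In the ARP header, SPA/TPA are the sender/target protocol address fields.
        "sta_ip_unset": sta_ip.is_unspecified,  # station recorded as 0.0.0.0
        "spa_link_local": spa.is_link_local,    # 169.254.0.0/16, self-assigned
        "self_arp": spa == tpa,                 # host ARPing for its own address
    }
    # Heuristic (assumption): a station with no recorded address that ARPs from a
    # self-assigned address points at a DHCP failure; anything else needs a look.
    if result["sta_ip_unset"] and result["spa_link_local"]:
        result["verdict"] = "dhcp-failure-likely"
    else:
        result["verdict"] = "investigate"
    return result

SAMPLE = [
    # Line quoted in the question.
    "Jun 21 11:00:29.746 dtl_net.c:1191 DTL-1-ARP_POISON_DETECTED: STA "
    "[00:13:ce:e3:40:6c, 0.0.0.0] ARP (op 1) received with invalid "
    "SPA 169.254.208.65/TPA 169.254.208.65",
    # Constructed line (documentation MAC and IP ranges) for contrast.
    "Jun 21 11:05:02.101 dtl_net.c:1191 DTL-1-ARP_POISON_DETECTED: STA "
    "[00:00:5e:00:53:01, 192.0.2.15] ARP (op 2) received with invalid "
    "SPA 192.0.2.1/TPA 192.0.2.15",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```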
