New Member

Identity NAT issues with Server 2008

Has anyone out there had issues using Identity NAT and Windows Server 2008? We have a client that recently upgraded their Windows 2k3 server to 2008, and started getting "Duplicate IP" messages on their 2008 boxes. Through some testing we were also able to reproduce the issue with Windows 7, but not XP.

We got rid of the ID NAT, and added the communication to our NAT exemption ACL and the problem went away.

This has happened at 2 different client sites, but neither gave us enough time to really dig into why this was happening.

I suspect it has something to do with GARP and how the new MS platforms interpret it, but that's really a guess.  I'm not very strong on the MS side.

New Member

Re: Identity NAT issues with Server 2008

The only time I have seen this type of issue with the scenario you are describing is when steps were skipped in the upgrade/migration of servers.

There are 4 primary reasons for this problem.

1) DNS/AD was not properly prepped.

LOOK FOR = duplicate device by name/ip

SOLUTION = Resolve the conflict on the system by changing the name/ip or update DNS/AD

2) Hardware Re-used

LOOK FOR = duplicate mac/ip

SOLUTION = remove bad cache or introduce new hardware

3) TCP/IP stack has problems.

LOOK FOR = improper TCP/IP behavior

SOLUTION = run the command (netsh int ip reset reset.txt)

4) Proxy ARP Cache

LOOK FOR = {EDIT} someone is broadcasting (like a Cisco PIX or ASA) for ARP.

SOLUTION = turn off gratuitous ARP by setting the value of the ARPRetryCount to 0.

Based on information already provided and without any additional troubleshooting, do the following.

1) reset tcp/ip stack (problem 3)

2) check for duplicate MAC addresses (problem 2)

3) turn off gratuitous arp (problem 4)

4) resolve dns/ad issues (problem 1)

The only exception would be if I knew starting off that DNS/AD was never properly prepped; I might look at it sooner.


If I were to place money on a problem, I would pick problem 4 as the most likely.

To save you some confusion, here are the steps to do number 4:

1.  Click Start, type regedit in the Start Search box, and then press ENTER.

2.  Locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3.  On the Edit menu, point to New, and then click DWORD Value.

4.  Type ArpRetryCount.

5.  Right-click the ArpRetryCount registry entry, and then click Modify.

6.  In the Value data box, type 0, and then click OK.

7.  Exit Registry Editor.

7.  Exit Registry Editor. 
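The regedit steps above can also be scripted so the change is recorded and repeatable across several servers. The following PowerShell is an added example, not part of the original reply; the function name `Set-ArpRetryCount` is hypothetical, and the key path, value name and value 0 are the ones given in the steps. It assumes an elevated PowerShell session.

```powershell
# Added example (not from the original post): scripted form of regedit steps 1-7.
# Set-ArpRetryCount is a hypothetical helper name chosen for this illustration.
function Set-ArpRetryCount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$DesiredValue = 0   # 0 is the value the reply says to enter in step 6
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $name = 'ArpRetryCount'

    # Record the current state first so the change can be reverted later.
    $current = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        Write-Output "$name is not present under $key."
    } else {
        Write-Output "$name is currently $($current.$name)."
        if ($current.$name -eq $DesiredValue) {
            Write-Output 'No change needed.'
            return
        }
    }

    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $DesiredValue")) {
        # -PropertyType DWord matches step 3; -Force overwrites an existing value.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $DesiredValue -Force | Out-Null

        # Read the value back rather than trusting the write.
        $verify = (Get-ItemProperty -Path $key -Name $name).$name
        if ($verify -ne $DesiredValue) {
            throw "Verification failed: $name is $verify, expected $DesiredValue."
        }
        Write-Output "$name set to $verify."
    }
}

# Dry run: reports the current value and what would change, writes nothing.
# Remove -WhatIf to apply the change.
Set-ArpRetryCount -WhatIf
```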

