Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Any idea what DTL-1-ARP_POISON_DETECTED means?

Recently upgraded a remote 1231-AG AP to run in LWAPP mode. The controller talks to the AP; AP's running in Local mode since it doesn't support REAP or HREAP. Remote clients are not getting IP addresses.

It's my understanding... since the AP is running in Local mode, the DHCP server must reside where the WLC is located. I enabled DHCP server on the WLC.

When I had a remote client try authenticating, I see the following in the message logs:

Jun 21 11:00:29.746 dtl_net.c:1191 DTL-1-ARP_POISON_DETECTED: STA [00:13:ce:e3:40:6c, 0.0.0.0] ARP (op 1) received with invalid SPA 169.254.208.65/TPA 169.254.208.65

Anyone see this error before?

1 REPLY
Green

Re: Any idea what DTL-1-ARP_POISON_DETECTED means?

Nope, I sure haven't. However, ARP poisoning is one method of establishing a man-in-the-middle attack.

Basically the attacking machine convinces both sides that the MAC of the attacking machine is the Client / AP/Server that the other is trying to communicate with. It does this by "poisoning" the ARP cache with the attacker's MAC.

So that's (likely) the "poison" reference.

The 169.254 addresses are provided by (at least) Microsoft when DHCP fails.

Check to see if the client you were using has a wireless MAC of 00:13:ce:e3:40:6c (STA = Station), STA [00:13:ce:e3:40:6c, 0.0.0.0] = MAC and current IP address of that station.

SPA = Single Packet Authentication - Here's a link for a Google search, pick a link or two that you trust and read all about it.

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GWYA,GWYA:2005-06,GWYA:en&q=secure+packet+authorization

Sorry I don't have a specific answer, but perhaps (given that you know exactly what the setup was/is), you can piece something together.

Good Luck

Scott

2457
Views
0
Helpful
1
Replies
CreatePlease to create content