Same IP address but different MAC addresses

asked 2023-10-27 19:21:48 +0000

xLucasDR

updated 2023-10-27 19:29:18 +0000

Guy Harris

Hi all

"I'm facing an issue in my network, and after a packet capture, I identified something strange.

Basically, I have a Palo Alto firewall that serves as my CORE. I have one segment for some servers and another for the users.

My user connects via SSH to a server, but after 10 to 15 seconds, they lose the connection.

In my packet capture, I observed several RST (Reset) packets coming from the same IP (server's IP). However, the MAC addresses are different from those of other servers."


Comments

Is your packet capture being done on a machine on the same LAN segment as the server or on a segment bridged to the segment the server is on?

If not, to what machines do those MAC addresses belong?

Guy Harris ( 2023-10-27 19:31:51 +0000 )

Let me try to explain:

LAN ------ FIREWALL------SERVERS - with some server 10.10.10.0/24

I'm capturing the packets from my Firewall

example Source 192.168.0.10/24 Destination 10.10.10.150/24 port 22

On my pcap I see a lot of RSTs using this source 10.10.10.150 BUT with different mac addresses

I checked those mac addresses and they correspond for other servers on the same segment like 10.10.10.60, 10.10.10.35, etc

xLucasDR ( 2023-10-27 20:19:50 +0000 )

Are these servers in a load balancing configuration?

Jaap ( 2023-10-27 20:45:12 +0000 )

LAN ------ FIREWALL------SERVERS

There appear to be two networks there, one of which is the LAN into which the firewall is connected, and the other of which is the network that the servers are on; the firewall is connected to both networks.

I checked those mac addresses and they correspond for other servers on the same segment like 10.10.10.60, 10.10.10.35, etc

So those are servers on the second of the two networks I mentioned?

So you're seeing packets with the source MAC address of a server, one of whose IP addresses is 10.10.10.60, with a given source IP address, and also seeing packets with the source MAC address of another server, one of whose IP addresses is 10.10.10.35, with the same source IP address?

Guy Harris ( 2023-10-27 20:59:23 +0000 )

I can see only one IP Address 10.10.10.150, but on the layer 2 section of the packets I see a different MAC address, mac address from 10.10.10.60, 10.10.10.35, etc

xLucasDR ( 2023-10-28 02:40:37 +0000 )
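
Added example, not posted by anyone in this thread: one way to tabulate what the capture shows is to list, for every source IP, the source MAC addresses it was seen with and how many RST frames each MAC sent. The frames below are constructed sample data; the IP addresses follow the thread, while the MAC values and the helper names (`parse_tcp`, `macs_per_source_ip`, `build`) are made up for illustration.

```python
import struct
from collections import defaultdict

def parse_tcp(frame):
    """Return (src_ip, src_mac, is_rst) for an untagged Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # IPv4 only, no VLAN tag
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:  # version, header len, proto=TCP
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 14:                             # need the TCP flags byte
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ".".join(str(b) for b in frame[26:30])
    return src_ip, src_mac, bool(frame[tcp + 13] & 0x04)   # 0x04 = RST

def macs_per_source_ip(frames):
    """Map each source IP seen with more than one source MAC to {mac: RST count}."""
    seen = defaultdict(lambda: defaultdict(int))
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed:
            ip, mac, is_rst = parsed
            seen[ip][mac] += int(is_rst)
    return {ip: dict(m) for ip, m in seen.items() if len(m) > 1}

def build(src_mac, src_ip, flags, dst_ip="192.168.0.10"):
    """Constructed test frame: Ethernet + 20-byte IPv4 + 20-byte TCP, checksums left 0."""
    eth = bytes.fromhex("02000000fe01" + src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + struct.pack("!HHIIBBHHH", 22, 50000, 0, 0, 0x50, flags, 0, 0, 0)

# Constructed sample: IPs follow the thread, MAC values are made up.
SAMPLE = [
    build("02:00:00:00:00:96", "10.10.10.150", 0x18),  # PSH+ACK, MAC assumed to be .150's own
    build("02:00:00:00:00:3c", "10.10.10.150", 0x04),  # RST, MAC assumed to belong to .60
    build("02:00:00:00:00:23", "10.10.10.150", 0x04),  # RST, MAC assumed to belong to .35
    build("02:00:00:00:00:3c", "10.10.10.60", 0x10),   # ACK, .60 with its own MAC
]

if __name__ == "__main__":
    for ip, macs in macs_per_source_ip(SAMPLE).items():
        for mac, rsts in macs.items():
            print(f"{ip} via {mac}: {rsts} RST frame(s)")
```

The result only means something for frames captured on the servers' own segment; on the far side of a routed hop the source MAC is the router's, which is what the first comment's question is getting at.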