Same IP address but different MAC addresses
Hi all
I'm facing an issue in my network, and after a packet capture, I identified something strange.
Basically, I have a Palo Alto firewall that serves as my CORE. I have one segment for some servers and another for the users.
My user connects via SSH to a server, but after 10 to 15 seconds, they lose the connection.
In my packet capture, I observed several RST (Reset) packets coming from the same IP (server's IP). However, the MAC addresses are different from those of other servers.
Is your packet capture being done on a machine on the same LAN segment as the server or on a segment bridged to the segment the server is on?
If not, to what machines do those MAC addresses belong?
Let me try to explain:
LAN ------ FIREWALL------SERVERS - with some server 10.10.10.0/24
I'm capturing the packets from my Firewall
example Source 192.168.0.10/24 Destination 10.10.10.150/24 port 22
On my pcap I see a lot of RSTs using this source 10.10.10.150 BUT with different MAC addresses.
I checked those MAC addresses and they correspond to other servers on the same segment, like 10.10.10.60, 10.10.10.35, etc.
Are these servers in a load balancing configuration?
There appear to be two networks there, one of which is the LAN into which the firewall is connected, and the other of which is the network that the servers are on; the firewall is connected to both networks.
So those are servers on the second of the two networks I mentioned?
So you're seeing packets with the source MAC address of a server, one of whose IP addresses is 10.10.10.60, with a given source IP address, and also seeing packets with the source MAC address of another server, one of whose IP addresses is 10.10.10.35, with the same source IP address?
I can see only one IP address, 10.10.10.150, but in the layer 2 section of the packets I see a different MAC address: the MAC address of 10.10.10.60, 10.10.10.35, etc.
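An added example, not written by any poster in this thread: a Python check that groups TCP RST segments by source IP and reports every IP seen with more than one source MAC, which is the pattern described above. The IP addresses come from the thread; the MAC addresses, ports and frames are constructed, and only untagged Ethernet II carrying IPv4 is parsed.

```python
import struct
from collections import defaultdict

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample, checksums zero)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return eth + ip + tcp

def rst_sources(frames):
    """Map source IP -> set of source MACs for TCP segments with RST set."""
    seen = defaultdict(set)
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":    # IPv4 over Ethernet II only
            continue
        ihl = (f[14] & 0x0F) * 4                      # IPv4 header length in bytes
        if f[23] != 6 or len(f) < 14 + ihl + 14:      # protocol 6 = TCP
            continue
        if f[14 + ihl + 13] & 0x04:                   # RST bit in the TCP flags byte
            src_mac = ":".join(f"{b:02x}" for b in f[6:12])
            src_ip = ".".join(str(b) for b in f[26:30])
            seen[src_ip].add(src_mac)
    return seen

def conflicting(frames):
    """Source IPs whose RSTs arrived with more than one source MAC."""
    return {ip: sorted(m) for ip, m in rst_sources(frames).items() if len(m) > 1}

# Constructed sample frames: MAC addresses and ports are made up for illustration.
FW = "02:00:00:00:ff:01"
CLIENT, SERVER = "192.168.0.10", "10.10.10.150"
SAMPLE = [
    build_frame("02:00:00:00:01:50", FW, SERVER, CLIENT, 22, 50000, 0x10),  # normal ACK
    build_frame("02:00:00:00:01:50", FW, SERVER, CLIENT, 22, 50000, 0x04),  # RST
    build_frame("02:00:00:00:00:60", FW, SERVER, CLIENT, 22, 50000, 0x04),  # RST, other MAC
    build_frame("02:00:00:00:00:35", FW, SERVER, CLIENT, 22, 50000, 0x14),  # RST+ACK, other MAC
    build_frame("02:00:00:00:00:60", FW, "10.10.10.60", CLIENT, 443, 50001, 0x04),
]

if __name__ == "__main__":
    for ip, macs in conflicting(SAMPLE).items():
        print(f"{ip}: RSTs seen from {len(macs)} source MACs: {', '.join(macs)}")
```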