What should I do when Vigor Router is getting the message “ARP Address Mismatch” in Syslog ?

When WAN interface could not work in Static or Dynamic mode, and syslog is getting the message “Arp address mismatch – Source MAC address doesn’t match ARP Sender’s MAC address”, that means the Vigor Router has regarded the ARP packet as illegal and drops it since its Ethernet source address does not match the MAC address of ARP sender. This happens when ISP responses ARP request by another device, and by default, Vigor Router will drop those ARP reply packets. In this case, Administrator should enable Vigor router to accept illegal ARP response, or it will cause Internet connection to fail.

Here comes two methods to accept illegal ARP response:


Setup on Web UI (On firmware version 3.8.8 or later)

1. Go to Firewall >> Defense Setup, then click Spoofing Defense

a screenshot of Defense setup

2. On ARP Spoofing Defense,

  1. Disable “Block ARP replies with inconsistent source MAC addresses.” to accept illegal ARP source mac reply packets.
  2. Disable “Block ARP replies with inconsistent destination MAC addresses.” to accept illegal ARP destination mac reply packets.
  3. Click OK
a screenshot of Spoofing Defense

After enabling Vigor to accept illegal ARP packet, from the packets captured between Vigor router's WAN and ISP, we can see that the Sender MAC address and the Source MAC address which responses the router's ARP request may be different.

a screenshot of packets

Telnet commend (On firmware version 3.8.7 or older)

1. Telnet into Vigor Route

2. Enter command “ip arp accept 1”, and it will return “Accept illegal ARP source mac REPLY packets.”

a screenshot of Accept illegal ARP response command

3. Reboot the router.

4. After enabling Vigor to accept illegal ARP packet, from the packets captured between Vigor router's WAN and ISP, we can see that the Sender MAC address and the Source MAC address which responses the router's ARP request may be different.

a screenshot of packets

5. To disable Vigor from accepting those packet, please enter the telnet command “ip arp accept 0”, and it will return “Drop illegal ARP source mac REPLY packets.

a screenshot of command

Similarly, the ARP reply packets will be regarded as illegal when Ethernet destination address does not match the MAC address of ARP receiver. To allow Vigor Router to accept those packets, please enter telnet command “ip arp accept 3”; and disable the feature by “ip arp accept 2”,

a screenshot of command

Published On:2020-11-04 

Was this helpful?