What should I do when Vigor Router is getting the message “ARP Address Mismatch” in Syslog ?

When WAN interface could not work in Static or Dynamic mode, and syslog is getting the message “Arp address mismatch – Source MAC address doesn’t match ARP Sender’s MAC address”, that means the Vigor Router has regarded the ARP packet as illegal and drops it since its Ethernet source address does not match the MAC address of ARP sender. This happens when ISP responses ARP request by another device, and by default, Vigor Router will drop those ARP reply packets. In this case, Administrator should enable Vigor router to accept illegal ARP response, or it will cause Internet connection to fail.

Here comes two methods to accept illegal ARP response:

Setup on Web UI (On firmware version 3.8.8 or later)
Telnet commend (On firmware version 3.8.7 or older)

Setup on Web UI (On firmware version 3.8.8 or later)

1. Go to Firewall >> Defense Setup, then click Spoofing Defense

2. On ARP Spoofing Defense,

Disable “Block ARP replies with inconsistent source MAC addresses.” to accept illegal ARP source mac reply packets.

Disable “Block ARP replies with inconsistent destination MAC addresses.” to accept illegal ARP destination mac reply packets.

Click OK

After enabling Vigor to accept illegal ARP packet, from the packets captured between Vigor router's WAN and ISP, we can see that the Sender MAC address and the Source MAC address which responses the router's ARP request may be different.

Telnet commend (On firmware version 3.8.7 or older)

1. Telnet into Vigor Route

2. Enter command “ip arp accept 1”, and it will return “Accept illegal ARP source mac REPLY packets.”

3. Reboot the router.

4. After enabling Vigor to accept illegal ARP packet, from the packets captured between Vigor router's WAN and ISP, we can see that the Sender MAC address and the Source MAC address which responses the router's ARP request may be different.

5. To disable Vigor from accepting those packet, please enter the telnet command “ip arp accept 0”, and it will return “Drop illegal ARP source mac REPLY packets.

Similarly, the ARP reply packets will be regarded as illegal when Ethernet destination address does not match the MAC address of ARP receiver. To allow Vigor Router to accept those packets, please enter telnet command “ip arp accept 3”; and disable the feature by “ip arp accept 2”,

Published On:2020-11-04

Was this helpful?

Related Articles

How to avoid IP Spoofing by Vigor Router?

Show VRRP MAC in the ARP table

Related Article

How to block an unknown IP address which keeps dialing VPN to Vigor Router?

How to use Digital Signature (X.509) to authenticate IPsec VPN between a Vigor3900/2960 and Vigor Router?

Enhancing DNS Security in Vigor routers to protect users from malware and phishing

Products

VPN Routers

Load Balancing Routers

DSL Modem Routers

LTE Routers

Access Points

PoE Switches

All Utilities

Resources

Product Live Demo

Latest Firmwares

FAQs

Knowledge Base

Case Studies

Submit a Ticket

Product Lifecycle

About

About DrayTek

Why Vigor Router ?

Authorized Partners

Contact Us

Newsroom

Security Advisory

DrayTek SDL

© Copyright DrayTek Corp.

Sitemap

Terms & Conditions

Privacy

EN 台灣/繁中

DrayTek website uses cookies.

By continuing to browse this website, it means your agree to our cookie usage policy. To find out more about the cookies we use, see our Privacy Policy