Troubleshooting ARP Move Log Messages

AZTCO-FW log entries may appear in the system log showing something similar to the following:

AZTCO-FW kernel: arp: 192.168.1.50 moved from c4:0c:5c:69:6c:05 to 62:1e:3e:43:04:0c
˓→on em1

can happen for several reasons.

IP address conflict Two hosts are configured with the same IP address

ARP poisoning Someone on the network is ARP poisoning hosts

NIC teaming Some NIC teaming or bonding configurations will routinely log messages such as this because of the way they function. In these cases, this message is normal.

IP address moved to a different host or NIC If an actively used IP address is reassigned to a different device or different NIC, this message will be logged. This will only occur when an active IP is moved, for instance an expired DHCP lease that later is assigned to a different host will not trigger this as the IP must have an active ARP table entry on the firewall for this to occur.

Apple Bonjour sleep proxy Apple’s Bonjour sleep proxy will cause these logs to appear because of its network behavior. If both of the listed MAC addresses are Apple vendor MACs, this is likely why and can be disregarded as normal behavior.

This logging can be disabled by setting the tunable net.link.ether.inet.log_arp_movements to value 0

under System > Advanced, System Tunables tab.

© Copyright 2025 . All Rights Reserved. AZTCO-FW| Developed By AZTCO-FW. Powered by AZTCO.