A duplicate IP address has been detected on the network
This rule generates an alert when Windows® detects that the local machine’s IP address is in conflict with one or more identical IP addresses on the network.
Until the IP address conflict is resolved, remote clients and applications may have difficulty accessing resources on any of the affected computers. Additionally, the local computer may not be able to access network resources.
Related Events
This rule generates an alert whenever the following events occur and are recorded in the System Event Log:
Source: TCPIP; Event ID: 4198
The system detected an address conflict for IP address %2 with the system having network hardware address %3. The local interface has been disabled.
Another computer on the network is using the same IP address.
There is a duplicate media access control (MAC) address on the network. Duplicate MAC addresses can occur if you are assigning locally administered addresses (LAA), usually in Token Ring adapter drivers.
If there is an IP address conflict and your network uses Dynamic Host Configuration Protocol (DHCP), DHCP can automatically supply a new IP address:
Go to the command line
Type ipconfig /release and press ENTER
Type ipconfig /renew and press ENTER
If there is an IP address conflict and your network uses static IP addresses, obtain an available unique IP address from your network administrator and replace the current IP address with the new IP address.
If there is a duplicate MAC address on the network, you must determine which other computer on the network is using the same MAC address. To isolate the duplicate MAC address, perform the following steps from a working TCP/IP-based client:
From the command line, ping the IP address found in the event log entry by typing PING %IP Address%.
Verify that the device’s MAC address is the duplicate of the address found in the event log by typing ARP -a %IP Address%.
Retrieve the NetBIOS name of the duplicate computer by typing NBTSTAT -a %IP Address%.
A “Host Not Found” message indicates that the duplicate device is not NetBIOS-enabled. Examples of devices that are not NetBIOS-enabled include Novell and UNIX servers, routers, and printers directly attached to the network.
After you locate the device with the duplicate address, you can either replace the network adapter or, if you are using LAA, change the address to one that is unique on the network.
For more information, see Microsoft® Knowledge Base Article: 164903, “How to Troubleshoot Duplicate Media Access Control Address Conflicts,” at http://go.microsoft.com/fwlink/?LinkId=28866.
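The MAC comparison in the steps above can be scripted. The following is an added example, not part of the original rule documentation or the management pack: it extracts %2 and %3 from the event description, parses ARP -a output, and compares the two MAC addresses after normalizing their separators. The function names and all sample data are assumptions constructed for illustration, including the colon-separated MAC in the event text.

```powershell
# Added example: inputs below are constructed; function names are hypothetical.

# Reduce a MAC to 12 upper-case hex digits so the colon form in the event
# text and the dash form printed by ARP -a compare equal.
function ConvertTo-NormalizedMac([string]$Mac) {
    ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Extract the %2 (IP) and %3 (hardware address) values from the description.
function Get-ConflictFromEventText([string]$Message) {
    $p = 'IP address (?<ip>\d{1,3}(?:\.\d{1,3}){3}) with the system having ' +
         'network hardware address (?<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})'
    if ($Message -match $p) {
        [pscustomobject]@{ IP = $Matches['ip']; Mac = ConvertTo-NormalizedMac $Matches['mac'] }
    }
}

# Parse the address rows of ARP -a output; header and interface lines are skipped.
function ConvertFrom-ArpOutput([string[]]$Lines) {
    $row = '^\s*(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(?<type>\w+)'
    foreach ($line in $Lines) {
        if ($line -match $row) {
            [pscustomobject]@{ IP = $Matches['ip']; Mac = ConvertTo-NormalizedMac $Matches['mac']; Type = $Matches['type'] }
        }
    }
}

# Constructed event description (documentation address range, made-up MAC).
$eventText = 'The system detected an address conflict for IP address 192.0.2.25 with the system ' +
             'having network hardware address 00:1A:2B:3C:4D:5E. The local interface has been disabled.'
# Constructed ARP -a output; on a live client use: $arpLines = arp -a $conflict.IP
$arpLines = @(
    'Interface: 192.0.2.10 --- 0xb',
    '  Internet Address      Physical Address      Type',
    '  192.0.2.1             00-1a-2b-00-00-01     dynamic',
    '  192.0.2.25            00-1a-2b-3c-4d-5e     dynamic'
)

$conflict = Get-ConflictFromEventText $eventText
$entry    = ConvertFrom-ArpOutput $arpLines | Where-Object { $_.IP -eq $conflict.IP } | Select-Object -First 1

[pscustomobject]@{
    IP       = $conflict.IP
    EventMac = $conflict.Mac
    ArpMac   = if ($entry) { $entry.Mac } else { $null }   # $null: no ARP entry cached, ping first
    Match    = [bool]($entry -and $entry.Mac -eq $conflict.Mac)
}
```

A Match of True means the ARP cache entry belongs to the device named in the event, so the NBTSTAT lookup in the next step is querying the right host.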
Target | Microsoft.Windows.Server.2003.OperatingSystem |
Category | EventCollection |
Enabled | True |
Event_ID | 4199 |
Event Source | TCPIP |
Alert Generate | True |
Alert Severity | Error |
Alert Priority | Normal |
Remotable | True |
Alert Message | |
Event Log | System |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Windows.Server.2003.OperatingSystem.IPAddressConflict.Alert" Enabled="onEssentialMonitoring" Target="Microsoft.Windows.Server.2003.OperatingSystem" ConfirmDelivery="true">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>TCPIP</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>4199</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2003.OperatingSystem.IPAddressConflict.Alert.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>