Ip address flip flop on new xcpng install

Mike_bartz · April 17, 2025, 7:03pm

Good day everyone!

i want to preface this with, im not sure if this is the correct category, or if it should be in the software and web app one. feel free to correct me if im in the wrong spot to keep the forum clean.

I have finally settled on xcpng/xen as a replacement for vmware, and set it up on a r730xd. Ive installed a intel 10g SFP+ card for the vms to share, leaving an onboard 1g connection for management. I set static IP’s via DCHP assignments in my pfSense and everything was good for about an hour. now i get every 50 to 60 minutes a notification from ARPWatch on pfsense of address flipflop, followed 5 seconds later by another alert of it flipping back.
Was there a setting or a netting config ive bunged up, or just outright missed, to cause this?

for reference:

pfsense community edition, with a vlan for the servers
self hosted unifi stack
xcp-ng host on r730xd with 4x1g daughter card and 10g add on card.
1x1g interface connected to a unifi 24 poe switch
1x10g into a uxg 16

pf_alerts, [4/17/2025 9:02 AM]
[firewall name here] - Arpwatch Notification : flip flop - hostname:
ip address: 192.168.10.92
ethernet address: 18:66:da:fb:40:9c
ethernet vendor:
old ethernet address: 00:1b:21:bb:1a:2c
old ethernet vendor:
timestamp: Thursday, April 17, 2025 9:02:15 -0700
previous timestamp: Thursday, April 17, 2025 8:09:00 -0700
delta: 53 minutes

pf_alerts, [4/17/2025 9:02 AM]
[firewall name here] - Arpwatch Notification : flip flop - hostname:
ip address: 192.168.10.92
ethernet address: 00:1b:21:bb:1a:2c
ethernet vendor:
old ethernet address: 18:66:da:fb:40:9c
old ethernet vendor:
timestamp: Thursday, April 17, 2025 9:02:20 -0700
previous timestamp: Thursday, April 17, 2025 9:02:15 -0700
delta: 5 seconds

LTS_Tom · April 18, 2025, 4:43pm

If you look at the back up and forth is something else using that MAC? Also you can search by MAC in UniFi.

Mike_bartz · April 18, 2025, 11:42pm

Hi Tom,

Both mac’s are from the same host. 1 is for the host/management (eth0, 40:9c) and 1 is for the 10g (eth4, 1a:2c). nothing is using those IP’s till now (DHCP range starts at ..10.100), and as far as Unifi can tell, the MAC’s are also alone. ..10.91 is the management, and ..10.92 is the 10g interface. XO is currently on a different host, on a different vlan.

LTS_Tom · April 19, 2025, 10:05am

Odd, but here are some more detailed steps to try:

On pfSense:
- Check Status > DHCP Leases — make sure no MAC address mismatch for .92
- Review your static mappings for typos or duplicates
On XCP-ng Host:
- Confirm 192.168.10.92 only exists once
- Ensure MACs assigned to VMs don’t overlap with host or each other
- You can use grep to filter these results

ip a
xe pif-list
xe vif-list params=all

On VMs:
- Run ip a and ip link inside each to confirm their MACs and IPs
- Make sure no VMs are using .92 unless it’s assigned to one and only one
ARP table On pfSense or a Linux box:

arp -a | grep 192.168.10.92

Mike_bartz · April 22, 2025, 12:09am

Thanks for the commands. i didnt see anything that stood out to me. The arp command on ubuntu didnt return anything though.
i can paste the outputs here if youd like.