SonicWall taking all of the DHCP addresses, causing IP conflicts?

I have a deployment consisting of a SonicWall firewall connected to a Cisco switch managing VLANs and DHCP. Four Ubiquiti enterprise switches are connected downstream from the Cisco switch. The Cisco switch handles six VLANs: 10, 20, 30, 50, 100, and 172. The firewall is in VLAN 10, and the rest of the networking equipment is in VLAN 172. I inherited this setup.

We are expanding this site, so I need to add a handful of extra APs to the building. However, I noticed that when I connect an AP to the first switch downstream from the Cisco, the Cisco shuts down the uplink port, bringing the whole network down.

Lately, I’ve been testing monitoring software and discovered numerous IP conflicts on VLAN 172, despite devices being statically assigned within a reserved IP block. Checking the ARP table reveals that the SonicWall is claiming most of the IPs from VLAN 172, leading to conflicts and potentially causing a loop. This issue results in the port being shut down, only recovering after unplugging and replugging the uplink from the Cisco to the rest of the switches.

I’m at a loss despite checking and triple-checking configurations. Any guidance on resolving this issue would be greatly appreciated.

It seems to pick up addresses, then drop them, then pick them back up; it's just a whole mess.

For example, here is a conflict: this is an IP in a reserved DHCP scope, and the SonicWall should not have it at all.

Thank you guys and gals!

If the range for VLAN 172 is .100-.250, that tells me one AP is not configured properly and it pulls a .35 address.

Well, so the 172 VLAN is a /24 and I have the first 100 IP addresses excluded from DHCP. But check this extract from my ARP table:

OASC-CORE#sh ip arp vlan 172
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.3.172.2 - ecc8.821c.5746 ARPA Vlan172
Internet 10.3.172.32 2 e438.8321.e596 ARPA Vlan172
Internet 10.3.172.31 0 e438.83e9.4a81 ARPA Vlan172
Internet 10.3.172.36 2 e438.8321.a801 ARPA Vlan172
Internet 10.3.172.35 0 e438.8321.e032 ARPA Vlan172
Internet 10.3.172.39 0 e438.8321.e9ec ARPA Vlan172
Internet 10.3.172.1 0 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.37 2 e438.8321.b58f ARPA Vlan172
Internet 10.3.172.6 3 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.7 205 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.8 31 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.9 32 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.101 3 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.102 203 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.103 17 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.104 39 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.105 245 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.106 194 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.107 211 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.108 192 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.109 86 2cb8.ed59.bc68 ARPA Vlan172
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.3.172.110 153 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.111 133 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.112 121 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.113 180 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.114 146 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.115 95 2cb8.ed59.bc68 ARPA Vlan172

You can see 2cb8.ed59.bc68 still taking over excluded addresses. In fact, the SonicWall should not have any addresses besides the 10.3.10.1 that is assigned to the LAN interface. It's so weird.

Clear the ARP cache and let the APs start getting IPs in your range.

The DHCP for the APs is 10.3.172.1, right?
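
Added example, not part of the thread: a short Python script that parses `sh ip arp` output like the extract posted above and reports every hardware address holding more than a set number of entries, which is how 2cb8.ed59.bc68 stands out in that table. The sample input is an excerpt of the posted table; the function names and the threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Excerpt of the `sh ip arp vlan 172` output posted in the thread, including
# the repeated pager header and the switch's own entry (age "-").
SAMPLE = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.3.172.2 - ecc8.821c.5746 ARPA Vlan172
Internet 10.3.172.32 2 e438.8321.e596 ARPA Vlan172
Internet 10.3.172.1 0 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.6 3 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.7 205 2cb8.ed59.bc68 ARPA Vlan172
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.3.172.101 3 2cb8.ed59.bc68 ARPA Vlan172
Internet 10.3.172.102 203 2cb8.ed59.bc68 ARPA Vlan172
"""

# One data row: protocol, IPv4 address, age (or "-"), dotted MAC, type, interface.
ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Yield (ip, mac, interface, is_local) per data row; headers and prompts are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m["ip"], m["mac"].lower(), m["intf"], m["age"] == "-"

def macs_with_many_ips(text, threshold=2):
    """Return {mac: sorted IPs} for MACs holding more than `threshold` ARP entries."""
    by_mac = defaultdict(set)
    for ip, mac, _intf, is_local in parse_arp(text):
        if not is_local:  # age "-" marks the switch's own interface address
            by_mac[mac].add(ip)
    return {
        mac: sorted(ips, key=lambda a: tuple(map(int, a.split("."))))
        for mac, ips in by_mac.items() if len(ips) > threshold
    }

if __name__ == "__main__":
    for mac, ips in macs_with_many_ips(SAMPLE).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Running it against saved output before and after clearing the ARP cache shows whether the same hardware address re-acquires the entries.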