Why do I get IP_MAC_Binding errors (after upgradingUSG)?

tesagig
tesagig Posts: 9
edited April 2021 in Security
Hi, I just updated the firmware on my USG40. Afterwards some of my clients are no longer connected to network.
I found a client (on DHCP) that still was on the network that allowed me to login to USG web UI.
I found in the log for many clients the same error:  IP_MAC_Binding Drop_packet.
Not sure why as internal traffic is supposed to be wide open (LAN1 to LAN1)

All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @tesagig
    Can I know did you configure IP/MAC binding on Lan interface?
    Can issued client get IP address?

  • tesagig
    tesagig Posts: 9
    Yes, I did configure IP/MAC binding.
    At least some clients were unable to obtain IP address. Only after reboot.
  • tesagig
    tesagig Posts: 9
    Seems like the clients want to check for existing MAC-IP binding, and USG is rejecting because it forgot but does not force a new IP?
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited May 2020
    @tesagig
    What do you mean clients want to check for existing MAC-IP binding?(check from USG, but cannot access to GUI?)
    If forgot the IP address, you can type: Router> show ip dhcp binding, to check list from console.

  • tesagig
    tesagig Posts: 9
    clients kept IP and DHCP server (on USG) is not giving out new IP to client or is not recording existing IP-MAC binding on the network.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @tesagig
    What if you type “ipconfig /release” then “ipconfig /renew” in the terminal, the PC still cannot get new IP?
    Can you share what firmware version are you using?
  • tesagig
    tesagig Posts: 9
    I tried this. But IP is kept. I did some research on this and clients typically don't give up IP like this. Actually, some people have to go though great lengths to change IP (i.e. switch to static and then switch back) .

    In any case I woudl not expect to get the error after upgrading USG firmware.

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @tesagig
    Can you private message configuration for check further?
  • Fender
    Fender Posts: 21  Freshman Member
    Hi, I have the same problem with all of my zywalls on client sites. I have also configured IP/MAC binding on all lan and vlan interfaces, the problem is when you reboot the zywall after a firmware update or just a normal reboot the IP/MAC binding table is reset and empty, but all connected clients will keep their ipaddress from the zywall before the reboot. So the zywall is ingoring and blocking all those ip addreses because they are not listed anymore in de IP/MAC table. Is there a way to save the list before rebooting, or an option in zywall to retain the list?
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @Fender
    I updated the firmware from 4.35 to 4.38, and the IP/MAC binding still exist. Can you private message the configuration for check further?

Security Highlight