About 50 Pending macs for one host? Beware of Windows 10 random MAC feature for WLAN!
-
@Tom-Elliott @Wayne-Workman @george1421 here come my duplicates, I ran a report from pdq inventory for all macs from all systems and broke it down to duplicates and sorted 'em, here is the list (argh):
IT3394 00:11:6B:66:3C:89
IT3755 00:11:6B:66:3C:89
IT2658 00:50:56:C0:00:01
IT3256 00:50:56:C0:00:01
IT3905 00:50:56:C0:00:01
IT4004 00:50:56:C0:00:01
IT4027 00:50:56:C0:00:01
IT4092 00:50:56:C0:00:01
IT2658 00:50:56:C0:00:08
IT3256 00:50:56:C0:00:08
IT3905 00:50:56:C0:00:08
IT4004 00:50:56:C0:00:08
IT4027 00:50:56:C0:00:08
IT4092 00:50:56:C0:00:08
IT2980 02:80:37:EC:02:00
IT3210 02:80:37:EC:02:00
IT3271 02:80:37:EC:02:00
IT3286 02:80:37:EC:02:00
IT3394 02:80:37:EC:02:00
IT3445 02:80:37:EC:02:00
IT3456 02:80:37:EC:02:00
IT3460 02:80:37:EC:02:00
IT3503 02:80:37:EC:02:00
IT3514 02:80:37:EC:02:00
IT3540 02:80:37:EC:02:00
IT3776 02:80:37:EC:02:00
IT3832 02:80:37:EC:02:00
IT3299 0A:00:27:00:00:00
IT3909 0A:00:27:00:00:00
IT2740 18:A9:05:C4:D4:30
IT3254 18:A9:05:C4:D4:30
IT3811 34:64:A9:15:C9:E6
IT3944 34:64:A9:15:C9:E6
IT3524 AA:F3:20:52:41:53
it4244 AA:F3:20:52:41:53
What should or what can I do now? Damn, there is no it4314 in the list.
Regards X23
-
@x23piracy The good news is I only see 7 unique MACs in that list. Add those to the mac filter in the web interface.
Also, how did you even get into this situation? Did you get some new devices recently? Image some new stuff? Create a new image in a VM? What caused this?
-
@x23piracy Tom and I were chatting last week, and it was his impression that your issue may be related to a mac address for a virtual adapter like a microsoft virtual adapter.
I think that your pdq inventory query only returns mac addresses for physical adapters (??). In that case these virtual ones would not be found. According to Tom the pending mac addresses come from the FOG client sending all discovered mac addresses to the FOG server.
(the following is my personal opinion/) I feel it's a flaw in the FOG client, in that it should ONLY send physical mac addresses and leave the virtual ones alone. Because it's possible for usb/bluetooth/vpn/etc adapters to have soft mac addresses that could be generated each time a device is plugged in. (/my personal opinion)
It's also possible, if you don’t sysprep the golden image, that these duplicate mac addresses are coming from, and are the same as, the mac addresses defined in the golden image.
Now that you might have a list of 7 or 8 from your initial query. Go to a number of them and dump the output of
ipconfig /all > %hostname%_mac.txt
(warning: I did not test that command, so user beware). Compare these 7 or so systems to see if any mac address is consistent. If that is the case then that mac address is your filter address for FOG (at least from what I understand chatting with Tom).
-
@Wayne-Workman hell idk, I was ill some days and not at work, then I came back and saw the pending macs after I got two new devices for new starters I would like to image (deploy). Then I mentioned these lot of pending macs from it4314. But the two new devices have nothing to do with it for sure.
Sorry, I have no idea what happened. I hate such problems but I will figure that out.
@george1421 ipconfig /all > %hostname%_mac.txt will not destroy something, harmless
-
@george1421 It’s more a fog 0.x design flaw that has been carried forward. I understand that @Joe-Schmitt is using UUIDs in the designs for fog 2.0 so this won’t be a problem in the future.
-
@Wayne-Workman said in About 50 Pending macs for one host?:
@george1421 It’s more a fog 0.x design flaw that has been carried forward. I understand that @Joe-Schmitt is using UUIDs in the designs for fog 2.0 so this won’t be a problem in the future.
@Joe-Schmitt is there maybe a way to discard sending macs from virtual adapters with the current fog client, please? Maybe before 2.x?
@george1421 yes, it seems that you are right with pdq inventory, no macs for virtual adapters. I didn’t mention that, I was just wondering why there were some empty cells in the excel export, that's the answer.
Regards X23
-
@x23piracy said in About 50 Pending macs for one host?:
ipconfig /all > %hostname%_mac.txt will not destroy something, harmless
This is harmless. What it does is this:
ipconfig /all
lists all of the network adapters with all data. You may be able to get just the mac addresses of all network adapters if you have powershell or VB skills. I was just looking at quick and easy.
> %hostname%_mac.txt
sends the output of ipconfig /all to a file titled %hostname% of the computer and _mac.txt. Then you can manually review this file for like mac addresses. Tom gave you a clue to what the troubled mac address could be. You will need to be Sherlock Holmes and find it.
-
@Tom-Elliott @george1421 @Wayne-Workman I could get the desired info from most of the systems I found with duplicate macs:
it3210: https://pastebin.com/NLU4uZjM
it3256: https://pastebin.com/4ek2esnT
it3286: https://pastebin.com/KnQ8PWZK
it3905: https://pastebin.com/BKREi3Fu
it4004: https://pastebin.com/v3kxZrk2
it4027: https://pastebin.com/sC01izYN
it4092: https://pastebin.com/v7p1SbZv
What I found out so far:
00:50:56:C0:00:01 VMWare
00:50:56:C0:00:08 VMWare
02:80:37:EC:02:00 WWAN Device (H5321) Ericsson
00:11:6B:66:3C:89 still unclear (Systems are currently not connectable)
Edit:
I could check it3394 for the 00:11:6B:66:3C:89 mac but the system does not have any device with that mac associated, so what should I do now? Set the both vmware macs on the filter list and also add the wwan device?
My pending mac list is getting fuller and fuller, actually there are more than 300 pending macs from it4314, I need to get rid of this.
Regards X23
-
@x23piracy said in About 50 Pending macs for one host?:
Set the both vmware macs on the filter list and also add the wwan device?
Correct.
-
@Wayne-Workman i’ve done the following:
I will now delete all pending macs to see if they come back or not.
Regards X23
-
@x23piracy You can do partial filters.
Meaning you could do:
00:50:56,02:80:37
So any mac address that matches the prefix will be filtered.
-
@Tom-Elliott ok, I’ve shortened it to the first 3 octets like you recommended. I’ve read the hint for the setting but I thought filtering until mac change would be better, but I did what you told me.
-
@Tom-Elliott @Wayne-Workman the first pending mac is back
argh oh nooo
I cannot find this MAC address (d2:b1:a5:d6:12:7c) on any MAC vendor list, this sounds to me like a virtual adapter too.
Would it be a good idea to also filter d2:b1:a5 without any research?
-
@x23piracy we need to find out why it thinks it’s it4314 first.
-
@Tom-Elliott sorry i really would do this but i am a little bit lost with it what should i do next? any help is appreciated.
-
@x23piracy You can look in the access log and hopefully see the host that applied this mac address.
-
172.19.101.150 - - [08/Jun/2017:13:18:25 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:18:27 +0200] "GET /fog/service/usertracking.report.php?action=login&user=it4314%5Ccca&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 583 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:20:37 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:23:08 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:24:19 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:26:44 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 belongs to IT4314 hrhr
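As an added example (not part of the original posts and not FOG's own code), the Python below pulls the mac= parameter out of access log lines like the ones above, groups the reported addresses by client IP, and separates out addresses whose locally administered bit is set, which is how software-assigned addresses such as D2:B1:A5:D6:12:7C stand out from vendor-assigned ones. The function names are hypothetical, and the comma-separated filter is assumed to behave as a case-insensitive prefix match, as described earlier in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Two request lines copied from the access log excerpt in this thread.
SAMPLE_LOG = '''\
172.19.101.150 - - [08/Jun/2017:13:18:25 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:18:27 +0200] "GET /fog/service/usertracking.report.php?action=login&user=it4314%5Ccca&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 583 "-" "-"
'''
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_locally_administered(mac):
    """True when bit 1 of the first octet is set (software-assigned address)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def macs_by_client(log_text):
    """Map client IP -> set of upper-case MACs it sent in the mac= parameter."""
    seen = {}
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, url = m.groups()
        for value in parse_qs(urlsplit(url).query).get("mac", []):  # %7C -> "|"
            seen.setdefault(ip, set()).update(
                part.upper() for part in value.split("|") if part)
    return seen

def classify(macs, prefix_filter=""):
    """Split MACs into (filtered, locally_administered, universal) lists."""
    # Assumption: the filter is a comma-separated list of MAC prefixes.
    prefixes = [p.strip().upper() for p in prefix_filter.split(",") if p.strip()]
    filtered, local, universal = [], [], []
    for mac in sorted(macs):
        if any(mac.startswith(p) for p in prefixes):
            filtered.append(mac)
        elif is_locally_administered(mac):
            local.append(mac)
        else:
            universal.append(mac)
    return filtered, local, universal

if __name__ == "__main__":
    for ip, macs in macs_by_client(SAMPLE_LOG).items():
        print(ip, classify(macs, "00:50:56,02:80:37"))
```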
-
So what we know, so far, is it appears IT4314 IS registering these pending macs?
-
@Tom-Elliott after chatting with Tom we decided to remove the fog client from it4314, I also removed all the pending macs again. Now let's wait what happens.
-
@Tom-Elliott Information about IT4314
ipconfig /all
Windows-IP-Konfiguration

   Hostname . . . . . . . . . . . . : it4314
   Primäres DNS-Suffix . . . . . . . : haan.local
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert . . . . . . : Nein
   WINS-Proxy aktiviert . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : haan.local
                                       carbolite.local

Ethernet-Adapter Ethernet:

   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I219-LM
   Physische Adresse . . . . . . . . : 40-B0-34-11-A6-D2
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse . : fe80::6844:9327:ec81:4731%11(Bevorzugt)
   IPv4-Adresse . . . . . . . . . . : 172.19.101.150(Bevorzugt)
   Subnetzmaske . . . . . . . . . . : 255.255.252.0
   Lease erhalten. . . . . . . . . . : Donnerstag, 8. Juni 2017 13:20:03
   Lease läuft ab. . . . . . . . . . : Freitag, 9. Juni 2017 13:20:03
   Standardgateway . . . . . . . . . : 172.19.100.1
   DHCP-Server . . . . . . . . . . . : 172.19.100.9
   DHCPv6-IAID . . . . . . . . . . . : 54571060
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-20-3C-5E-9A-40-B0-34-11-A6-D2
   DNS-Server . . . . . . . . . . . : 172.19.100.9
                                       172.19.100.10
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Drahtlos-LAN-Adapter LAN-Verbindung* 2:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-AE
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Ethernet-Adapter Bluetooth-Netzwerkverbindung:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-B1
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Drahtlos-LAN-Adapter WLAN:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
   Physische Adresse . . . . . . . . : 72-3F-F5-26-FF-6C
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
Installed Software:
Network devices in device manager: