Saturday, January 15, 2011

Windows 7: IP Address Conflict: Event Viewer

As described in a previous post, I was trying to resolve an "IP address conflict" error message that would pop up when I connected more than one computer to the NetGear FS605 switch on my home network.  The message, in Windows 7, read like this:

Network Error

Windows has detected an IP address conflict.

Another computer on this network has the same IP address as this computer.
I had worked through a number of possible solutions that did not work for me.  Then one source suggested going into Control Panel > Administrative Tools > Event Viewer.  I had to wait a minute while it read its various events.  In its Summary of Administrative Events, I saw some events whose Source was Dhcp-Client.  This Summary seemed to indicate that details were contained in the Microsoft-Windows-DHCP Client Events/Admin log.  In the Log Summary panel at the bottom of the screen, I looked for a log with that name.  I found one and double-clicked on it.  It opened up a list of 343 events.  I sorted these by Event ID.  Event ID 1001 provided this General error message:
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0x1C6F6541080C. The following error occurred: 0x79. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Event ID 1002 (which, like others below, occurred multiple times) provided this message on its General tab:
The IP address lease 192.168.1.64 for the Network Card with network address 0x1C6F6541080C has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
Event ID 1005 was a Warning rather than an Error.  Its General tab said:
Your computer has detected that the IP address 192.168.1.64 for the Network Card with network address 0x1C6F6541080C is already in use on the network. Your computer will automatically attempt to obtain a different address.
Event ID 50034, an Error message, said:
An error has occurred in initializing the adapter 11. Error Code is 0x1004
Chronologically, about half of the events listed on this log had occurred on this particular morning, though I had only been on the computer for about an hour.  Many of them seemed to be spaced about 10 or 11 seconds apart.  I assumed older items scrolled off.  Event 1001 had not occurred in the past several days.  Event 1002 had occurred only once this morning, first thing, when I started up the computer.  All of the events on this log occurred within the first 15 minutes after I restored the computer from sleep (or possibly hybrid sleep).  Maybe that was when this computer B stopped complaining about an IP address conflict.  An Event 1005 was the last one on the log.  Apparently the computer had succeeded, at that point, in finding a different address.

I looked at the Event Log on computer A.  It went back for weeks, so maybe I was wrong about older events scrolling off.  I had installed Win7 relatively recently on computer B.  The Event Log on computer A had the same Event ID numbers.  It also had some others.  On this particular day, it had Event ID 20, which was too long to reproduce here in full, but which started as follows:
The description for Event ID 20 from source Google Update cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
And it also had Event ID 134 on this day:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ". NtpClinet will try again in 3473457 minutes and double the reattempt interval thereafter.  The error was: No such host is known. (0x80072AF9)
It also had Event ID 315, which said:
The print spooler failed to share printer Brother MFC-7340 with shared resource name Brother MFC-7340. Error 2114. The printer cannot be used by others on the network.
And it had Event ID 1014, which said this:
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.
It also had Event ID 4199:
The system detected an address conflict for IP address 192.168.1.64 with the system having network hardware address 1C-6F-65-41-08-0C.  Network operations on this sytem may be disrupted as a result.
There were some other errors that it had not yet had on this particular day.  There were also some that had occurred on this day, but that I have not reported here, at least not yet, because the ones listed above seemed to give me enough to think about for the time being.  These others were Event IDs 8021, 8032, 43029, and 52236.

I looked at the first items of the day.  (These machines were not all set to hibernate or sleep in the same way, if at all.)  On computer A, the first event (other than 43029, "Display is not active") was an Event 4199.  On the Vista laptop, the first event of the day was a 1005, followed by a 4199.  On the WinXP machine, likewise, it was a 4199.  On computer B, by contrast, the first event was Event 1002, and there were no 4199s.  So Event 4199 seemed like it might describe the problem.  I verified that the IP address being referred to on all three machines reporting a 4199 was 192.168.1.64.  (The network hardware addresses reported by Event 4199 varied from one machine and from one Event 4199 message to another.)  That seemed to suggest that I should just reset the IP address on the other machines manually.  I went into IPv4 properties on computer A and changed it to 192.168.1.65.  But I was still unable to go online.  I went into the laptop and tried 192.168.1.66.  While I was there, I noticed that the option to "Obtain DNS server address automatically" was grayed out, and yet there was nothing typed in the manual alternative, so I referred back to my post about OpenDNS and added numbers there.  This did not make a difference on the laptop.  I rebooted and tried again, just in case it would make a difference.  It didn't.  Now I noticed the same thing about computer A, so I added Google's public DNS numbers there.  Somehow -- possibly because I checked the "Validate settings on exit" option -- I wound up in Windows Network Diagnostics on computer A.  It offered this:
Automatically update your network settings
Windows can detect the correct network settings for you.
I thought, why not? and selected "Apply this fix."  It came back with the announcement that troubleshooting had found that "DHCP is not enabled for 'Local Area Connection.'"  And maybe that was true.  But computer A was still not going online.  I went back and saw that it had wiped out what I had just entered.

I noticed, when I went through the troubleshooter on computer A just a moment earlier, that it had the temporary effect of making computer B unable to go online.  I just happened to be at this blog post, and perhaps Blogger was trying to save at that very moment or something.  Anyway, a moment later, Blogger was able to save again.  I was curious about this, so I went back into Event Viewer, sorted for date and time, and hit F5 to refresh.  But no, there were no more recent items, so apparently whatever had happened had been too brief a blip to register on the log.

I tried typing ipconfig in a command box (Start > type "cmd" > type "ipconfig"), on computer A, to see what IP address I had now.  My change to 192.168.1.65 had stuck.  And yet it could not go online.  How was the 65 address conflicting with the 64 address?  Didn't make sense.  I refreshed Event Viewer on computer A.  (I accidentally refreshed this post instead.  Thanks to Blogger, that scrambled what I had written here, so I had to go back and fix it.  That took maybe 20 minutes.)  The last events in Event Viewer on computer A included a 1005 reporting that 192.168.1.64 was already in use on the network.  But ipconfig on computer A reported an IPv4 Address of 192.168.1.65.  So, OK, maybe no more IP address conflicts?  But computer A was still unable to go online.  I rebooted it.  The situation was the same.  The IP address was definitely 192.168.1.65, and there were no new events in the log (from the past 25 minutes or so), and yet I couldn't browse online.  In the command box, I got results from "ping www.ehow.com" on computer B, but not computer A.

On computer B, I went into Control Panel > Network and Sharing Center > Troubleshoot problems > Internet Connections.  That troubleshooter again offered to change my settings.  Since it didn't work last time, I skipped it this time.  It reported the same "DHCP is not enabled" error as last time.  A search for that error led to comments about routers.  Suddenly it occurred to me:  was 192.168.1.64 the only address that the modem was making available -- was that how this worked?  (Note:  I had since discovered that my modem was actually a combination modem/router.)  Consulting my previous post on the modem's part in this drama, I logged into the modem's internal webpage and looked around.  It said that, on the local network, the modem's IP address was 192.168.1.254, but that wasn't what I wanted to know.  That was where I could log into the modem, as I had just done.  But going in the opposite direction, where would the modem find computer B?  There was a log here, too, and it had a bazillion entries saying things like this:
2011/01/15 8:25:35 GMT - L3 - DHCP: Address 192.168.1.64 declined
The date and time reported there were just a few hours earlier.  So it was listening to computer A; it just didn't like what it was hearing.  On the modem's Statistics tab, I found a section containing "LAN Information."  This section reported that the DHCP address was 192.168.1.64.  So maybe that was the address that the switch was supposed to be using?  And then the switch was supposed to generate new IP addresses that the computers could use?

There was a "Routing Table" that seemed to say my ethernet network was connecting to the modem at 192.168.1.254.  That was the "Modem IP Address."  Further down, I saw a "Devices on LAN" section.  This listed two IP addresses as Active.  These were 192.168.1.64 and 192.168.1.65.  It listed two other addresses as Offline.  I hadn't seen those before.  I didn't know what those were for.  The 192.168.1.64 address looked like it was being associated with computer B -- the computer name it showed was partly familiar to me.

I wondered if this table would change if I changed things on the network.  So I unplugged the ethernet connections from the switch, for all computers except computer B.  Then I hit F5 to refresh the modem's webpage.  The name shown for computer B changed slightly, but otherwise these things seemed to be the same.  So the "Devices on LAN" section seemed to be listing all of the addresses from which computers had ever (or at least recently) tried to access the modem.  To test that, I unplugged computer B and plugged in computer A.  On computer A, I changed TCP/IPv4 Properties to specify an IP address of 192.168.1.66.  Sure enough, now the modem's "Devices on LAN" webpage was reporting a fifth entry, for that IP address.  The "MAC Address" reported for 192.168.1.65, on the modem's statistics page, was the same as reported for 192.168.1.66.  Apparently the MAC address was the "network hardware address" referred to in Event 4199 (above).

The modem's statistics page reported, as I say, a DHCP address of 192.168.1.64, and it reported a device on the LAN -- namely, computer B -- at that same address.  Did this mean that computer B was hogging the only available address of 192.168.1.64?  On computer A, I went back into TCP/IPv4 Properties and changed the IP address to 192.168.1.64.  With only computer A connected to the switch and therefore to the modem, I refreshed the modem's webpage.  Now it reported that 192.168.1.64 and 192.168.1.66 (but not 192.168.1.65) were Active, and the name of the computer at IP address 192.168.1.64 was simply "192.168.1.64."  Three of the five items in the Devices on LAN table had identical MAC addresses -- presumably that of computer A.  (The other two were 191.168.1.107 and 125.)

Unfortunately, computer A was not able to go online at this point, even with no other computers connected to the switch, or even with computer A connected directly to the modem.  I wondered if this was due to an internal conflict, in the sense that it now had these three identities.  I did a search for information related to my Motorola model 2210 modem and found a thread where someone said this:
Only one device can be set up as a dhcp client with the 2210.  All other devices will require a static private IP address.
Well, this was daylight.  Another person explained:
The DHCP server will assign only a single IP address, 192.168.1.64. It will be assigned to the first device which makes a DHCP request. Additional DHCP devices will be declined an IP address.
This raised the question of what would have happened if computer A had been the first one to contact the modem.  (For posterity, my search led to a manual for a Motorola 2220, which was apparently similar to the 2210 but had more features.)  To test that, I unplugged the modem and let it sit.  Meanwhile, I changed TCP/IPv4 properties in computer A to obtain and IP address and DNS server address automatically.  Then I powered up the modem, and after it was back online I viewed its webpage from computer A.  That did it.  Under Devices on LAN, it showed only 192.168.1.64.  And it appeared I was right about the internal conflict:  computer A was now able to go online.

It felt, at this point, like the Event Viewer had introduced me to something resembling an intelligent way to resolve networking problems.  I had miles to go.  But this was starting to make sense.  So now, what would happen if I connected computer B to the switch?  I did that.  Now computer B was reporting an IP address conflict.  Computer A wasn't, at least not yet, and ipconfig there continued to report an IP address of 192.168.1.64, but now computer A was not able to go online in the web browser, though it did successfully ping http://www.ehow.com/.  The modem's webpage, duly refreshed, oddly still reported only one Devices on LAN:  192.168.1.64.  I was not presently clear on the name of the computer it was associating with that IP address, but tentatively it appeared that the computer that first approached the modem after a reset would be the one whose real name (i.e., the name I had assigned to it during Windows installation) would appear in the modem's Devices on LAN list.  (The modem's log, which I had erased with the reset, now reported a bunch of new "DHCP: Address 192.168.1.64 declined" errors.)

I still didn't understand why computer B would still gain dominance in terms of Internet access, when both were connected, even if computer A was the one associated with 192.168.1.64.  Life wasn't as easy for computer B this way -- when it wasn't first to the modem, it seemed to struggle more to get online when both were connected to the switch, but ultimately it was able to do so, displaying webpages after one or two refreshes if not right away.

The modem's webpage, viewed on computer B, was hung at this point -- it wasn't reporting statistics, just sitting there with that Win7 spinning hourglass, telling me that it was thinking about it -- so I ran troubleshooting on computer A.  It said, "'Local Area Connection' doesn't have a valid IP configuration," and it said it had fixed that.  Then I was able to see that computer A remained the only item listed in Devices on LAN.  But computer A (and not computer B) was still reporting an IP address conflict, and still couldn't view webpages.

Following another thread, I checked the modem's webpage for information on its range of available addresses.  But there didn't seem to be one.  Even if I found one, it would presumably make no difference.  The modem was going to work only with 192.168.1.64.  Assigning other static IP addresses would apparently not help.  But why would it be better to let computers acquire their own IP addresses, if 192.168.1.64 was the only one available?

I did a revised search.  This led to a webpage with several suggested steps to resolve DHCP problems.  The webpage said that an IP address conflict was one kind of DHCP problem.  It suggested typing (in a command window) "show ip dhcp conflict:".  I tried that.  The reply was, "'show' is not recognized as an internal or external command, operable program or batch file."  An old thread offered this interesting theory, about a system having a modem like mine:
The modem will only hand out one LAN IP address on the network. So the first device to request an IP will be the one to get it. If another device makes a request for an IP it will be denied and that computer will not have internet access.
Another poster in that thread revised that:
Slight correction, the last device to request an address is the one that gets it. So if you have two devices active at once you will get address stealing from each device as the DHCP leases are renewed.
Neither of these seemed to explain what was actually happening on my system.  Any way I sliced it, computer A was the junior partner.  I tried a revised search and then turned to a missing piece of the puzzle:  how did the switch work?  That was a matter for another post.

0 comments: