Identical IP addresses detected in network

Hi all,

Having been a long time user of ESS I recently let it lapse for several months as I found the irritations were staring to outweigh the benefits. However yesterday I thought I would bite the bullet and give v4 a go and so renewed a 5 licence business edition for two years.

Initial impressions were pretty good but I am having a problem with firewall events such as the following

Column Name Value
Firewall Id Firewall 132557
Client Name Office
Computer Name Office
MAC Address 0013721c31d4
Primary Server Office
Date Received 2009-07-10 08:20:13
Date Occurred 2009-07-10 08:16:22
Level Critical Warning
Event Identical IP addresses detected in network
Source 192.168.2.55
Target 192.168.2.60
Protocol ARP
Rule
Application
User

It doesn't tell me anything actually helpful, like which of the IP addresses listed it considers to have duplicates, however as .60 is the XP machine that ESS is running on and .55 is a Linux machine I am assuming the latter. However I can find no evidence with arp or arping of there being a duplicate and even if there is, things have been running perfectly happily for years now with that IP. The Linux server is running quite a complicate networking schema with dual ethernet cards and bridged and NAT'd networking but that is all quite standard nowadays so there should be no issue with that.

ESS in it's wisdom now seems to have decided to block any access to .55 which means that I can no longer access my server from my XP box. If I disable ESS I can connect, when I reenable it I cannot. I have looked in the rules to see if it has added a blocking rule for that IP that I could disable individually but can't see one.

So I am looking for a way of
1) Telling ESS that it's very nice of it to tell me of the warning but really I am happy to keep accessing that IP
2) Finding out what ESS uses to detect (apparently falsely) duplicate IP.

I have just checked on the latest status and am also getting the same error from other Windows boxes (XP and Vista) in my network about .55 but also about .56 which is the IP of the other ethernet card in the same server, which is not bridged. ESS seems to be getting very confused about something and blocking me access to that machine even though it is in my trusted network. Furthermore my firewall logs also contain several of the following entries

Column Name Value
Firewall Id Firewall 132544
Client Name Office
Computer Name Office
MAC Address 0013721c31d4
Primary Server Office
Date Received 2009-07-09 18:36:48
Date Occurred 2009-07-09 18:31:47
Level Critical Warning
Event Detected ARP cache poisoning attack
Source
Target
Protocol 0
Rule
Application
User

and

Column Name Value
Firewall Id Firewall 132497
Client Name Office
Computer Name Office
MAC Address 0013721c31d4
Primary Server Office
Date Received 2009-07-08 19:57:09
Date Occurred 2009-07-08 19:53:11
Level Critical Warning
Event Detected DNS cache poisoning attack
Source 192.168.2.1:53
Target 192.168.2.60:61394
Protocol UDP
Rule
Application
User

Again without knowing what it is that it uses to detect such things it's very difficult to follow through. In the case of the DNS cache attack above, .1 is my Smoothwall DHCP and DNS server anyway, so does it think it's attacking itself or that something is attacking it? It's all very confusing with such limited information. It would be much more helpful if these alerts could have a link to a page explaining how the detection has taken place and how you then go about tracking down and resolving the issue.

So, anyway, less than 24 hours into my new install of ESS v4 and it is gradually cutting me off from bits of my network and so has been disabled, which I'm sure was not the intended purpose. Anyway light that could be shed on the above and how to get round it would be most appreciated.

Regards

Phil