ARP Cache Poisoning detection when connecting to a NIC Teamed device

Discussion in 'ESET Smart Security' started by GeneNZ, Jul 22, 2009.

Thread Status:
Not open for further replies.
  1. GeneNZ

    GeneNZ Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    6
    Hi there,

    I've got an interesting issue in ESS Business Edition v4.0.437, which prevents us from accessing Windows 2008 servers configured with Intel NIC Teaming. Several of our servers are running Intel Adapter Teaming as part of the Intel Advanced Network Services (ANS). These NIC teams have been setup using Adaptive Load Balancing (as opposed to 802.3ad Link Aggregation). When I try connect to one of these servers via the network (using services such as VNC or simple windows file sharing), I am unable to connect to the machine. With the firewall disabled, everything is fine.

    I have investigated the issue, and it appears it is part of the ESS Firewall IDS, in which we receive "Detected ARP cache poisoning attacks". Disabling this feature on the IDS allows us to connect to machine with the ESS firewall enabled.

    From a highlevel networking point of view, I can see why the firewall is blocking it, as the Intel software maybe generating a pseudo-MAC address for the teamed NIC's. As a result, ESS detects it and prevents network traffic.

    The interesting thing is that I can only see it happening with the Intel ANS software only. We have a Dell Poweredge 1950 with onboard broadcom NIC's running the broadcom NIC Teaming software with no issues. We also have several linux servers using the built in NIC bonding software, and there is no issue.

    Does anyone have any clue how to fix this without having to outrightly disabling this check in the IDS.

    Thanks in advance.

    Gene
     
  2. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    I am having this exact same issue. Did you contact Eset tech support for a resolution?
     
  3. MathewG

    MathewG Former ESET Support Rep

    Joined:
    Apr 9, 2009
    Posts:
    41
    Hello GeneNZ,

    Try updating your NIC drivers on the servers. Also, make sure you are running the latest build of the ESET software.
     
  4. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    To fix this problem I had to:

    I had the newest 4.0.437.0 Eset Smart Security Installed.

    Reinstall drivers from scratch.

    1) Break the NIC team
    2) uninstall the Intel NIC drivers on the server.
    3) Reboot.
    4) Install the newest 14.3 PROSet drivers from Intel's website.
    5) Recreate the NIC team.
    6) Readdress the NIC team.
    7) Reboot.

    An install over the top of the old drivers did not fix the issue.

    Hope this helps someone. :)
     
Thread Status:
Not open for further replies.