ARP Cache Poisoning detection when connecting to a NIC Teamed device

Hi there,

I've got an interesting issue in ESS Business Edition v4.0.437, which prevents us from accessing Windows 2008 servers configured with Intel NIC Teaming. Several of our servers are running Intel Adapter Teaming as part of the Intel Advanced Network Services (ANS). These NIC teams have been setup using Adaptive Load Balancing (as opposed to 802.3ad Link Aggregation). When I try connect to one of these servers via the network (using services such as VNC or simple windows file sharing), I am unable to connect to the machine. With the firewall disabled, everything is fine.

I have investigated the issue, and it appears it is part of the ESS Firewall IDS, in which we receive "Detected ARP cache poisoning attacks". Disabling this feature on the IDS allows us to connect to machine with the ESS firewall enabled.

From a highlevel networking point of view, I can see why the firewall is blocking it, as the Intel software maybe generating a pseudo-MAC address for the teamed NIC's. As a result, ESS detects it and prevents network traffic.

The interesting thing is that I can only see it happening with the Intel ANS software only. We have a Dell Poweredge 1950 with onboard broadcom NIC's running the broadcom NIC Teaming software with no issues. We also have several linux servers using the built in NIC bonding software, and there is no issue.

Does anyone have any clue how to fix this without having to outrightly disabling this check in the IDS.

Thanks in advance.

Gene

 

I am having this exact same issue. Did you contact Eset tech support for a resolution?

 

Hello GeneNZ,

Try updating your NIC drivers on the servers. Also, make sure you are running the latest build of the ESET software.

 

To fix this problem I had to:

I had the newest 4.0.437.0 Eset Smart Security Installed.

Reinstall drivers from scratch.

1) Break the NIC team
2) uninstall the Intel NIC drivers on the server.
3) Reboot.
4) Install the newest 14.3 PROSet drivers from Intel's website.
5) Recreate the NIC team.
6) Readdress the NIC team.
7) Reboot.

An install over the top of the old drivers did not fix the issue.

Hope this helps someone.