Identical IP addresses detected in network

Discussion in 'ESET Smart Security' started by pcoombes, Jul 10, 2009.

Thread Status:
Not open for further replies.
pcoombes (Registered Member; joined Sep 30, 2008; 3 posts)
    Hi all,

Having been a long-time user of ESS, I recently let it lapse for several months as I found the irritations were starting to outweigh the benefits. However, yesterday I thought I would bite the bullet and give v4 a go, and so renewed a 5-licence business edition for two years.

Initial impressions were pretty good, but I am having a problem with firewall events such as the following:

Firewall Id: Firewall 132557
Client Name: Office
Computer Name: Office
MAC Address: 0013721c31d4
Primary Server: Office
Date Received: 2009-07-10 08:20:13
Date Occurred: 2009-07-10 08:16:22
Level: Critical Warning
Event: Identical IP addresses detected in network
Source: 192.168.2.55
Target: 192.168.2.60
Protocol: ARP
Rule: (empty)
Application: (empty)
User: (empty)

It doesn't tell me anything actually helpful, like which of the IP addresses listed it considers to have duplicates; however, as .60 is the XP machine that ESS is running on and .55 is a Linux machine, I am assuming the latter. However, I can find no evidence with arp or arping of there being a duplicate, and even if there is, things have been running perfectly happily for years now with that IP. The Linux server is running quite a complicated networking schema with dual ethernet cards and bridged and NAT'd networking, but that is all quite standard nowadays, so there should be no issue with that.

ESS in its wisdom now seems to have decided to block any access to .55, which means that I can no longer access my server from my XP box. If I disable ESS I can connect; when I re-enable it I cannot. I have looked in the rules to see if it has added a blocking rule for that IP that I could disable individually, but can't see one.

So I am looking for a way of:
1) Telling ESS that it's very nice of it to tell me of the warning, but really I am happy to keep accessing that IP
2) Finding out what ESS uses to detect (apparently falsely) duplicate IPs.

I have just checked on the latest status and am also getting the same error from other Windows boxes (XP and Vista) in my network about .55, but also about .56, which is the IP of the other ethernet card in the same server, which is not bridged. ESS seems to be getting very confused about something and blocking my access to that machine even though it is in my trusted network. Furthermore, my firewall logs also contain several of the following entries:

Firewall Id: Firewall 132544
Client Name: Office
Computer Name: Office
MAC Address: 0013721c31d4
Primary Server: Office
Date Received: 2009-07-09 18:36:48
Date Occurred: 2009-07-09 18:31:47
Level: Critical Warning
Event: Detected ARP cache poisoning attack
Source: (empty)
Target: (empty)
Protocol: 0
Rule: (empty)
Application: (empty)
User: (empty)

    and

Firewall Id: Firewall 132497
Client Name: Office
Computer Name: Office
MAC Address: 0013721c31d4
Primary Server: Office
Date Received: 2009-07-08 19:57:09
Date Occurred: 2009-07-08 19:53:11
Level: Critical Warning
Event: Detected DNS cache poisoning attack
Source: 192.168.2.1:53
Target: 192.168.2.60:61394
Protocol: UDP
Rule: (empty)
Application: (empty)
User: (empty)

Again, without knowing what it is that it uses to detect such things, it's very difficult to follow through. In the case of the DNS cache attack above, .1 is my Smoothwall DHCP and DNS server anyway, so does it think it's attacking itself, or that something is attacking it? It's all very confusing with such limited information. It would be much more helpful if these alerts could have a link to a page explaining how the detection has taken place and how you then go about tracking down and resolving the issue.

So, anyway, less than 24 hours into my new install of ESS v4 and it is gradually cutting me off from bits of my network, and so has been disabled, which I'm sure was not the intended purpose. Any light that could be shed on the above, and how to get round it, would be most appreciated.

    Regards

    Phil
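The poster asks what a firewall uses to decide that two hosts share an IP. The usual basis is an ARP-watch: the monitor records which hardware address answers for each IP and raises "identical IP addresses" (or "ARP cache poisoning") when a second hardware address claims the same IP. The following is an added illustration, not ESET code and not a description of ESS's actual implementation; the ARP replies are constructed, and the idea that a bridged dual-NIC server might answer from two hardware addresses is an assumption used to show how a legitimate host can trip such a check and how an allow-list of known multi-homed hosts suppresses it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: str          # time the reply was observed
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address in the ARP sender field


# Constructed sample, not captured from the poster's network: .55 answers from
# two hardware addresses, as a dual-NIC host with a bridged interface might (assumed).
SAMPLE_REPLIES = [
    ArpReply("08:16:20", "192.168.2.1", "00:11:22:33:44:01"),
    ArpReply("08:16:21", "192.168.2.55", "00:11:22:33:44:55"),
    ArpReply("08:16:22", "192.168.2.55", "00:11:22:33:44:56"),
    ArpReply("08:16:23", "192.168.2.55", "00:11:22:33:44:55"),
    ArpReply("08:16:24", "192.168.2.60", "00:13:72:1c:31:d4"),
]


def detect_duplicate_ips(replies, known_multihomed=None):
    """Flag every ARP reply in which an IP is claimed by a MAC not seen for it before.

    known_multihomed maps an IP to the set of MACs it may legitimately use (for
    example both cards of a bridged server); replies from those MACs are not flagged.
    Returns a list of (ts, ip, previously_seen_macs, new_mac) tuples.
    """
    known_multihomed = known_multihomed or {}
    seen = defaultdict(set)  # ip -> set of MACs that have answered for it
    alerts = []
    for r in replies:
        macs = seen[r.sender_ip]
        allowed = known_multihomed.get(r.sender_ip, set())
        if macs and r.sender_mac not in macs and r.sender_mac not in allowed:
            alerts.append((r.ts, r.sender_ip, sorted(macs), r.sender_mac))
        macs.add(r.sender_mac)
    return alerts


if __name__ == "__main__":
    for alert in detect_duplicate_ips(SAMPLE_REPLIES):
        print("Identical IP addresses detected:", alert)
    allow = {"192.168.2.55": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}
    print("with allow-list:", detect_duplicate_ips(SAMPLE_REPLIES, allow))
```

Running it without the allow-list flags the 08:16:22 reply for .55; with both of the server's hardware addresses listed as legitimate, the same traffic produces no alert.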