Jump to content

Archived

This topic is now archived and is closed to further replies.

Zurd

Duplicate IP addresses on network cause by VPN and RDP

Recommended Posts

Products used: ESET Endpoint Security 7.0.2091.0 with ESET Management Agent 7.0.577.0 and Detection Engine 19287 (20190501)

Operating System: Windows Server 2016 Standard and Windows 7 or 10 computers

ESET RAC: ESET Security Management Center (Server), Version 7.0 (7.0.577.0) and ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)

Problem: Both ESET RAC and each computer running ESET Endpoint Security will display an alert message saying "Duplicate IP addresses on network" but there shouldn't be any message.

Cause of the problem: It can be easily reproduced by logging with a VPN then with RDP.

Details: Let's say you have a Windows Server with a DHCP service and also a VPN service. The DHCP range is 192.168.0.50 to 192.168.0.100. On your own network, log in with a VPN to this Windows Server. This will make the server give you an IP address, for example 192.168.0.60, you can see it by running ipconfig on your own computer, there will be a PPP adapter section. Then, log in with RDP to a computer on the network of the Windows Server, for example 192.168.0.55. At this point, the Windows Server will have in its DHCP table, the IP 192.168.0.55 as a type DHCP for the computer on it's network and also the IP 192.168.0.60 as a type RAS (Remote Access Service) which comes from the VPN and more specifically in Routing and Remote Access Service in Server Manager of the Windows Server. To sum it up, there's is no duplicate IP but ESET thinks that there is and it will report the VPN IP 192.168.0.60 as a duplicate IP.

ESET's knowledge base doesn't have a solution: https://support.eset.com/kb3430/?viewlocale=en_US

One solution would be to whitelist all the IP of the DHCP server but this is a dirty solution as you want to be alerted if something is not a false positive on your network. More information on whitelist here: https://support.eset.com/kb2939/

A better solution, would be to restrict the IP given out of the Windows Server of the VPN to something like 192.168.0.200 to 192.168.0.220 and then whitelist only those IP's but I would prefer not to whitelist anything.

 

 

Share this post


Link to post
Share on other sites

The detection should be correct. You should be able to confirm it using Wireshark and the arp.duplicate-address-detected filter.

You can set up an IDS exclusion for an IP range to be excluded from detection of identical IP addresses.

Share this post


Link to post
Share on other sites
10 hours ago, Marcos said:

You can set up an IDS exclusion for an IP range to be excluded from detection of identical IP addresses.

If we set an IDS exclusion for an IP range, doesn't that defeat the purpose of having ESET's firewall?

Isn't there any other solution like an option to disable the duplicate IP message? Whitelisting IP's just for a false positive is extreme. It's actually more than just a false positive, it's just a duplicate IP, it is in no way an attack on the network.

Share this post


Link to post
Share on other sites

You can only decide whether to be notified about duplicate IP addresses or not. There's no other third option.

It is NOT a false positive. As I wrote, you should be able to see duplicate addresses even in Wireshark so it has absolutely nothing to do with ESET.

Share this post


Link to post
Share on other sites

Yes, if I whitelist the IP range in ESET's IDS (Intrusion Detection System), I won't be notified about duplicate IP addresses. However, I also won't be notified when a real intrusion or attack occurs. We might as well uninstall ESET's firewall? Wouldn't that achieve the same goal?

I don't understand why you say it has nothing to do with ESET. The warning message of duplicate IP comes from the software ESET. It has everything to do with this software. Wouldn't it be a good idea to add, in the future, an option to not warn about duplicate IP?

 

Share this post


Link to post
Share on other sites

ESET only notifies you about machines with duplicate IP addresses in the network. You can enable advanced network protection logging in the advanced setup -> tools -> diagnostics, reproduce the detection, then disable logging, gather logs with ESET Log Collector and provide me with the generated archive. I will then post a screen shot from Wireshark that will show different MAC addresses reported in ARP responses from a particular IP address(es).

If you don't want to create any exclusions, you should ensure that only one MAC address is reported from a particular IP address.

Share this post


Link to post
Share on other sites

Yes, there is a duplicate IP detected. I don't have to do this test, I believe you that there is one. That is not the issue.

Like I said before, what about having an option in ESET to not warn about duplicate IP? But just those warnings without having to whitelist anything.

Share this post


Link to post
Share on other sites

After some research, I just found out there is an option already in ESET in IDS to disable the duplicate IP addresses messages. You do not need to whitelist any IP which would be a bad security decision and which shouldn't be suggested by ESET's administrators.

To disable those warning, go into Settings / Network Protection / Network Attack Protection / IDS Exceptions, click Edit then Add. Choose Duplicate IP addresses and set to No all of them which are Block, Notify and especially Log so you will not see those alerts in ESET RAC.

If you have ESET RAC, you can create a custom policy with this and assign it to all of the computers easily.

Share this post


Link to post
Share on other sites

Exactly, that's what I was suggesting - to set up an IDS exception:

image.png

Share this post


Link to post
Share on other sites

You should have posted this before or just answered my questions better and we wouldn't have wasted so much time.

You should add this information about IDS exceptions of duplicate IP in your knowledge base, that will save time for others: https://support.eset.com/kb3430/?viewlocale=en_US

Share this post


Link to post
Share on other sites
30 minutes ago, Zurd said:

You should have posted this before or just answered my questions better and we wouldn't have wasted so much time.

You should add this information about IDS exceptions of duplicate IP in your knowledge base, that will save time for others: https://support.eset.com/kb3430/?viewlocale=en_US

Not siding with ESET support, however, this is basic networking knowledge, not ESET endpoint problem. 

Share this post


Link to post
Share on other sites

Indeed, an alert message coming from ESET's software is not ESET problem.

The developer's of ESET never put that message there, they have nothing to do about it, this is basic computer knowledge :)

eset-duplicate.png

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...