MAC spoofing messages in Symantec

tremendous1970
Level 1

L.S.,

I have a Zyxel NBG6716 router. When I connect my Windows 7 64-bit laptop to it I have no problem.
However, when I connect to my work through VPN (Cisco AnyConnect Secure Mobility Client version 3.1.04066) I get lots of MAC spoofing messages from Symantec Endpoint Protection. In the security log file of Symantec Endpoint Protection I can see that the spoofing is done mostly from the IP address and MAC address of the Zyxel router.
Sometimes a MAC address 00-11-22-33-44-55 appears in the Symantec log.
The exact message in Symantec: "Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer.". The packet data is the same for each MAC address.
When I disconnect my VPN, the messages do not appear anymore.
When I use the same VPN connection at my work, I do not get any messages in Symantec.

Can someone please help me solve this problem? It is a very annoying problem, because every time my VPN connection is disrupted and I get thrown out of my server session.

Greetings,
Toine


Chetan Savade
Level 1

Hi,

I am Chetan Savade from the Symantec Technical Support team.

This was a known issue with releases prior to SEP 11 RU5. Which SEP client version is installed?

Meanwhile, refer to this article:

Anti-MAC spoofing enabled on RU5 blocks access to router (x.x.x.1 IP address) with "Error: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer."

http://www.symantec.com/docs/TECH96608

Regards,

Chetan

Chetan,

I don't know where I can find the RU version, but the version in the about screen has number 12.1.2015.2015.

Regards,

Toine

Hi,

It's a SEP 12.1 RU2 version. SEP release details are available here:

http://bit.ly/m0vOJp

If it's a managed client, create an IPS policy exclusion and exclude the router IP address.

Refer to the following threads:

http://www.symantec.com/connect/forums/endpoint-protection-blocks-my-routers-ip-address

http://www.symantec.com/connect/forums/anti-mac-spoofing

Regards,

Chetan
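
What "unsolicited incoming ARP reply" means at the packet level, as an added sketch that is not part of the thread and not Symantec's implementation: a reply is treated as solicited only if this host recently sent an ARP request for the sender's IP. The `ArpMonitor` class, the 2-second window and every address in the sample traffic are constructed assumptions.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP body (used for the constructed samples)."""
    mac = lambda s: bytes.fromhex(s.replace("-", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(body):
    """Parse an Ethernet/IPv4 ARP body into opcode, sender and target fields."""
    if len(body) < 28:
        raise ValueError("short ARP body")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    return {"op": op, "sha": sha.hex("-"), "spa": ".".join(map(str, spa)),
            "tha": tha.hex("-"), "tpa": ".".join(map(str, tpa))}

class ArpMonitor:
    """Hypothetical tracker: a reply is solicited only if we recently asked for that IP."""
    def __init__(self, window=2.0):
        self.window = window      # assumed seconds a request stays outstanding
        self.pending = {}         # requested IP -> time the request left this host

    def outgoing(self, ts, body):
        pkt = parse_arp(body)
        if pkt["op"] == ARP_REQUEST:
            self.pending[pkt["tpa"]] = ts

    def incoming(self, ts, body):
        pkt = parse_arp(body)
        if pkt["op"] != ARP_REPLY:
            return None
        asked = self.pending.pop(pkt["spa"], None)   # a request is answered once
        if asked is not None and 0 <= ts - asked <= self.window:
            return None
        return f"unsolicited ARP reply: {pkt['spa']} is-at {pkt['sha']}"

def demo():
    """Constructed traffic: one answered request, then a reply nobody asked for."""
    host, router = ("02-00-00-00-00-50", "192.168.1.50"), ("02-00-00-00-00-01", "192.168.1.1")
    mon, alerts = ArpMonitor(), []
    mon.outgoing(0.00, build_arp(ARP_REQUEST, *host, "00-00-00-00-00-00", router[1]))
    for ts in (0.01, 30.0):       # second reply arrives with no request outstanding
        alerts.append(mon.incoming(ts, build_arp(ARP_REPLY, *router, *host)))
    return alerts

if __name__ == "__main__":
    print(demo())
```

Any reply without a matching request trips this check regardless of who sent it, which is consistent with the alerts in this thread naming the router's own address.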