MAC spoofing messages Symantec from router

Created: 20 Jan 2014 | 4 comments

L.S.,

I have a Zyxel NBG6716 router. When I connect my Windows 7 64-bit laptop to it I have no problem.
However, when I connect to my work through VPN (Cisco AnyConnect Secure Mobility Client) I get lots of MAC spoofing messages from Symantec Endpoint Protection (version 12.1.2015.2015). In the security log file of Symantec I can see that the spoofing is done mostly from the IP address and MAC address of my router.
Sometimes a MAC address 00-11-22-33-44-55 appears in the Symantec log.
The exact message in Symantec: "Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer." The packet data is the same per MAC address.
When I disconnect my VPN, the messages do not appear anymore.
When I use the same VPN connection at my work, I do not get any messages in Symantec.

Can someone please help me solve this problem? It is a very annoying problem, because every time my connection is disrupted and I get thrown out of my server session.

Greetings,
Toine
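
The alert quoted in the post refers to an ARP reply that arrives without a matching ARP request from the host. The following is an added example, not part of the original post and not Symantec's implementation: one way to flag such replies by tracking outstanding requests. The 2-second window, the router MAC AA-BB-CC-00-00-01 and the 192.168.1.x addresses are constructed assumptions; 00-11-22-33-44-55 is the address mentioned in the post.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet/IPv4 ARP payload; used only to construct sample data."""
    m = lambda s: bytes.fromhex(s.replace("-", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(FMT, 1, 0x0800, 6, 4, op, m(sha), i(spa), m(tha), i(tpa))

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_ip) from a raw ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = "-".join(f"{b:02X}" for b in sha)
    return op, mac, ".".join(map(str, spa)), ".".join(map(str, tpa))

def find_unsolicited(events, window=2.0):
    """events: (timestamp, 'in'|'out', payload). Flag incoming replies that
    answer no request we sent within `window` seconds (assumed threshold)."""
    pending, alerts = {}, []          # pending: IP we asked about -> request time
    for ts, direction, payload in events:
        op, sender_mac, sender_ip, target_ip = parse_arp(payload)
        if direction == "out" and op == ARP_REQUEST:
            pending[target_ip] = ts
        elif direction == "in" and op == ARP_REPLY:
            asked = pending.pop(sender_ip, None)   # each request covers one reply
            if asked is None or ts - asked > window:
                alerts.append((ts, sender_ip, sender_mac))
    return alerts

# Constructed sample traffic (not taken from the poster's log).
HOST, ROUTER, ZERO = "AA-BB-CC-00-00-50", "AA-BB-CC-00-00-01", "00-00-00-00-00-00"
SAMPLE = [
    (0.00, "out", build_arp(ARP_REQUEST, HOST, "192.168.1.50", ZERO, "192.168.1.1")),
    (0.01, "in",  build_arp(ARP_REPLY, ROUTER, "192.168.1.1", HOST, "192.168.1.50")),
    (5.00, "in",  build_arp(ARP_REPLY, ROUTER, "192.168.1.1", HOST, "192.168.1.50")),
    (6.00, "in",  build_arp(ARP_REPLY, "00-11-22-33-44-55", "192.168.1.1", HOST, "192.168.1.50")),
]

if __name__ == "__main__":
    for ts, ip, mac in find_unsolicited(SAMPLE):
        print(f"{ts:5.2f}s unsolicited ARP reply: {ip} is-at {mac}")
```

The reply at 0.01 s answers the host's own request and passes; the two later replies have no outstanding request and are flagged, including the legitimate router's repeat announcement, which is why this kind of check can alert on benign traffic.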

.Brian:

There is no option to add exclusions for this. You do have the option to turn off this feature in the firewall policy (anti-MAC spoofing).

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

tremendous:

_Brian,

I have seen this option, but I cannot change it. I guess only the system admin can. I can only turn off the firewall completely, but that's not good for security, I think.

.Brian:

I wouldn't recommend turning off the firewall. However, there may be some config on the router whereby it is trying to change your MAC, hence the alerts. It is something your admin may be able to check out. It could possibly be a bug as well but support would need to check this out. I know there was a similar bug like this back in an older 11.x version of SEP.

.Brian:

Did you ever get this sorted out?