PSA - Duplicate IP address detected/ARP poisoning attack - resolved


Senecio

I recently replaced my old Synology mesh system with a new Asus XT9 wifi 6 mesh system (two devices, one router and one access point, connected by wireless backhaul). As you do, with a new router, I have been 'tweaking' the settings, primarily to improve security. So it was a bit disappointing that in the last week or so I have been getting warnings from Eset antivirus that 'a device on your network is sending malicious traffic: duplicate ip address.' This turned out to be the access point, which seemed to have two MAC addresses, each of which was being served the same IP address. Sometimes the warning from Eset was more urgent, saying that 'a device on your network is sending an ARP poisoning attack' - again the access point. Strangely, doing a full network scan showed no problems and using the router app and checking security showed very strong security. Wireless network speed dropped from around 400 Mb/s to around 100 Mb/s download.

Last night I found the solution: I had set the network to use WPA2/WPA3 security - because (like many people, I imagine) I have older devices which can only use WPA2 along with newer ones which can use WPA3. Setting this to WPA2 (personal) only has resolved the problem. Now wifi network speed is back up to 400+ Mb/s and no duplicate IP addresses on the network.

I hope this is helpful for anyone struggling with mysterious duplicate IP addresses on their home network. (Of course there could be other causes.)
 
Windows Build/Version
Version 22H2 OS Build 22621.1848

My Computers

System One System Two

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home built
    CPU
    Ryzen 3900x
    Motherboard
    Gigabyte Aorus Master x570 rel 1.0
    Memory
    32GB (2x16) @ 3600 MHz Corsair Vengeance LPX
    Graphics Card(s)
    Gigabyte Windforce RTX 2080
    Sound Card
    No separate sound card.
    Monitor(s) Displays
    Dell U2718Q
    Screen Resolution
    3840x2160
    Hard Drives
    1TB WD-Black SN850; 1TB Samsung Sata 850 Evo; 4 TB WD Blue Sata SA510 2.5''; 4TB Samsung Sata SSD 870 EVO 2.5".
    PSU
    Be Quiet Dark Power Pro 11 750W
    Case
    Lian Li PC-8FIB
    Cooling
    CPU: Noctua NH-U12A; Case: BeQuiet + Lian Li fans.
    Keyboard
    Steelseries Apex 7 brown keys.
    Mouse
    Logitech (wired) G403
    Internet Speed
    940 Mb/s down; 105 Mb/s up
    Browser
    Edge (Chromium)
    Antivirus
    Eset Internet Security
    Other Info
    Pioneer blu-ray optical drive.
  • Operating System
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 7373 2-in-1
    CPU
    Intel Core i7 8th Generation
    Motherboard
    Dell 0HG1FH (U3E1)
    Memory
    8GB DDR4
    Graphics card(s)
    Intel UHD Graphics 620 (Dell)
    Sound Card
    Realtek Audio (on motherboard)
    Monitor(s) Displays
    Touch screen generic monitor
    Screen Resolution
    1920x1080
    Hard Drives
    256GB Micron SATA SSD.
    Browser
    Edge Chromium
    Antivirus
    Eset Internet Security
    Other Info
    Dell says this system is not Windows 11 capable, but Microsoft seems happy with it.
Statically assigning IP addresses to devices within your DHCP scope without reserving them will have the same effect.
 

My Computer

System One

  • OS
    Windows 11
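
The two situations described in the posts above (one IP address answered by two MAC addresses, and static addresses set inside the DHCP scope without a reservation) can both be checked with a short script. This is an added example, not code from the thread: the sample addresses, the DHCP pool and the function names are constructed, and treating MACs that differ only in the locally administered bit as one device is a heuristic assumption, not proof that a warning is spurious.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the thread): (ip, mac) pairs as collected
# from repeated `arp -a` snapshots or a packet capture over time.
OBSERVATIONS = [
    ("192.168.50.1",  "a0:11:22:00:00:10"),  # router
    ("192.168.50.20", "a0-11-22-00-00-20"),  # mesh node (Windows arp -a style)
    ("192.168.50.20", "a2:11:22:00:00:20"),  # same bytes, locally administered bit set
    ("192.168.50.77", "3c:aa:bb:00:00:01"),  # DHCP client
    ("192.168.50.77", "b8:cc:dd:00:00:02"),  # second device statically set to .77
    ("192.168.50.90", "b8:cc:dd:00:00:03"),
]

def normalize(mac):
    """Lower-case, colon-separated MAC."""
    return mac.lower().replace("-", ":")

def device_key(mac):
    """MAC bytes with the locally administered bit (0x02) cleared (assumed heuristic)."""
    b = bytes(int(part, 16) for part in normalize(mac).split(":"))
    return bytes([b[0] & 0xFD]) + b[1:]

def find_conflicts(observations):
    """Return {ip: (verdict, macs)} for every IP claimed by more than one MAC."""
    seen = defaultdict(set)
    for ip, mac in observations:
        seen[ip].add(normalize(mac))
    report = {}
    for ip, macs in seen.items():
        if len(macs) > 1:
            one_device = len({device_key(m) for m in macs}) == 1
            verdict = "same-device-likely" if one_device else "conflict"
            report[ip] = (verdict, sorted(macs))
    return report

def unreserved_statics(static_ips, pool_start, pool_end, reserved):
    """Static IPs that sit inside the DHCP pool without a reservation."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return [ip for ip in static_ips
            if lo <= ipaddress.ip_address(ip) <= hi and ip not in reserved]

if __name__ == "__main__":
    for ip, (verdict, macs) in find_conflicts(OBSERVATIONS).items():
        print(ip, verdict, macs)
```

A "conflict" verdict means two unrelated MACs answered for the same IP and is the case worth investigating first; "same-device-likely" still deserves a look at the device's interface list.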
Thanks @neemobeer - I didn't need to use your suggestion, because I was able to resolve the issue (although not as described in the original post above).

Unfortunately after three or four days, the ARP poisoning issue (probably spurious) returned, so I did a lot more research to try to find a solution. Here's the timeline:

My Mesh system was set up Sunday May 7th. I immediately updated the firmware on both routers to the latest available at that time (3.0.0.4.388.23012). Rebooted.

15 May 2023 (although not installed until several days later because of 17th May issue below) ASUS ZenWiFi AX (XT9) Firmware version 3.0.0.4.388.23285 released.

This release included the following:
- The ARP response issue has been resolved, along with the connection issue between the router and the ROG Phone 6 and 7.
- Resolved the issue where the USB path is not displayed on the Media Server page in the AiMesh node.
- Resolved the Download Master login issue. Please click the update link in the USB Application to update it.

17th May: It took 48 hours, but the mystery of the mass Asus router outage is solved

Quote from above: “On the 16th, Asus pushed a corrupted definition file for ASD, a built-in security daemon present in a wide range of their routers,” one person wrote. “As routers automatically updated and fetched the corrupted definition file, they started running out of filesystem space and memory and crashing.”

"The mass outage, the company said, was the result of “an error in the configuration of our server settings file.” After fixing the glitch, most users needed to only reboot their devices."

Following the ARP errors I was getting, I tried switching to WPA 2, which necessitated a reboot. This appeared to fix the problem I was having.

However, a few days later the ARP error returned.

I searched for suggestions on a series of web sites and finally came across this, although relating specifically to the XT8, which is quite similar:

In a reference to the XT8 five months ago: "Yeah these things cost way too much for this nonsense. It seems to have started after I turned on the stuff that goes through trend micro, like traffic analyzer, QoS etc. I turned those off and I'll see how they behave."

For me, QoS was already off, so I tried turning off traffic analyzer, and briefly still had the duplicate IP warning, but the next day it was gone. It has now been two weeks without the problem returning.

TLDR: My take on the above is that the latest firmware specifically corrected the problem, but I couldn't download it for a few days because of the Asus server issue. When I did download it, I needed to reboot (both mesh devices), optimise the system, and reboot both devices again. That, rather than the WPA2 or the traffic analyzer (which I don't use anyway) change probably didn't matter.

John
 
