Meraki

Community

Alert unexpected packets.

Evert
New here
‎Aug 8 2023 4:07 AM
‎Aug 8 2023 4:07 AM

Alert unexpected packets.

We have some devices for building management, which are connected to the internet via our MX-84. In the logging I see a lot of alerts"Client: 10.10.1.156, MAC: AC:CC:8E:8E:7B:12, VLAN: 2, details: sent 129700 unexpected packets (Last seen packet IP=169.254.164.225)". 

 

What does this mean?

Labels:
0 Kudos
5 Replies 5
RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 8 2023 6:54 AM
‎Aug 8 2023 6:54 AM

Hi,

 

this is the IP spoofing kicking in : https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/IP_Source_Address_Spoofing_Protecti...

0 Kudos
In response to RaphaelL
Evert
New here
‎Aug 8 2023 7:46 AM
‎Aug 8 2023 7:46 AM

Hi,

 

Thanks for answering, you mean both IP addresses, 10.10.1.156 and the (Last seen packet IP=169.254.164.225) are both in use on the device?

0 Kudos
In response to Evert
RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 8 2023 7:54 AM
‎Aug 8 2023 7:54 AM

Probably that the device with MAC XXXXXXXX is sourcing packets with the IP 169.254.164.225 which is not a valid IP for vlan '2'

0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎Aug 8 2023 4:28 PM
‎Aug 8 2023 4:28 PM

It looks like the MX 84 has registered (either assigned from its own DHCP pool or other) that the MAC address should match IP address 10.10.1.156.

However, the client does not have that IP address and is sending DHCP requests (hence the 169.254.164.225 IP address).

0 Kudos
Isigma
New here
‎May 8 2024 8:22 PM
‎May 8 2024 8:22 PM

The MAC in question belongs to AXIS Communication device (a security camera or a door access unit). AXIS by default has "link-local" or "fallback" IP address setting turned on. This means, unless that feature turned off, the device periodically advertises its self-assigned backup IP address, and ready to use as a main address it in case DHCP server is not present on the network. That address is in APIPA range 169.254.x.x. 
Since the DHCP or statically assigned main IP address and this fallback address are coming from the same device, Meraki catches that subnet mismatch in the logs. It is harmless, but you can turn off fallback setting on the camera, and it will stop appearing in the logs.

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.