Clients connected incorrect

benny
Getting noticed


Hi,

When I look at the summary report for our data centre head end VPN concentrator it reports a high number of clients connected. Drilling down to the clients tab displays all the public addresses that our internal LAN clients are connecting to.

Is this correct?

I have changed the client tracking from MAC address to IP address as we do have an L3 router (switch stack) between our DC hosts and the MX100. Is this the incorrect setting to have?

Thanks,

Ben

PhilipDAth
Kind of a big deal

Could you post a partial screen shot?

Here are two screenshots to show the "connected clients":

[Screenshots: Meraki Clients Connected.jpeg, Meraki Clients connected 2.jpeg]

PhilipDAth
Kind of a big deal

I've only ever used the head ends in NAT mode, and it only shows the source clients (from the LAN or AutoVPN) as being internal clients, everything is what they are accessing.

So you are definitely using VPN concentrator mode?

I assume these public IP addresses are not internal to your company?

What software version is the concentrator using?

Hi Philip,

Yep, the MX100 pair are configured in "Passthrough or VPN concentrator" mode. Their only purpose is to terminate the 40-odd MX64s I'm deploying in the branches as VPN tunnels.

Correct, the public addresses in the screenshot are real public IPs that I could only assume our internal clients are reaching and connecting to.

The MXs are running MX 13.28.

PhilipDAth
Kind of a big deal

The tricky thing I can see with operating an MX in concentrator mode is - how can you tell what is an internal IP? Normally anything coming in the "WAN" port is external - but with a single interface there is no inside or outside interface.

I don't know for sure, but considering the single NIC issue, I'm going to say this sounds like normal behaviour given your configuration.

I guess technically it should know the RFC1918 addressing and know that they are private addresses.

I might give it a go on the weekend, switching the client tracking to MAC address to see what happens. I believe this switch will clear all client history and data.

My real concern is the device utilisation. I'm worried that if we see the device getting to 100%, Meraki will look at the client count and blame that as 'connected clients' even though our network has under 400 staff / devices across the branches.

Thanks for your help Philip, I'll let you know what outcome the tracking switch has.

PhilipDAth
Kind of a big deal

That is reasonable with regard to RFC1918.  Perhaps you should open a case with support.  Maybe this is a bug.
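The RFC 1918 check discussed in the replies above, as an added example that is not part of the original thread and not Meraki's own logic: it splits a client list tracked by IP into private and public addresses so the internal client count can be stated separately. The CSV layout, the function names and every sample row are constructed assumptions.

```python
import csv
import io
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows; the "description,ip" layout is an assumption,
# not the dashboard's export format. Public IPs are documentation ranges.
SAMPLE = """description,ip
branch-pc-01,10.20.1.15
branch-pc-02,172.16.40.7
printer,192.168.5.20
,203.0.113.50
,198.51.100.9
,172.32.0.1
bad-row,not-an-ip
"""

def is_rfc1918(addr):
    """True only for IPv4 addresses inside the RFC 1918 blocks."""
    return addr.version == 4 and any(addr in net for net in RFC1918)

def split_clients(csv_text):
    """Return (internal, external, skipped) lists of tracked entries."""
    internal, external, skipped = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("ip") or "").strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            skipped.append(raw)      # malformed entry, keep for review
            continue
        (internal if is_rfc1918(addr) else external).append(str(addr))
    return internal, external, skipped

if __name__ == "__main__":
    inside, outside, bad = split_clients(SAMPLE)
    print(f"tracked entries : {len(inside) + len(outside)}")
    print(f"RFC 1918 clients: {len(inside)}")
    print(f"public addresses: {len(outside)} {outside}")
    print(f"unparsed rows   : {len(bad)}")
```

Note that 172.32.0.1 falls just outside 172.16.0.0/12 and is counted as public, which a loose "starts with 172." filter would get wrong.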
