Meraki Community

Here are two screenshots to show the "connected clients" 

I've only ever used the head ends in NAT mode, and it only shows the source clients (from the LAN or AutoVPN) as being internal clients, everything is what they are accessing.

So you are definitely using VPN concentrator mode?

I assume these public IP address are not internal to your company?

What software version is the concentrator using?

Hi Phillip,

Yep the MX100 pair are configured as "Passthrough or VPN concentrator" mode. Their only purpose is to terminate the 40 odd MX64's I'm deploying in the branches as VPN tunnels. 

Correct, the public addresses in the screenshot are real public IPs that I could only assume our internal clients are reaching and connecting to. 

The MX's are running MX 13.28

The tricky thing I can see with operating an MX in concentrator mode is - how can you tell what is an internal IP?  Normally anything coming in the "WAN" port is external - but with a single interface there is no inside or outside interface.

I don't know for sure, but considering the single NIC issue, I'm going to say this sounds like normal behaviour given your configuration.

I guess technically it should know the RFC1918 addressing and know that they are private addresses.

I might give it a go on the weekend switching the client tracking to MAC address to see what happens, I believe this switch will clear all client history and data. 

My real concern is the device utilisation, I'm worried if we see the device getting to 100% that Meraki will look at the client count and blame that as 'connected clients' even though our network has under 400 staff / devices across the branches. 

Thanks for your help Phillip, I'll let you know what outcome the tracking switch does.

That is reasonable with regard to RFC1918.  Perhaps you should open a case with support.  Maybe this is a bug.