Meraki

Community

Network Policy Server VPN authentication weird ip address

Announcer
Getting noticed
‎May 9 2019 10:30 AM
‎May 9 2019 10:30 AM

Network Policy Server VPN authentication weird ip address

All my clients who vpn in are authenticated also through our Network Policy Server.  When I look in the event viewer, all the requests have an NAS ipv4 of 6.233.169.224 address.  Is this something from Meraki?  When I look it up it is an address in Colorado.  Should I be concerned about this?6.233.pngvpn2.png

7 Replies 7
Nash
Kind of a big deal
‎May 9 2019 10:51 AM
‎May 9 2019 10:51 AM

I took a quick look at the NPS logs for a client of mine. Their requests also originate from a 6.0.0.0/8 IP address. I'd be willing to bet that this is due to communication with the Meraki cloud but I have no proof.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
jdsilva
Kind of a big deal
‎May 9 2019 12:05 PM
‎May 9 2019 12:05 PM

For some reason I've yet to determine, Meraki devices (not sure which, but many for sure) seem to use a 6. address internally for "something". 

 

What I can't figure out is why they're using IP's in a range owned by the US Army Intelligence and Security Command. 

 

Yes, that's right, Meraki devices appear to be hardcoded with an IP owned by a US intelligence service. 

 

image.png

 

 

image.png

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
kYutobi
Kind of a big deal
‎May 9 2019 1:16 PM
‎May 9 2019 1:16 PM

@jdsilva 

😲

Enthusiast
In response to kYutobi
jdsilva
Kind of a big deal
‎May 9 2019 1:54 PM
‎May 9 2019 1:54 PM

I have an MV72 that displays this behavior too. I have both the wired and wireless interfaces active on it, and it generates IP conflicts from time to time. I never posted about it here, or opened a case, but I did throw it out to the Twitterverse to for comments.

 

https://twitter.com/jdsilva/status/1118719991036010496

 

 

http://blog.brokennetwork.ca | @jdsilva
Announcer
Getting noticed
‎May 9 2019 2:05 PM
‎May 9 2019 2:05 PM

Seems like I've opened up a can of worms!  I guess I'm not being hacked and it's ok for now.

Tony-Sydney-AU
Meraki Employee
Meraki Employee
‎Aug 15 2023 12:49 AM
‎Aug 15 2023 12:49 AM

Hello everyone,

 

Hope you're doing great!

 

This is a old discussion but since I've seen a number of cases on Meraki Support I decided to give this topic a bump up.

 

TL/DR: if you seen traffic like RADIUS, Netflow, SYSLOG, access requests, etc coming from your MX with IP 6.x.y.z it's ok if your MX is in Pass Through mode or it just have one single VLAN.

 

According to this official document [1], MX devices which operate in Pass-through mode or just have on single VLAN pick an address from range 6.x.y.z only for certain types of traffic. "When in Passthrough or Routed/NAT mode in Single LAN the MX will source traffic from a 6.X.X.X address for services such as Syslog, Netflow, RADIUS access requests and potentially others." [1]

 

Reference:

[1] https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian...

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
In response to Tony-Sydney-AU
Bucket
Getting noticed
‎Aug 15 2023 2:12 AM
‎Aug 15 2023 2:12 AM

Meraki also uses a public IP in the NAS field when AP's and Switches probes the radius server to see if it is alive. Meraki also uses public IPs for BGP router ID's when enabling BGP and for the APs when they are in mesh.

 

It's really strange to see these public IPs show up at seemingly random places.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.