Network Policy Server VPN authentication weird ip address

Announcer
Getting noticed


All my clients who VPN in are also authenticated through our Network Policy Server. When I look in the Event Viewer, all the requests have a NAS IPv4 address of 6.233.169.224. Is this something from Meraki? When I look it up it is an address in Colorado. Should I be concerned about this?

Nash
Kind of a big deal

I took a quick look at the NPS logs for a client of mine. Their requests also originate from a 6.0.0.0/8 IP address. I'd be willing to bet that this is due to communication with the Meraki cloud but I have no proof.

jdsilva
Kind of a big deal

For some reason I've yet to determine, Meraki devices (not sure which, but many for sure) seem to use a 6. address internally for "something".

What I can't figure out is why they're using IPs in a range owned by the US Army Intelligence and Security Command.

Yes, that's right, Meraki devices appear to be hardcoded with an IP owned by a US intelligence service.

kYutobi
Kind of a big deal

@jdsilva 

😲

Enthusiast
jdsilva
Kind of a big deal

I have an MV72 that displays this behavior too. I have both the wired and wireless interfaces active on it, and it generates IP conflicts from time to time. I never posted about it here, or opened a case, but I did throw it out to the Twitterverse for comments.

https://twitter.com/jdsilva/status/1118719991036010496

Announcer
Getting noticed

Seems like I've opened up a can of worms!  I guess I'm not being hacked and it's ok for now.

Tony-Sydney-AU
Meraki Employee

Hello everyone,

Hope you're doing great!

This is an old discussion, but since I've seen a number of cases on Meraki Support I decided to give this topic a bump up.

TL;DR: if you see traffic like RADIUS, Netflow, SYSLOG, access requests, etc. coming from your MX with IP 6.x.y.z, it's OK if your MX is in Pass Through mode or it just has one single VLAN.

According to this official document [1], MX devices which operate in Pass-through mode or just have one single VLAN pick an address from range 6.x.y.z only for certain types of traffic. "When in Passthrough or Routed/NAT mode in Single LAN the MX will source traffic from a 6.X.X.X address for services such as Syslog, Netflow, RADIUS access requests and potentially others." [1]

Reference:

[1] https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian...

Meraki also uses a public IP in the NAS field when APs and switches probe the RADIUS server to see if it is alive. Meraki also uses public IPs for BGP router IDs when enabling BGP and for the APs when they are in mesh.

 

It's really strange to see these public IPs show up at seemingly random places.
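Added example, not part of the original thread and not Meraki or Microsoft code: a triage check for the NPS events discussed above. It keys on Client IP Address (the source NPS received the request from) and treats NAS IPv4 Address as what the device reports about itself (the RADIUS NAS-IP-Address attribute), so a 6.x value is only accepted from a known RADIUS client. Assumptions: the event layout in the constructed sample, the `MX-HQ` name, the 192.0.2.10 client address and the `known_clients` set are made up for illustration.

```python
import ipaddress
import re

# 6.X.X.X range named in the Meraki documentation quoted in this thread.
MERAKI_6_RANGE = ipaddress.ip_network("6.0.0.0/8")

# Constructed sample, laid out like an NPS "granted access" event message.
SAMPLE_EVENT = """Network Policy Server granted access to a user.
NAS:
    NAS IPv4 Address:       6.233.169.224
    NAS Port-Type:          Virtual
RADIUS Client:
    Client Friendly Name:   MX-HQ
    Client IP Address:      192.0.2.10
"""

FIELD = re.compile(
    r"^[ \t]*(NAS IPv4 Address|Client IP Address):[ \t]*(\S+)[ \t]*$", re.M)

def parse_ip(value):
    """Return an ip_address, or None for '-' / missing / malformed values."""
    try:
        return ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None

def triage(event_text, known_clients):
    """Classify one event. known_clients: set of RADIUS client IPs (assumed
    to mirror the RADIUS clients configured in NPS)."""
    fields = dict(FIELD.findall(event_text))
    client = parse_ip(fields.get("Client IP Address"))
    nas = parse_ip(fields.get("NAS IPv4 Address"))
    # Client IP Address is the packet source NPS saw; check it first.
    if client is None or client not in known_clients:
        return "investigate: request from unknown RADIUS client"
    # NAS IPv4 Address is self-reported by the device (NAS-IP-Address).
    if nas is None or nas == client:
        return "ok: known client"
    if nas in MERAKI_6_RANGE:
        return "expected: known client reporting a 6.x NAS address"
    return "review: NAS address differs from client and is not 6.x"

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, {ipaddress.ip_address("192.0.2.10")}))
```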
