Meraki

Community

Security Center - 2 different IP addresses in source for same event

Solved
EmilyQuinn
New here
‎Mar 5 2025 5:26 AM
‎Mar 5 2025 5:26 AM

Security Center - 2 different IP addresses in source for same event

We are investigating a large number of blocked events.  When I mouse over the source in Security Center > MX Events, it shows me the IP address, MAC address and OS info, with a link for View Client Details and a filter for Show this client only.  The IP address shown is 10.20.28.21 port 47839, with mac address ending in 1c:7b.   When I click on  View client details, the client IP address is different - 10.20.18.47.  Both these IPs are statically set, with the .21 address being a multifunction printer and the .47 addressing being a vulnerability management scanner appliance from our MSP.  The mac address shown as associated with .21 is the correct mac for the device using the .47 address.  Any idea why this might be showing up this way?

0 Kudos
1 Accepted Solution
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 5 2025 7:36 AM
‎Mar 5 2025 7:36 AM

That issue has always been present. I can find about a million of these logs per week : 

 

RaphaelL_0-1741188830838.png

Our scanner is 2.2.2.2 and the remote target is a Meraki MS switch 1.1.1.1.  The source and destination are inverted so SecurityCenter reports the wrong IP to the wrong client description. It shows that 2.2.2.2 is the MS switch , which is false. 

 

I opened a couple tickets about Security Center issues in the past and I don't think I have seen any updates / improvements about this page in years. Nothing was ever fixed so I stopped bothering about it.

 

Your issue might be slightly different, but I just wanted to say that issues with reporting are frequent with SecurityCenter in my experience.

View solution in original post

2 Replies 2
michalc
Meraki Employee
Meraki Employee
‎Mar 5 2025 6:44 AM
‎Mar 5 2025 6:44 AM

Hi There!

Vulnerability scanners often simulate traffic, including spoofing source IPs, to test network responses. It’s conceivable that your scanner at 10.20.18.47 is generating traffic with a spoofed source IP of 10.20.28.21 (the printer’s address) as part of its testing. The MX would log the spoofed IP in the event, but "View Client Details" would still point to the scanner’s real IP based on its MAC. You might want to review the scanner’s configuration or logs to see if it’s intentionally sending traffic from 10.20.28.21. Perhaps disconnect the scanner for a while and see if the logs are still there.
If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 5 2025 7:36 AM
‎Mar 5 2025 7:36 AM

That issue has always been present. I can find about a million of these logs per week : 

 

RaphaelL_0-1741188830838.png

Our scanner is 2.2.2.2 and the remote target is a Meraki MS switch 1.1.1.1.  The source and destination are inverted so SecurityCenter reports the wrong IP to the wrong client description. It shows that 2.2.2.2 is the MS switch , which is false. 

 

I opened a couple tickets about Security Center issues in the past and I don't think I have seen any updates / improvements about this page in years. Nothing was ever fixed so I stopped bothering about it.

 

Your issue might be slightly different, but I just wanted to say that issues with reporting are frequent with SecurityCenter in my experience.

li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.