IP Sharing Detected

SOLVED
Shadius
Building a reputation

IP Sharing Detected

Hi all,

 

I've recently started receiving alerts of IP sharing after a power outage.  It goes on to say "NAT has been detected on 1 client in the...," etc.  I'm not sure what it means exactly.  Prior to the abrupt power outage, I've never received these alerts before. Can someone educate me, please?

 

Thanks in advance.

1 ACCEPTED SOLUTION
EJN
Building a reputation

Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).

 

Cycle the port or client and that should fix for now. If it happens again or frequently, then more troubleshooting is needed.

Esteban J Nunez
School and Church
K-12 Education

View solution in original post

17 REPLIES 17
EJN
Building a reputation

Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).

 

Cycle the port or client and that should fix for now. If it happens again or frequently, then more troubleshooting is needed.

Esteban J Nunez
School and Church
K-12 Education

View solution in original post

Shadius
Building a reputation

@EJN 

 

Thank you! I will try that.

Dunky
Getting noticed

There has got to be another cause to be generating literally hundreds of alerts across all sites.  Any ideas anyone?

mcgruff
Conversationalist

@Dunky

 

What hardware are you guys on? We're using MS250-24Ps and the firmware version is MS 14.32

 

Dunky
Getting noticed

@mcgruff 

 

MS210-24P

14.32

 

Same latest FW versions for our network Meraki switches. We are set to auto update switch FW. 

We are seeing this on two network subnets, started all of the sudden this week. I checked the two dhcp servers on each site’s subnet AD controllers. I don’t think I have multi site DHCP issues, I think its the Meraki’s latest switch FW update… we had to turn off this alert. Waiting on Meraki to acknowledge the firmware update bug

Dunky
Getting noticed

I have had alerts now from a subnet that has all static IPs on it so its deffo not related to duplicate addresses issued by DHCP

Dunky
Getting noticed

@ospsms have you opened a case with Meraki?

Would be good to get some confirmation of a firmware related issue as the number of alerts is just crazy.

Dunky
Getting noticed

I noticed a new alarm type in Network-wide>Alerts that appears to relate to this:

Dunky_0-1635515348625.png

Its appeared on my MX85 running 16.8.

If enabled, options are ASAP, daily or weekly.

Or you could disable - I cannot recall whether or not it was enable by default.

 

 

 

WirelesslyWired
Meraki Employee

This is a function that was added to MS14 on a few specific switches. It watches traffic for anomalous behavior that would indicate a device is NATing clients. The intention was to try and help people identify rogue access points that are NATing and catching clients that are using VMs that may be performing NAT to the host address. We are working on producing documentation but as of today, I would recommend daily alerts, as if you have misbehaving or oddly behaving clients, it can produce false positives due to the nature of fingerprinting.  

CCIEw# 45253 / CWNE# 249 / Senior Technical Marketing Engineer - Meraki MS Product

Ahh yes, its in the switch section of the alerts, I had forgotten that this particular network was running later switch firmware to my others.

 

easy to do, the ui could use a little modernizing! 

CCIEw# 45253 / CWNE# 249 / Senior Technical Marketing Engineer - Meraki MS Product
Shadius
Building a reputation

Yes, I did notice this function when I upgraded the firmware for the switches.

 

Thank you for the explanation and suggestion @WirelesslyWired 

 

It seems that cycling the port has stopped the alerts also. Thank you @EJN 

Is there any documentation available on this yet?

I've had over 600 alerts today across a dozen sites so it can't be related to duplicate IP addresses. My DHCP server is an MX at each site. 

Dunky
Getting noticed

I'm not convinced its related to duplicate IPs due to the volume and geographic spread I am seeing,.

Could it be where a client has both a Wifi and ether connection?

 

 

Can you propose troubleshooting steps? We're seeing dozens of nat detection alerts on one site but not on others (Same switch, same firmware, same topology on all sites)

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels