IP Sharing Detected

SOLVED
Shadius
Building a reputation

Hi all,

 

I've recently started receiving alerts of IP sharing after a power outage. It goes on to say "NAT has been detected on 1 client in the...," etc. I'm not sure what it means exactly. Prior to the abrupt power outage, I had never received these alerts. Can someone educate me, please?

 

Thanks in advance.

1 ACCEPTED SOLUTION
EJN
A model citizen

Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).

 

Cycle the port or client and that should fix it for now. If it happens again or frequently, then more troubleshooting is needed.

Esteban J Nunez
School and Church
K-12 Education

20 REPLIES
Shadius
Building a reputation

@EJN 

 

Thank you! I will try that.

Dunky
A model citizen

There has got to be another cause to be generating literally hundreds of alerts across all sites.  Any ideas anyone?

mcgruff
Conversationalist

@Dunky

 

What hardware are you guys on? We're using MS250-24Ps and the firmware version is MS 14.32

 

Dunky
A model citizen

@mcgruff 

 

MS210-24P

14.32

 

Same latest FW versions for our network Meraki switches. We are set to auto update switch FW.

We are seeing this on two network subnets; it started all of a sudden this week. I checked the two DHCP servers on each site’s subnet AD controllers. I don’t think I have multi-site DHCP issues; I think it's Meraki’s latest switch FW update… we had to turn off this alert. Waiting on Meraki to acknowledge the firmware update bug.

Dunky
A model citizen

I have had alerts now from a subnet that has all static IPs on it, so it's deffo not related to duplicate addresses issued by DHCP.

Dunky
A model citizen

@ospsms have you opened a case with Meraki?

Would be good to get some confirmation of a firmware related issue as the number of alerts is just crazy.

Dunky
A model citizen

I noticed a new alarm type in Network-wide > Alerts that appears to relate to this:

[screenshot]

It's appeared on my MX85 running 16.8.

If enabled, options are ASAP, daily or weekly.

Or you could disable it - I cannot recall whether or not it was enabled by default.

WirelesslyWired
Meraki Employee

This is a function that was added to MS14 on a few specific switches. It watches traffic for anomalous behavior that would indicate a device is NATing clients. The intention was to try and help people identify rogue access points that are NATing and catching clients that are using VMs that may be performing NAT to the host address. We are working on producing documentation but as of today, I would recommend daily alerts, as if you have misbehaving or oddly behaving clients, it can produce false positives due to the nature of fingerprinting.  

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product

Ahh yes, it's in the switch section of the alerts. I had forgotten that this particular network was running later switch firmware than my others.

Easy to do, the UI could use a little modernizing!

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
Shadius
Building a reputation

Yes, I did notice this function when I upgraded the firmware for the switches.

 

Thank you for the explanation and suggestion @WirelesslyWired 

 

It seems that cycling the port has stopped the alerts also. Thank you @EJN 

Is there any documentation available on this yet?

I've had over 600 alerts today across a dozen sites so it can't be related to duplicate IP addresses. My DHCP server is an MX at each site. 

Dunky
A model citizen

I'm not convinced it's related to duplicate IPs due to the volume and geographic spread I am seeing.

Could it be where a client has both a Wifi and ether connection?

 

 

Can you propose troubleshooting steps? We're seeing dozens of NAT detection alerts on one site but not on others (same switch, same firmware, same topology on all sites).

Has Meraki produced documentation for this yet? We just turned on a number of alerts for our network and are tweaking them to see what works for us. I read this thread earlier and we decided to get weekly alerts. For this week we have 3 alerts at 3 different offices. One is here at our HQ and I was able to find who it is and verify there was no issue. But the other two are clear across the country, and one of them is on WiFi so I can't cycle the port as suggested above. How do we troubleshoot these alerts to determine whether it's a false positive or a legit concern, without physically going to the device and looking for VMware (which shouldn't be on it based on group policies anyway)?

CraigCummings
Getting noticed

"Modern operating systems use a number of tracking prevention methods that can resemble the behaviour of many hosts behind a single NAT IP. Therefore NAT detection may also cause alerts for legitimate traffic that may not be related to NAT. 

It is recommended to tune the alert frequency to a suitable value for your network, then investigate to determine whether further action should be taken."

 

So, it might be real, might be false positive...and we're supposed to go investigate them all?  I'm not sure this is very helpful. 

Agreed, I've turned it off.

About as useful as the warning of clients with bad WiFi connection - tells you APs and how many clients (not sure I believe it as it's always 5) but not which ones!
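
Added example, not part of any post in this thread: a quick triage of the two explanations raised above (EJN's duplicate-IP check and Dunky's question about a client on both WiFi and Ethernet), run over a constructed client list. The CSV columns and every sample value are assumptions, not the dashboard's export format, and the script cannot confirm or rule out NAT itself.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a client list export; the column names are assumptions,
# not the dashboard's actual export format.
SAMPLE_CSV = """description,mac,ip,connection
front-desk-pc,00:11:22:33:44:01,10.0.10.21,wired
lab-printer,00:11:22:33:44:02,10.0.10.22,wired
unknown-device,00:11:22:33:44:03,10.0.10.22,wired
teacher-laptop,00:11:22:33:44:04,10.0.10.30,wired
teacher-laptop,00:11:22:33:44:05,10.0.20.31,wireless
library-kiosk,00:11:22:33:44:06,10.0.10.40,wired
"""


def load_clients(text):
    """Parse the CSV text into a list of dicts with trimmed, lower-cased fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v or "").strip().lower() for k, v in row.items()})
    return rows


def shared_ips(clients):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC."""
    by_ip = defaultdict(set)
    for c in clients:
        if c["ip"] and c["mac"]:
            by_ip[c["ip"]].add(c["mac"])
    return {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}


def dual_homed(clients):
    """Return {description: connection types} for names seen on wired and wireless."""
    by_name = defaultdict(set)
    for c in clients:
        if c["description"]:
            by_name[c["description"]].add(c["connection"])
    return {n: sorted(t) for n, t in by_name.items() if {"wired", "wireless"} <= t}


if __name__ == "__main__":
    clients = load_clients(SAMPLE_CSV)
    for ip, macs in shared_ips(clients).items():
        print(f"duplicate IP {ip}: {', '.join(macs)}")
    for name, kinds in dual_homed(clients).items():
        print(f"{name} is connected via {' and '.join(kinds)}")
```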
