- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IP Sharing Detected
Hi all,
I've recently started receiving alerts of IP sharing after a power outage. It goes on to say "NAT has been detected on 1 client in the...," etc. I'm not sure what it means exactly. Prior to the abrupt power outage, I've never received these alerts before. Can someone educate me, please?
Thanks in advance.
Solved! Go to solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).
Cycle the port or client and that should fix for now. If it happens again or frequently, then more troubleshooting is needed.
School and Church
K-12 Education
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).
Cycle the port or client and that should fix for now. If it happens again or frequently, then more troubleshooting is needed.
School and Church
K-12 Education
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There has got to be another cause to be generating literally hundreds of alerts across all sites. Any ideas anyone?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same latest FW versions for our network Meraki switches. We are set to auto update switch FW.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are seeing this on two network subnets, started all of the sudden this week. I checked the two dhcp servers on each site’s subnet AD controllers. I don’t think I have multi site DHCP issues, I think its the Meraki’s latest switch FW update… we had to turn off this alert. Waiting on Meraki to acknowledge the firmware update bug
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have had alerts now from a subnet that has all static IPs on it so its deffo not related to duplicate addresses issued by DHCP
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ospsms have you opened a case with Meraki?
Would be good to get some confirmation of a firmware related issue as the number of alerts is just crazy.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed a new alarm type in Network-wide>Alerts that appears to relate to this:
Its appeared on my MX85 running 16.8.
If enabled, options are ASAP, daily or weekly.
Or you could disable - I cannot recall whether or not it was enable by default.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a function that was added to MS14 on a few specific switches. It watches traffic for anomalous behavior that would indicate a device is NATing clients. The intention was to try and help people identify rogue access points that are NATing and catching clients that are using VMs that may be performing NAT to the host address. We are working on producing documentation but as of today, I would recommend daily alerts, as if you have misbehaving or oddly behaving clients, it can produce false positives due to the nature of fingerprinting.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh yes, its in the switch section of the alerts, I had forgotten that this particular network was running later switch firmware to my others.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
easy to do, the ui could use a little modernizing!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I did notice this function when I upgraded the firmware for the switches.
Thank you for the explanation and suggestion @WirelesslyWired
It seems that cycling the port has stopped the alerts also. Thank you @EJN
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any documentation available on this yet?
I've had over 600 alerts today across a dozen sites so it can't be related to duplicate IP addresses. My DHCP server is an MX at each site.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not convinced its related to duplicate IPs due to the volume and geographic spread I am seeing,.
Could it be where a client has both a Wifi and ether connection?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you propose troubleshooting steps? We're seeing dozens of nat detection alerts on one site but not on others (Same switch, same firmware, same topology on all sites)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has Meraki produced documentation for this yet? We just turned on a number of alerts for our network and are tweaking them to see what works for us. I read this thread earlier and we decided to get weekly alerts. For this week we have 3 alerts at 3 different offices. One is here at our HQ and I was able to find who it is and verify there was no issue. But the other two are clear across the country, and one of them is on wifi so I can't cycle the port as suggested above. How do we troubleshoot these alerts to determine whether it's a false positive or a legit concern, without physically going to the device and looking for vmware (which shouldn't be on it based on group policies anyway)?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Modern operating systems use a number of tracking prevention methods that can resemble the behaviour of many hosts behind a single NAT IP. Therefore NAT detection may also cause alerts for legitimate traffic that may not be related to NAT.
It is recommended to tune the alert frequency to a suitable value for your network, then investigate to determine whether further action should be taken."
So, it might be real, might be false positive...and we're supposed to go investigate them all? I'm not sure this is very helpful.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agreed, I've turned it off.
About as useful as the warning of clients with bad WiFi connection - tells you AP's and how many clients (not sure I believe it as its always 5) but not which ones!
