Meraki

Community

IP Sharing Detected

Solved
Shadius
Building a reputation
‎Oct 25 2021 10:33 PM
‎Oct 25 2021 10:33 PM

IP Sharing Detected

Hi all,

 

I've recently started receiving alerts of IP sharing after a power outage.  It goes on to say "NAT has been detected on 1 client in the...," etc.  I'm not sure what it means exactly.  Prior to the abrupt power outage, I've never received these alerts before. Can someone educate me, please?

 

Thanks in advance.

0 Kudos
1 Accepted Solution
EJN
A model citizen
‎Oct 26 2021 7:20 AM
‎Oct 26 2021 7:20 AM

Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).

 

Cycle the port or client and that should fix for now. If it happens again or frequently, then more troubleshooting is needed.

Esteban J Nunez
School and Church
K-12 Education

View solution in original post

20 Replies 20
EJN
A model citizen
‎Oct 26 2021 7:20 AM
‎Oct 26 2021 7:20 AM

Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).

 

Cycle the port or client and that should fix for now. If it happens again or frequently, then more troubleshooting is needed.

Esteban J Nunez
School and Church
K-12 Education
In response to EJN
Shadius
Building a reputation
‎Oct 26 2021 7:18 PM
‎Oct 26 2021 7:18 PM

@EJN 

 

Thank you! I will try that.

0 Kudos
In response to EJN
Dunky
Head in the Cloud
‎Nov 11 2021 12:21 PM
‎Nov 11 2021 12:21 PM

There has got to be another cause to be generating literally hundreds of alerts across all sites.  Any ideas anyone?

In response to Dunky
mcgruff
Conversationalist
‎Nov 11 2021 12:30 PM
‎Nov 11 2021 12:30 PM

@Dunky

 

What hardware are you guys on? We're using MS250-24Ps and the firmware version is MS 14.32

 

In response to mcgruff
Dunky
Head in the Cloud
‎Nov 11 2021 1:16 PM
‎Nov 11 2021 1:16 PM

@mcgruff 

 

MS210-24P

14.32

 

0 Kudos
In response to Dunky
ospsms
Here to help
‎Nov 14 2021 11:00 AM
‎Nov 14 2021 11:00 AM

Same latest FW versions for our network Meraki switches. We are set to auto update switch FW. 

0 Kudos
In response to Dunky
ospsms
Here to help
‎Nov 14 2021 9:36 AM
‎Nov 14 2021 9:36 AM

We are seeing this on two network subnets, started all of the sudden this week. I checked the two dhcp servers on each site’s subnet AD controllers. I don’t think I have multi site DHCP issues, I think its the Meraki’s latest switch FW update… we had to turn off this alert. Waiting on Meraki to acknowledge the firmware update bug

In response to ospsms
Dunky
Head in the Cloud
‎Nov 14 2021 10:54 AM
‎Nov 14 2021 10:54 AM

I have had alerts now from a subnet that has all static IPs on it so its deffo not related to duplicate addresses issued by DHCP

In response to ospsms
Dunky
Head in the Cloud
‎Nov 14 2021 10:57 AM
‎Nov 14 2021 10:57 AM

@ospsms have you opened a case with Meraki?

Would be good to get some confirmation of a firmware related issue as the number of alerts is just crazy.

0 Kudos
Dunky
Head in the Cloud
‎Oct 29 2021 6:51 AM
‎Oct 29 2021 6:51 AM

I noticed a new alarm type in Network-wide>Alerts that appears to relate to this:

Dunky_0-1635515348625.png

Its appeared on my MX85 running 16.8.

If enabled, options are ASAP, daily or weekly.

Or you could disable - I cannot recall whether or not it was enable by default.

 

 

 

0 Kudos
WirelesslyWired
Meraki Employee
Meraki Employee
‎Oct 29 2021 7:58 AM
‎Oct 29 2021 7:58 AM

This is a function that was added to MS14 on a few specific switches. It watches traffic for anomalous behavior that would indicate a device is NATing clients. The intention was to try and help people identify rogue access points that are NATing and catching clients that are using VMs that may be performing NAT to the host address. We are working on producing documentation but as of today, I would recommend daily alerts, as if you have misbehaving or oddly behaving clients, it can produce false positives due to the nature of fingerprinting.  

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
In response to WirelesslyWired
Dunky
Head in the Cloud
‎Oct 29 2021 8:05 AM
‎Oct 29 2021 8:05 AM

Ahh yes, its in the switch section of the alerts, I had forgotten that this particular network was running later switch firmware to my others.

 

0 Kudos
In response to Dunky
WirelesslyWired
Meraki Employee
Meraki Employee
‎Oct 29 2021 8:35 AM
‎Oct 29 2021 8:35 AM

easy to do, the ui could use a little modernizing! 

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
0 Kudos
In response to WirelesslyWired
Shadius
Building a reputation
‎Oct 29 2021 3:42 PM
‎Oct 29 2021 3:42 PM

Yes, I did notice this function when I upgraded the firmware for the switches.

 

Thank you for the explanation and suggestion @WirelesslyWired 

 

It seems that cycling the port has stopped the alerts also. Thank you @EJN 

0 Kudos
In response to WirelesslyWired
Dunky
Head in the Cloud
‎Nov 9 2021 12:56 PM
‎Nov 9 2021 12:56 PM

Is there any documentation available on this yet?

I've had over 600 alerts today across a dozen sites so it can't be related to duplicate IP addresses. My DHCP server is an MX at each site. 

In response to Dunky
Dunky
Head in the Cloud
‎Nov 11 2021 12:23 AM
‎Nov 11 2021 12:23 AM

I'm not convinced its related to duplicate IPs due to the volume and geographic spread I am seeing,.

Could it be where a client has both a Wifi and ether connection?

 

 

In response to WirelesslyWired
mcgruff
Conversationalist
‎Nov 11 2021 11:45 AM
‎Nov 11 2021 11:45 AM

Can you propose troubleshooting steps? We're seeing dozens of nat detection alerts on one site but not on others (Same switch, same firmware, same topology on all sites)

In response to WirelesslyWired
Lonestarr
Here to help
‎May 26 2022 7:01 AM
‎May 26 2022 7:01 AM

Has Meraki produced documentation for this yet?  We just turned on a number of alerts for our network and are tweaking them to see what works for us.  I read this thread earlier and we decided to get weekly alerts.  For this week we have 3 alerts at 3 different offices.  One is here at our HQ and I was able to find who it is and verify there was no issue.  But the other two are clear across the country, and one of them is on wifi so I can't cycle the port as suggested above.  How do we troubleshoot these alerts to determine whether it's a false positive or a legit concern, without physically going to the device and looking for vmware (which shouldn't be on it based on group policies anyway)?

0 Kudos
CraigCummings
Getting noticed
‎Mar 31 2022 7:04 AM
‎Mar 31 2022 7:04 AM

"Modern operating systems use a number of tracking prevention methods that can resemble the behaviour of many hosts behind a single NAT IP. Therefore NAT detection may also cause alerts for legitimate traffic that may not be related to NAT. 

It is recommended to tune the alert frequency to a suitable value for your network, then investigate to determine whether further action should be taken."

 

So, it might be real, might be false positive...and we're supposed to go investigate them all?  I'm not sure this is very helpful. 

0 Kudos
In response to CraigCummings
Dunky
Head in the Cloud
‎Apr 1 2022 4:43 AM
‎Apr 1 2022 4:43 AM

Agreed, I've turned it off.

About as useful as the warning of clients with bad WiFi connection - tells you AP's and how many clients (not sure I believe it as its always 5) but not which ones!

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.