Forum Discussion

teppotahkapaa
2 days ago

How to manage duplicate IP addresses

This is a more general question for SL and users.

When monitoring, for example, a clustered firewall, so two separate similar FWs, discovery does its thing and discovers devices and all their IP addresses. And the worst case is then that there are tens and tens of the same IP addresses between those devices. OK, for monitoring per se it is not that bad an issue, but SL1 itself is then sending events as long as the same IP addresses are in use on those devices.

Can that feature, scan all IPs, be disabled by default?

Does the "Port Scan All IPs" option in the discovery session disable that? Reading that name, it is just about whether it scans open ports for all IPs found.

What is the SL-recommended way to delete those duplicate IPs? Most of the time in our env it is done using pure MySQL commands.

5 Replies

  • Hello Teppo,

    You can configure the default behavior in the System > Settings > Behavior page. For the Port Scan All IPs parameter, setting it to Disabled will set it to disabled by default in future discovery scans. However, this applies to port scans and does not actually discover the IP addresses. The setting you are looking for is Bypass Interface Inventory, which can only be disabled on a per device basis or by checking the checkbox in the Discovery Session before the devices are discovered. We do not have a global setting for this specific parameter. 

    To delete the IP address from a device, in the Properties tab for the device when looking at the classic Device Properties, select the IP you want to delete under IP address and then click on the trash icon. Keep in mind that you cannot delete IPs associated with an interface.

    As long as the duplicate IP is not the primary IP on multiple devices, there shouldn't be any issues and normally you should be able to ignore this entirely. What event are you getting that is referencing these duplicate IPs?

    Antonio Andres

    Principal Technical Support Engineer | ScienceLogic

  • Hello Teppo,

    Thanks for the update. I spoke to the Product Manager for that PowerPack and they explained the intent behind the event policy is that the daily maintenance checks the IPs in the message collector's databases to check for duplicate devices. SL1 uses the secondary IP addresses for devices to match SNMP trap and Syslog messages if the primary IP is not in the trap or syslog packet. If there are duplicate IPs, it can cause issues with matching the message to the correct device. 

    As the IPs are associated with interfaces, you cannot delete them from SL1. To address this, please select one of the following options:

    1. Move one of these firewalls to a different CUG with a different message collector; or limit the MC collector's CUG membership so that the firewalls are not aligned to the same message collector.
    2. Remove the IP from one of the devices using SQL and uncheck the Scan All IPs option for that device so that it does not return.
    3. Suppress this event on the device, assuming the SNMP trap and syslog issue I described above is not a concern for these particular devices.

     

    Antonio Andres

    Principal Technical Support Engineer | ScienceLogic
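The matching behaviour described in the reply above, modelled as an added Python example (not ScienceLogic code and not part of the original thread). Device names, addresses, collector names and the exact lookup order are constructed assumptions; the sketch shows why a shared secondary IP makes a trap or syslog source ambiguous, and how option 1 (separate message collectors) removes the ambiguity.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: two clustered firewalls sharing secondary IPs.
DEVICES = [
    {"name": "fw-a", "primary": "10.0.0.1", "collector": "mc-1",
     "secondary": ["192.168.1.1", "172.16.0.1"]},
    {"name": "fw-b", "primary": "10.0.0.2", "collector": "mc-1",
     "secondary": ["192.168.1.1", "172.16.0.1"]},
    {"name": "sw-1", "primary": "10.0.0.3", "collector": "mc-1",
     "secondary": ["192.168.50.1"]},
]

def build_index(devices, collector):
    """Index the primary and secondary IPs of devices aligned to one collector."""
    primary, secondary = {}, defaultdict(list)
    for dev in devices:
        if dev["collector"] != collector:
            continue
        primary[ipaddress.ip_address(dev["primary"])] = dev["name"]
        for ip in dev["secondary"]:
            secondary[ipaddress.ip_address(ip)].append(dev["name"])
    return primary, secondary

def match_source(src, primary, secondary):
    """Map a message source IP to (device, status): primary first, then secondary."""
    ip = ipaddress.ip_address(src)
    if ip in primary:
        return primary[ip], "primary"
    owners = secondary.get(ip, [])
    if len(owners) == 1:
        return owners[0], "secondary"
    # More than one owner: the message cannot be attributed to one device.
    return None, "ambiguous" if owners else "unknown"

def duplicate_secondaries(secondary):
    """Secondary IPs claimed by more than one device on this collector."""
    return {str(ip): sorted(n) for ip, n in secondary.items() if len(n) > 1}

def reassign(devices, name, collector):
    """Return a copy of the inventory with one device moved to another collector."""
    return [dict(d, collector=collector) if d["name"] == name else d
            for d in devices]

if __name__ == "__main__":
    p, s = build_index(DEVICES, "mc-1")
    print(duplicate_secondaries(s))
    print(match_source("192.168.1.1", p, s))
    p, s = build_index(reassign(DEVICES, "fw-b", "mc-2"), "mc-1")
    print(match_source("192.168.1.1", p, s))
```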

  • Hi Antonio,

    Thanks for the response.

    The Event Policy is "Message Collector managing devices with same secondary IP". Of course I can disable that EP totally, though all those messages will still be in the Logs, and there are plenty of those. And I tend to believe that there is a reason for this EP.

    I know that technically per se it is not a huge issue, just lots of events, when having lots of clustered firewalls with lots of common IPs.

    Now I am a bit confused about port/interface definitions in SL1. 

    • Interface scan = interface scan, but also IP scan? If enabling Bypass Interface Inventory, then no updates for any changes in interfaces will be done?
    • port scan = TCP port scan and can be then defined if scanning for each IP or not

    Well, you can delete those IPs (in MySQL), but it seems that they just pop up again and again. So in reality it looks like there is no way to disable that feature per device but still continue with normal interface monitoring.

     

  • Hello Teppo,

    That event policy is not one I am familiar with. Can you tell me which PowerPack it came from, or is it a custom event policy?

    Antonio Andres

    Principal Technical Support Engineer | ScienceLogic