Boundary groups data is incorrect

John Biggston 71 Reputation points
2020-12-01T15:54:33.057+00:00

Hi all,
I'm trying to make use of the Boundary Groups information as displayed in collection memberships, the problem is the data is inaccurate. I have two Boundary Groups set up; one for our intranet and one for our VPN. I only use IP ranges for both, and there is no overlap between the two. When I enable the Boundary Group(s) column for any given collection display in the console, I have many machines that report as being in both groups. I can accept that there are systems that are in our intranet who also have connected to the VPN for some reason, but there are many machines that cannot ever have connected to the VPN, yet still report as being in that boundary group. This is further complicated by the fact that if I look at the IP addresses of any of these systems in the properties for that object, there is no record of it ever having an IP in our VPN subnets. Has anyone else come across this who can give me some guidance on why the data doesn't match up?

Thanks

Microsoft Configuration Manager

5 answers

  1. SunnyNiu-MSFT 1,696 Reputation points
    2020-12-02T08:59:44.357+00:00

    @John Biggston
    1) Are your intranet boundary and VPN boundary separately placed in different boundary groups? If not, the error you described above may also occur.
    2) A client that is connected via VPN reports both the local network and the VPN network in inventory. In some cases the local network of a VPN client may have the same IP address as an intranet client. Starting from the 2006 version, you can choose to directly create the VPN boundary type to avoid this situation.
    There are two articles that provide more detailed instructions:
    https://www.reddit.com/r/SCCM/comments/gs6x8r/vpn_boundaries_local_home_networks/
    https://learn.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/boundaries#vpn
    3) >there is no record of it ever having an IP in our VPN subnets.
    IP address is collected by two different things in ConfigMgr: heartbeat discovery and hardware inventory. You may check whether heartbeat discovery and hardware inventory are enabled.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. John Biggston 71 Reputation points
    2020-12-02T13:48:20.957+00:00

    Hi SunnyNiu,
    Thanks for your response.

    1. I have many boundaries, but only two Boundary Groups. All of my boundaries are in one of the two BG's and there is no overlap between the boundaries or the BG's.

    2) I have many machines that report multiple IP addresses, that's fine and expected, however, the IP addresses don't always match the Boundary Group membership as shown in the console.

    As an example:
    Machine1 reports IP Addresses of 10.40.X.X which is in our VPN Boundary, and 192.168.X.X, (so obviously on a home network with VPN running), and yet Boundary Group(s) shows it as being in both our Intranet Boundary and our VPN boundary, which is not accurate.

    I have hundreds of machines like this. I thought that it might be because we re-organized the boundaries in the boundary groups, but that was well over two weeks ago and we run HW inventory every 3 days, and Heartbeat every day.

    I'm happy to supply more information as required. I'd love to get this solved as I need to make use of the BG information, but I need it to be accurate.


  3. SunnyNiu-MSFT 1,696 Reputation points
    2020-12-03T08:47:33.147+00:00

    @John Biggston

    > Machine1 reports IP Addresses of 10.40.X.X which is in our VPN Boundary, and 192.168.X.X, (so obviously on a home network with VPN running), and yet Boundary Group(s) shows it as being in both our Intranet Boundary and our VPN boundary, which is not accurate.

    We would like to confirm with you whether your intranet IP address range includes 192.168.X.X?

    > I thought that it might be because we re-organized the boundaries in the boundary groups, but that was well over two weeks ago.

    The data of Boundary group(s) updates when the client makes a location request to the site, or at most every 24 hours.
    As I mentioned above, you may also directly create a VPN boundary type to avoid this situation. You can refer to the following article for detailed steps: https://learn.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/boundaries#vpn



  4. John Biggston 71 Reputation points
    2020-12-03T13:54:00.74+00:00

    Hi SunnyNiu,
    I can confirm that our intranet IP ranges do not include 192.168 or any of the home IP address ranges we have encountered. I have gone over our boundary ranges several times to ensure there is no overlap, and that no IP addresses are included that are not in our internal boundaries.

    I will look into the VPN boundary type, however that doesn't address this issue. This misrepresentation of the BG information only happens to involve a VPN in my site, it could easily be a remote site. Either way, the information is simply not accurate. Is there a log file on the server that records the IP address information and may point to how the server is classifying the BG membership?


  5. SunnyNiu-MSFT 1,696 Reputation points
    2020-12-04T09:40:04.91+00:00

    @John Biggston
    There is no specific log file that records IP address information on the server.
    You may query the IP address through the following SQL statement:

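    -- IPAddress0 holds a comma-separated list of addresses per adapter; return the first one.
    -- Appending ',' lets CHARINDEX find a delimiter even when the adapter has a single address.
    SELECT LEFT(IPAddress0, CHARINDEX(',', IPAddress0 + ',') - 1) AS [IP Address],
           DNSHostName0 AS [Host Name]
    FROM v_GS_NETWORK_ADAPTER_CONFIGUR
    WHERE IPAddress0 IS NOT NULL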
    

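The cross-check discussed in this thread can be done offline once the inventory query results and the boundary ranges are exported. The following is an added example, not part of the thread and not ConfigMgr code: it tests every inventoried address against each boundary group's IP ranges and lists, per host, the groups shown in the console that no inventoried address accounts for. The ranges, host names, addresses and console values are constructed; only the 10.40.X.X VPN range and the 192.168.X.X home address follow the example given above.

```python
import ipaddress

# Constructed boundary definitions: IP range boundaries ("start-end") per boundary group.
BOUNDARY_GROUPS = {
    "Intranet": ["10.10.0.1-10.10.255.254", "172.16.0.1-172.16.31.254"],
    "VPN": ["10.40.0.1-10.40.255.254"],
}

# Constructed rows shaped like the inventory query: (host, comma-separated IPAddress0).
INVENTORY = [
    ("MACHINE1", "10.40.12.7,fe80::1c2b:3d4e:5f60:7182"),
    ("MACHINE1", "192.168.1.23"),
    ("MACHINE2", "10.10.4.50"),
]

# Constructed values copied from the console's "Boundary Group(s)" column.
CONSOLE = {"MACHINE1": {"Intranet", "VPN"}, "MACHINE2": {"Intranet"}}


def parse_range(text):
    """Turn 'start-end' into a pair of address objects, rejecting malformed ranges."""
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    if start.version != end.version or start > end:
        raise ValueError(f"bad range: {text}")
    return start, end


def groups_for(addr, boundary_groups=BOUNDARY_GROUPS):
    """Return the set of boundary groups whose ranges contain addr."""
    ip = ipaddress.ip_address(addr)
    hits = set()
    for group, ranges in boundary_groups.items():
        for start, end in map(parse_range, ranges):
            # Compare only within the same IP version (IPv6 never matches an IPv4 range).
            if ip.version == start.version and start <= ip <= end:
                hits.add(group)
    return hits


def unexplained(inventory=INVENTORY, console=CONSOLE):
    """Per host, console-reported groups that no inventoried address falls into."""
    derived = {}
    for host, addr_list in inventory:
        for addr in filter(None, (a.strip() for a in addr_list.split(","))):
            derived.setdefault(host, set()).update(groups_for(addr))
    gaps = {h: sorted(g - derived.get(h, set())) for h, g in console.items()}
    return {h: g for h, g in gaps.items() if g}


if __name__ == "__main__":
    print(unexplained())
```

A host listed in the result has a console membership that the current inventory does not account for, which narrows the investigation to those machines instead of the whole collection.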