Scanner IP Changed
A scanner is presenting a different source IP than its bound_ip and has recent failed-auth attempts. Causes: NAT change, host moved networks, or key replay from a different segment.
How to
If the IP change is legitimate
- Confirm with the network owner that the scanner host moved
- Choose "Release IP binding" — the next successful heartbeat re-establishes binding from the new IP
If the IP change is suspicious
- Treat as potential key compromise — Regenerate Token to invalidate the old key
- Investigate Audit > Auth for the failed auth attempts
Gotchas
- Release IP binding zeroes failed_auth_count; investigate via audit logs BEFORE clearing if you suspect compromise.
- A scanner with no bound_ip (initial provisioning) cannot trigger this class — the binding has to have been set first.
API calls (1)
| Method | Path | Description |
|---|---|---|
| POST | /api/health/job-errors/:stateId/repair | action=release_binding | regenerate_token |
Related
- Job Errors Overview — Category model
- Auth Audit — Investigate failed-auth attempts