Unexpected Asset combination behaviour - Nexpose On Prem

A number of our network devices with multiple IPs are causing unusual behaviour with regards to asset linking.

In an example case, we have a Cisco Firewall with 4 sections, each with a management interface and associated IP (and differing configuration). They all share the same “Cisco UUID” as the Unique identifier.

The Discovery scan generates 4 unlinked Assets, the Unique ID is unpopulated as it would require authentication which this scan type doesn’t support.

The full Vulnerability Scan then scans each of these 4 linked assets, and a unique “node” scan result is created for each. Each of these node results differs only on the IP address. These 4 nodes however link back to a single 5th (separate to the 4 discovery assets) asset. This asset only shows a single IP, which appears to be randomly selected (possibly the last node to finish) out of the 4 possible IPs, and there are no additional IPs listed under the asset entry. At the very least I would have expected all 4 IPs to be listed under the asset entry. The only way I identified this behaviour was via the scan history showing differing IPs.

So the result is: 4, discovered assets with no risk score (1 for each IP) and 1 scanned asset with Risk score, but randomly changes IP, and has no reference to the other 3 IPs at a single point in time.

This seems like a bug? Note that we have Global Asset Linking on.