meraki: ERROR > appliance, updateNetworkApplianceTrafficShapingVpnExclusions - 400 Bad Request, {'errors': ['Configuring Major Application VPN exclusion rules requires the SDWAN+ license']}
Local Breakout by application requires this enhanced license. Local breakout by IP does not.
But the function in the library doesn't seem to care much. It seems to try to configure major application rules even when there's no code to do so.
Anyone know of any workarounds?
Do you have the SD-WAN plus license? If you don't have it, you won't be able to enable it.
Requirements:
The following are the requirements to utilize this feature in a network:
Meraki AutoVPN support: This feature requires the Meraki MX on MX 15+ series firmware
Non-Meraki VPN support: This feature requires the Meraki MX on MX 18.1+ series firmware
Minimum License Type: Secure SD-WAN Plus or Advance Teleworker
All other requirements listed for IP/URL based Local Internet Breakout
https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)
I'm not trying to enable Application Exclusion, I'm trying to write a script using the Meraki Python library for VPN exclusion by IP, which is a feature I'm already using on several networks
And can you share the script so I can try to find the error? Just to make it clear that the previous question was because you didn't mention that you have the license. 😉
This is an example script.
import requests

# Replace with your own API key and Meraki organization ID
api_key = "YOUR_API_KEY"
org_id = "YOUR_ORG_ID"

# Define the API endpoint for VPN exclusions
url = f"https://api.meraki.com/api/v1/organizations/{org_id}/appliance/vpn/exclusions"

# Example payload for application-based exclusion
payload = {
    "name": "Office 365 Suite",
    "type": "application",
    "value": "office365",
}

# Make the API request (the API key is passed in the X-Cisco-Meraki-API-Key header)
headers = {"X-Cisco-Meraki-API-Key": api_key}
response = requests.post(url, json=payload, headers=headers)

# Report the result; on failure response.text carries the Dashboard's JSON error body
if response.status_code == 201:
    print("Exclusion rule added successfully!")
else:
    print(f"Error: {response.status_code} - {response.text}")
I'll see if I can give this a shot
What is the payload that you are sending?
I'm using the Python Library and only using the 'custom' payload.
dashboard.appliance.updateNetworkApplianceTrafficShapingVpnExclusions(network_id, custom=[{'protocol': 'tcp', 'destination': '192.168.3.0/24', 'port': '8000'}])
Put this example for reference
I understand the Application exclusion requires the SDWAN+ license, but I shouldn't need it to execute code that isn't deploying that feature.
According to the endpoint docs schema definition, it looks like that both "custom" and "majorApplications" are required fields. So I don't think you can use that endpoint without also setting "majorApplications". And since that is a SDW+ feature, I guess it would fail for you.
If you pass it with an empty list, does that make a difference? I.e.
response = dashboard.appliance.updateNetworkApplianceTrafficShapingVpnExclusions(network_id,
custom=[{'protocol': 'tcp', 'destination': '192.168.3.0/24', 'port': '8000'}],
majorApplications=[]
)
It didn't seem to appreciate an empty list much, lol. Had the same error
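The following is an added example, not code from the thread or from the meraki Python library. It shows the raw call that `updateNetworkApplianceTrafficShapingVpnExclusions` wraps, sending both `custom` and `majorApplications` as the schema requires, and turns the 400 response quoted at the top of the thread into an explicit "licence required" diagnosis instead of a generic failure. Assumptions: the library method maps to `PUT /networks/{networkId}/appliance/trafficShaping/vpnExclusions` (my reading of the Dashboard API v1 docs), the standard library `urllib` is used in place of `requests`/`meraki` so it runs with no extra packages, `Authorization: Bearer` is used as the key header, and the sample error body is constructed from the message quoted in the thread.

```python
"""Added example (not from the original thread or the meraki library).

Builds the per-network VPN exclusions update and classifies the Dashboard
API's error responses, so a script can tell "missing Secure SD-WAN Plus
licence" apart from a bad key, a wrong network ID or a malformed rule.
"""
import json
import urllib.error
import urllib.request

# Assumption: this is the endpoint that
# dashboard.appliance.updateNetworkApplianceTrafficShapingVpnExclusions() wraps.
API_BASE = "https://api.meraki.com/api/v1"
VPN_EXCLUSIONS_PATH = "/networks/{network_id}/appliance/trafficShaping/vpnExclusions"


def build_vpn_exclusion_request(network_id, custom_rules, major_applications=None):
    """Return (url, body) for the update call.

    Both keys are always present: the endpoint schema marks 'custom' and
    'majorApplications' as required, which is why the library cannot omit
    the latter even when the caller only wants IP-based rules.
    """
    body = {
        "custom": list(custom_rules),
        "majorApplications": list(major_applications or []),
    }
    url = API_BASE + VPN_EXCLUSIONS_PATH.format(network_id=network_id)
    return url, body


def classify_api_error(status, body_text):
    """Map an HTTP error status plus body to a short diagnosis string.

    The Dashboard returns errors as {"errors": ["...", ...]}; a non-JSON
    body is treated as a single opaque error message.
    """
    try:
        errors = json.loads(body_text).get("errors", [])
    except (ValueError, AttributeError):
        errors = [body_text]
    if status == 400 and any("SDWAN+ license" in str(e) for e in errors):
        # The rule set touched majorApplications on a network without
        # Secure SD-WAN Plus; IP-only rules still hit this when the
        # required field is sent, as the thread observed.
        return "license_required"
    if status in (401, 403):
        return "auth"
    if status == 404:
        return "not_found"
    return "other"


def update_vpn_exclusions(api_key, network_id, custom_rules, major_applications=None):
    """Send the update. Returns (status, parsed_or_raw_body, diagnosis)."""
    url, body = build_vpn_exclusion_request(network_id, custom_rules, major_applications)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            # X-Cisco-Meraki-API-Key is also accepted; Bearer is the newer form.
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}"), "ok"
    except urllib.error.HTTPError as exc:
        text = exc.read().decode(errors="replace")
        return exc.code, text, classify_api_error(exc.code, text)


# Constructed sample: the 400 body quoted at the top of the thread, as the API
# would return it (JSON, not the Python repr the library logged).
SAMPLE_LICENSE_ERROR = json.dumps({
    "errors": ["Configuring Major Application VPN exclusion rules requires the SDWAN+ license"]
})

if __name__ == "__main__":
    # Offline demonstration only; no request is sent here.
    url, body = build_vpn_exclusion_request(
        "N_123", [{"protocol": "tcp", "destination": "192.168.3.0/24", "port": "8000"}]
    )
    print("PUT", url)
    print(json.dumps(body, indent=2))
    print("diagnosis:", classify_api_error(400, SAMPLE_LICENSE_ERROR))
```

Running the script alone prints the request it would send and classifies the constructed error; to apply a change, call `update_vpn_exclusions(api_key, network_id, rules)` and branch on the third element of the result, treating `license_required` as a configuration problem rather than a transient failure worth retrying.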
Does your Spoke site have a Default Route configured on the VPN?
The L3 VPN Exclusion configuration is available under Security & SD-WAN > SD-WAN and Traffic Shaping or Teleworker Gateway > Traffic Shaping.
The configuration option will appear if:
There's a default route at one of the hubs shared out via SDWAN