Hey all, we are facing a few issues once we connect sites to Secure Connect for internet traffic, but the issues are immediately resolved once the network is disconnected.
When a site is connected and internet traffic is going through the service connectors, we've identified a few issues with devices being able to communicate with public management servers. For example, Meraki cameras get an alert that their configuration is out of sync, yet the camera feed is working. Also, our Arctic Wolf appliances are unable to communicate with their services. There are no blocks indicated in the logs; we also took the additional step of whitelisting all IPs and URLs in the DNS, web and cloud firewall policies.
The issue seems to be related to the lack of a consistent external IP for traffic egressing from the devices to the internet through the Secure Connect service connectors.
TAC advised bypassing the traffic to the required destinations, which does resolve the issue.
PROBLEM: We've identified over 50 subnets we must bypass for a laundry list of applications that aren't working, and with 100+ MX sites this is time consuming, so I dug into the Meraki API templates but can't seem to find the required PUT to update the list on each MX. Why do we need an SDWAN+ license when the option is available in the web interface?
NOTHING FANCY:
import requests

API_KEY = "xxx"
NETWORK_ID = "xxx"  # Replace with your network ID
# The original snippet never defined BASE_URL; the MX VPN exclusions endpoint is assumed here
BASE_URL = f"https://api.meraki.com/api/v1/networks/{NETWORK_ID}/appliance/trafficShaping/vpnExclusions"

headers = {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-Cisco-Meraki-API-Key": API_KEY
}

## additional destinations removed
data = {
    "custom": [
        {"protocol": "any", "destination": "x.x.x.x/32"},
        {"protocol": "any", "destination": "x.x.x.x/19"}
    ]
}

response = requests.put(BASE_URL, headers=headers, json=data)
print(response.status_code)
print(response.json())
########
{'errors': ['Configuring Major Application VPN exclusion rules requires the SDWAN+ license']}
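The post above describes pushing the same bypass list to a large number of MX networks; the script that follows is an added example written for this thread and is not the poster's code or anything from Meraki. It assumes the endpoint path `/networks/{networkId}/appliance/trafficShaping/vpnExclusions` and the `custom` rule fields `protocol`, `destination` and `port` as they appear in the Meraki dashboard API v1, and it assumes that the SDWAN+ license error comes back as an `errors` list like the one shown above. It validates every prefix strictly (a mistyped or misaligned CIDR is rejected rather than silently widened into a bigger bypass), merges with the rules already on each network instead of overwriting them, and reports per network whether the update succeeded, hit the license error, or failed for another reason. Sample prefixes are RFC 5737 documentation ranges, constructed for the example.

```python
import ipaddress
import requests

BASE_URL = "https://api.meraki.com/api/v1"  # assumed Meraki dashboard API v1 base


def build_custom_rules(destinations):
    """Turn a list of CIDR strings into Meraki-style custom exclusion rules.

    Strict parsing means '198.51.100.0/19' (host bits set) raises ValueError
    instead of being widened to 198.51.96.0/19; a default route is refused so
    a typo cannot bypass all traffic. Duplicates are dropped.
    """
    rules, seen = [], set()
    for dest in destinations:
        net = ipaddress.ip_network(dest, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"refusing default-route exclusion: {dest}")
        key = str(net)
        if key in seen:
            continue
        seen.add(key)
        # field names assumed from the Meraki API; 'port' is 'any' for a plain bypass
        rules.append({"protocol": "any", "destination": key, "port": "any"})
    return rules


def merge_exclusions(existing, new_rules):
    """Merge new custom rules into an existing vpnExclusions body, keeping
    whatever is already configured and adding only rules not yet present."""
    merged = list(existing.get("custom", []))
    present = {(r.get("protocol"), r.get("destination"), r.get("port")) for r in merged}
    for rule in new_rules:
        key = (rule["protocol"], rule["destination"], rule["port"])
        if key not in present:
            merged.append(rule)
            present.add(key)
    body = dict(existing)
    body["custom"] = merged
    return body


def classify_response(status_code, body):
    """Map an API response to 'ok', 'license' (SDWAN+ required) or 'error'."""
    if 200 <= status_code < 300:
        return "ok"
    errors = body.get("errors", []) if isinstance(body, dict) else []
    if any("SDWAN+" in str(e) for e in errors):
        return "license"
    return "error"


def apply_to_networks(api_key, network_ids, destinations, session=None):
    """GET each network's current exclusions, merge the new rules, PUT the
    result, and return {network_id: outcome}. Network I/O only happens here."""
    sess = session or requests.Session()
    sess.headers.update({
        "X-Cisco-Meraki-API-Key": api_key,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    new_rules = build_custom_rules(destinations)
    results = {}
    for nid in network_ids:
        url = f"{BASE_URL}/networks/{nid}/appliance/trafficShaping/vpnExclusions"
        current = sess.get(url, timeout=30)
        if current.status_code != 200:
            results[nid] = "error"
            continue
        body = merge_exclusions(current.json(), new_rules)
        resp = sess.put(url, json=body, timeout=30)
        try:
            payload = resp.json()
        except ValueError:
            payload = {}
        results[nid] = classify_response(resp.status_code, payload)
    return results


if __name__ == "__main__":
    # Constructed sample: two documentation prefixes, one of them duplicated.
    sample = ["203.0.113.10/32", "198.51.96.0/19", "203.0.113.10/32"]
    print(build_custom_rules(sample))
    print(classify_response(400, {"errors": [
        "Configuring Major Application VPN exclusion rules requires the SDWAN+ license"]}))
```

Run `apply_to_networks(api_key, ids, prefixes)` with the network IDs from the organization's network list; a `"license"` outcome for every MX confirms the licensing block is API-wide rather than a malformed request, which is worth knowing before opening a second TAC case.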