100% agree with you. If I have to put anther device in to terminate the VPN connections why have a MX in the first place? If I get to that point, I will just move back to FTD or some other vendor and get rid of the MX outright.
Going off topic, I cant really justify the "cloud" aspect of this anymore. Thats the only thing that makes Meraki unique, but with Cisco hosting FMC/CDO (Juniper Mist/Prisma Cloud etc) this same level can be achieved with other products that are way more stable and can actually do NAT. (been on the wishlist since 2015 that I know of). Sure Prisma cloud isnt as pretty or has as many options as Meraki, but I would choose stability over features anytime, and I feel this should always be the foundation of any vendor devices.
Issues I have specifically with MX line:
1. NAT support ( I know there is some support now with autovpn, but most people have unique subnets already if they are part of your org) I'm talking about Non meraki VPN NAT which lets face it 99% of us will run into network overlap esp with many peers with no recourse other than telling the remote party to NAT to us, or change your IP subnet.
2. AMP/IPS- No indication that its working. No reports, emails, log entries showing that its working as I stated above esp in V18/19. Maybe a bug? I have to rely on endpoint software telling me it blocked something, which means it made it past the firewall.
3. GEO blocking- Again no indication that its working. No logs showing whats blocked etc
4. Logging- Logging in general is horrible. Why Meraki dosent put the systems logs out there for those of us that want to look is beyond me. Following the keep it simple mantra I get it, but a button somewhere to turn it on for those that want to look/see would be great
5. Resource/Utilization- No way to tell CPU/RAM/System utilization other than the summary report which blends all of that together to spit out a number. I have had multiple MXs lock up on me with no way to tell other than calling support and it was due to CPU/RAM etc crashing the system.
6. URL Filtering- As far as I can tell it works, but no easy way to tell whats getting blocked. Logging has improved, but most of the time it didn't log the events, or it was an event burst so you still don't see it as they were dropped in the logs.
7. Mix and match license types (within MX). Not every site needs SD-WAN or Advanced Security licenses. The answer I always get is get a Z3/4 device (Dont get me started on Z4 being licensed like a MX now), but sometimes a remote site has 1gbps internet and those wont work and you have to go with a MX, so they are forcing you to buy unneeded licenses to use auto VPN etc. Only other choice is to setup another org and non-meraki VPN (see issues in original post).
8. FQDN VPN peers do not work (non meraki VPN IKEv2)
9. Support- I have nothing against the support team at all, but I already have a pretty good idea of whats happening when I call support and most of the time its because of a bug, or something I dont have access to. See the logging section. The default answer is do a packet capture which dosent identify if its L3/L7/AMP/IPS/GEO etc and you have to go through one by one and allow/deny to figure it out. I would say 90%+ of all my support calls have been due to bugs that require back-end logs to verify/confirm.
All of these issues are non existent on Cisco FTD/ASA, or Fortigate etc, and I consider them to be core functionally of what makes a firewall a firewall.
