AMP Internal Application Timeouts

Solved
RogerO
Here to help

We have several internal applications that end users reach over the Meraki VPN tunnels. When we enable AMP, we get timeouts on several different parts of the application. This is not a bandwidth issue. The moment we bypass AMP, users do not have a problem. There are no logs of these connection failures that I can find on the MX appliance. Support has suggested packet captures, but the problems occur so fast that I have to get the users back into the application fast, so while I'm waiting to get those I wanted to reach out to the community. Some of the connections are over ports 21/22/80/81/443/8443.

 

Thank you 

1 Accepted Solution
jdsilva
Kind of a big deal

If it is AMP blocking then it _should_ appear under Security appliance > Security centre under the Events tab. Note that I say _should_ ...

 

You could also just whitelist your internal applications in AMP under Security appliance > threat detection. 

 

And last thought, what version are you on? We've had much better AMP performance / results up in version 14.x than in some of the older firmwares.

RogerO
Here to help

Thank you. Yes, "should" and "do" are a major issue I hope the Meraki team can fix on logging AMP. I will do the firmware upgrade on two of my sites to Beta Code tonight and then add Whitelist again. I was hoping some of you had better whitelist formulas than the default help page, which was kinda blah in my thoughts.
jdsilva
Kind of a big deal

I wish I had better whitelist formulas to offer you... 😞

 

 

RogerO
Here to help

Learning process for me and my internal apps team, which they do not know what URLs they call, so that has been fun figuring out. Thank you all for the support. I'm still deploying another 20 sites. But this is much smaller than my 2500 site deployment from 2 years ago, so a lot more manageable.
jdsilva
Kind of a big deal


@RogerO wrote:
my internal apps team which they do not know what URLs they call

I'd act surprised... But I'm not.

 

Man, life would be so much better without developers 🙂

RogerO
Here to help

We could make a drinking game of that. Thank you.
PhilipDAth
Kind of a big deal

There were a lot of improvements in AMP in the 14.x code. If you are not using it yet, I would suggest using 14.30.

RogerO
Here to help

Thank you, PhilipDAth. As the other poster said the same thing, I will do the upgrades.

TEAM-ind
Getting noticed

Still no fixes for several known AMP issues, even with the latest 15.x that you need a support engineer to push. AMP is not going to be internal application friendly for quite some time, based upon my experience with our internal SharePoint sites and forms, and a fix still not available in even the latest beta.

RogerO
Here to help

Can anyone from Meraki please help us out?

TEAM-ind
Getting noticed

Older thread here, but I just wanted to post that Meraki support states that this is fixed in 15.12: "The issue is fixed in 15.12. 'Updated the AMP service to more gracefully handle cases where there are many out-of-order packets. This will result in fewer instances of file downloads failing when AMP is enabled.' Please upgrade your MX(es) to 15.13 to get the fix." I have not verified this, but thought it worth sharing, anyway.
RogerO
Here to help

Thank you, I will have to check and see. I'm in the middle of Sourcefire upgrades at data centers, so apple/orange in progress.

 

 
