Dashboard SW bug: Cloning a Config Template "looses" Site-to-Site VPN settings

Solved
AndreasE
Getting noticed

Dashboard SW bug: Cloning a Config Template "looses" Site-to-Site VPN settings

Yesterday, we cloned our Config Template called "Father" into a new Template called "Son" (they both differ in just one network mask of a VLAN-ID).

 

Everything worked well apart from the fact that the newly cloned Template called "Son" did not carry the same Site-to-Site VPN settings (specifically "Type" = "Spoke" as well as the "Hub" setting) than the old parent Template called "Father".

 

We recognized too late that the newly cloned Template "Son" was set back to the default value which seemed to be "Type" = "Off" which -- as a "knock-on effect" -- did cause serious routing issues to two networks that have been bound to "Son" .

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

From your first link it says:

 

"While Configure > Addressing & VLANs > VLANs is set to "Disabled", all bound security appliances will use the same subnet. This allows for a high level of consistency across all sites, but it inherently disallows the use of Site-to-site VPN"

 

@CameronMoody  he does have a point about the documentation failing to mention that cloning a template disables AutoVPN.

 

I agree with you about the Configuration Sync function.  Back in the "old days" there didn't use to be combined networks, but the feature has failed to keep up with dashboard advances, and is now next to useless (IMHO).

View solution in original post

7 Replies 7
AndreasE
Getting noticed

See the replies from Meraki Support:

 

1. "Site-to-site VPN cannot be enabled for a security appliance template unless VLANs are enabled, and at least one VLAN emits unique subnets. Are you running unique subnets in your template VLAN settings?"

 

Because my answer was "sure", I received a 2nd reply:

 

2. "By default cloning templates sets VPN to off to prevent subnet overlap within the Organisation."

 

And see Meraki webpages:

https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Managing_Multiple...

https://documentation.meraki.com/zGeneral_Administration/Organizations_and_Networks/Cloning_Networks...

PhilipDAth
Kind of a big deal
Kind of a big deal

I've had that happen as well.  Luckily it is very quick to fix (once you know about it).

AndreasE
Getting noticed

Hi Philip,

 

tx for your confirmation. What I don't like about Meraki products and support:

1. "known issues": they never tell you, but just keep it under the blanket

2. software bugs: no bug bounty program, instead you get silly reply questions about settings they should better know about than we do (why are they asking for a device ref when they never look into the device whilst working on a case?)

3. really bad or aged documentation on the web

4. instead of an error message or at least a warning, the dashboard falls back into a default setting and doesn't tell you about the risks

Rgds, Andreas

PhilipDAth
Kind of a big deal
Kind of a big deal

I agree with some of what you say.

 

>software bugs: no bug bounty program

 

Here are the details on the bug bounty program:

https://bugcrowd.com/ciscomeraki

 

>really bad or aged documentation on the web

 

I 100% disagree with you here.  Could you give an example of something tou thing is bad or aged?  We can ask to have someone update it.

 

 

AndreasE
Getting noticed

https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Managing_Multiple...

 

https://documentation.meraki.com/zGeneral_Administration/Organizations_and_Networks/Cloning_Networks...

 

both pages don't tell you the following:

 

  1. Site-to-site VPN cannot be enabled for a security appliance template unless VLANs are enabled, and at least one VLAN emits unique subnets.
  2. By default cloning templates sets VPN to off to prevent subnet overlap within the Organisation.
  3. Config sync doesn't work for "network tags" or "Template networks" (containing an MX appliance and a MS switch)
PhilipDAth
Kind of a big deal
Kind of a big deal

From your first link it says:

 

"While Configure > Addressing & VLANs > VLANs is set to "Disabled", all bound security appliances will use the same subnet. This allows for a high level of consistency across all sites, but it inherently disallows the use of Site-to-site VPN"

 

@CameronMoody  he does have a point about the documentation failing to mention that cloning a template disables AutoVPN.

 

I agree with you about the Configuration Sync function.  Back in the "old days" there didn't use to be combined networks, but the feature has failed to keep up with dashboard advances, and is now next to useless (IMHO).

CameronMoody
Meraki Employee
Meraki Employee

Hi @AndreasE,

 

Hoping I can help clarify a few things and maybe improve our documentation a bit while we're at it.

 

 

  1. Site-to-site VPN cannot be enabled for a security appliance template unless VLANs are enabled, and at least one VLAN emits unique subnets.
  2. By default cloning templates sets VPN to off to prevent subnet overlap within the Organisation.
  3. Config sync doesn't work for "network tags" or "Template networks" (containing an MX appliance and a MS switch)

1. The "VLANs enabled" bit is mentioned in the "IP Address Range Allocations" section, as @PhilipDAth pointed out, but I agree with you that the "emits unique subnets" bit could be a bit more clear.

 

2. This is not mentioned, and I agree that it should be.

 

I updated this section of the documentation with a couple notes to make these requirements a bit more clear. 

 

3. As @PhilipDAth mentioned, the inability to clone combined networks is currently a shortcoming of the config sync feature. I can't personally speak much to our plans to address this, but we're aware that it is an issue.

 

 

1. "known issues": they never tell you, but just keep it under the blanket

2. software bugs: no bug bounty program, instead you get silly reply questions about settings they should better know about than we do (why are they asking for a device ref when they never look into the device whilst working on a case?)

3. really bad or aged documentation on the web

4. instead of an error message or at least a warning, the dashboard falls back into a default setting and doesn't tell you about the risks

1. It's not our intent to hide known issues, it's just difficult to always ensure that we're presenting them in a way that is helpful. Our support engineers use the same documentation site that our users do and help keep it up-to-date, so if it's not recorded, it is almost certainly not an intentional omission. I appreciate feedback like this when you notice we're missing something.

 

3. I'm personally working on cleaning up as much as we can. I agree that some items are a bit dated and deserve some attention. If something stands out to you as particularly misleading or inaccurate, I'll take a look if you let me know.

 

I realize that doesn't address everything you were concerned about, but hopefully that helps a bit with the things I'm able to speak to.

 

Thanks for the feedback!

Cameron Moody | Product Manager, Cisco Meraki
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels