Hi all,
in the Dashboard, I can see this notification: "Our automated tests show that you have one or more Meraki devices unable to reach our platform on IP address ranges 216.157.128.0/20 and 158.115.128.0/19."
In my setup I'm using Auto-VPN and the Default-Route is announced/used via the Tunnel to my Hub!
Unfortunately I can't see the source IP address in the Firewall-Test-Failures.csv report which is used from the MX to the Cloud?! I've quite a lot of VLANs configured on the MX (SVI) and I think I've heard that the highest one will be used for the Management Traffic, is this correct?
Maybe someone can point me to documentation which explains the behaviour?
Thanks a lot!
The management traffic from your MX to the Meraki cloud will not use its own AutoVPN tunnel - even though it provides a default route for user traffic (at least - for those VLANs that are VPN = enabled). This traffic will break out directly to the Internet, NATed behind the address of your primary WAN uplink (you should be able to verify this through a packet capture on the Internet logical interface). I would look at whatever is upstream of your MX on that WAN port - but also feel free to contact Meraki Support, if there's nothing obvious there that's blocking comms to the ID'ed destinations.
Thanks for your response!
I thought that too, but when I read through this documentation - at the bottom of the page - my understanding is that it would be routed through the VPN…
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior
That's a good point - what does packet capture reveal?
When you receive such info, I believe you can "download firewall test failures", in which you will see which device has trouble communicating with the new dashboard IP addresses.
To further confirm, just open a case with us; we can run backend commands to check whether it really had trouble. At the same time, a real-time capture can be taken to confirm which interface the MX sent mgmt traffic from.
Regarding the documentation, the check happens every 4-6 hours, so it's hard to capture… is there a way to trigger it?
Actually no, I would suggest you open a case with us first; once it is assigned, we can run some commands to check / capture in real time.
Be aware of some known issues: if your MX uses WAN2 or cellular as its only uplink, you will get the banner saying your MX has trouble communicating with the new IP range, but probably not at all. To confirm it, just open a case with us please.
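
Added example, not part of the thread and not Meraki code: the failures report does not show which source address the MX used, but the deny log of whatever sits upstream of the WAN port does, so this sketch filters such a log for the two ranges from the banner and groups denied flows by source. The key=value log format, the sample lines and the function names are constructed assumptions; adapt the regex to the real firewall's output.

```python
import ipaddress
import re
from collections import Counter

# The two cloud ranges named in the Dashboard banner quoted in the thread.
MERAKI_RANGES = [ipaddress.ip_network("216.157.128.0/20"),
                 ipaddress.ip_network("158.115.128.0/19")]

# Constructed sample lines in a hypothetical key=value deny-log format
# (addresses are documentation/test values, not real devices).
SAMPLE_LOG = """\
2024-05-02T03:10:11Z action=deny src=198.51.100.14 dst=216.157.130.9 dport=443 proto=tcp
2024-05-02T03:10:12Z action=deny src=198.51.100.14 dst=158.115.140.20 dport=7351 proto=udp
2024-05-02T03:10:15Z action=allow src=198.51.100.14 dst=216.157.129.1 dport=443 proto=tcp
2024-05-02T03:11:40Z action=deny src=10.20.30.1 dst=203.0.113.80 dport=443 proto=tcp
2024-05-02T09:02:03Z action=deny src=198.51.100.14 dst=158.115.159.255 dport=443 proto=tcp
2024-05-02T09:02:04Z action=deny src=10.20.30.1 dst=158.115.160.1 dport=443 proto=tcp
malformed line without fields
"""

LINE_RE = re.compile(r"action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
                     r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")

def blocked_cloud_flows(log_text):
    """Count denied flows to the banner's ranges, keyed by (src, proto, dport)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "deny":
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # skip unparsable addresses instead of aborting the run
        if any(dst in net for net in MERAKI_RANGES):
            hits[(m["src"], m["proto"], int(m["dport"]))] += 1
    return hits

def blocked_sources(log_text):
    """Source addresses the upstream device saw on blocked cloud traffic."""
    return sorted({src for src, _, _ in blocked_cloud_flows(log_text)})

if __name__ == "__main__":
    for (src, proto, dport), n in sorted(blocked_cloud_flows(SAMPLE_LOG).items()):
        print(f"{src} -> Meraki cloud {proto}/{dport}: {n} denied")
    print("sources:", blocked_sources(SAMPLE_LOG))
```

A source that appears here as the WAN uplink's (NATed) address rather than a VLAN address is consistent with the direct-breakout behaviour described in the first reply.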