MX Device-to-Cloud Connectivity

whistleblower
Building a reputation

Hi all,

in the Dashboard, I can see this notification: "Our automated tests show that you have one or more Meraki devices unable to reach our platform on IP address ranges 216.157.128.0/20 and 158.115.128.0/19."

https://documentation.meraki.com/General_Administration/Other_Topics/Cloud_Maintenance_New_IP_Ranges...

In my setup I'm using Auto-VPN, and the default route is announced/used via the tunnel to my hub!

Unfortunately I can't see in the Firewall-Test-Failures.csv report the source IP address that is used from the MX to the cloud. I've quite a lot of VLANs configured on the MX (SVI), and I think I've heard that the highest one will be used for the management traffic; is this correct?

Maybe someone can point me to documentation which explains the behaviour?

thanks a lot!

6 Replies
GreenMan
Meraki Employee

The management traffic from your MX to the Meraki cloud will not use its own AutoVPN tunnel, even though it provides a default route for user traffic (at least for those VLANs that are VPN-enabled). This traffic will break out directly to the Internet, NATed behind the address of your primary WAN uplink (you should be able to verify this through a packet capture on the Internet logical interface). I would look at whatever is upstream of your MX on that WAN port, but also feel free to contact Meraki Support if there's nothing obvious there that's blocking comms to the identified destinations.

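Two checks a practitioner would run on the back of the reply above, as an added example that is not part of the thread and not Meraki code: first, whether the upstream firewall's outbound allow-list actually covers the two ranges named in the notification (a rule set written for narrower prefixes leaves a gap that is easy to miss by eye), and second, a tcpdump-style filter plus a small tally for a capture on the Internet interface, to confirm that flows to those ranges leave on the WAN uplink and not through the VPN. The allow-list, interface names and flow records below are constructed sample data, not taken from the original post.

```python
"""Checks around the "unable to reach our platform" dashboard notice.

Added example, not Meraki code. The only facts taken from the thread are the
two destination ranges in the notification and the advice to verify with a
packet capture on the Internet (WAN) interface that management traffic is
NATed behind the primary uplink rather than sent through the AutoVPN tunnel.
"""
import ipaddress
from collections import Counter

# The ranges quoted in the dashboard notification.
MERAKI_NEW_RANGES = [
    ipaddress.ip_network("216.157.128.0/20"),
    ipaddress.ip_network("158.115.128.0/19"),
]


def uncovered(required, allowed):
    """Return the parts of `required` (CIDR strings) that no prefix in
    `allowed` (CIDR strings, e.g. the upstream firewall's outbound allow-list)
    covers. A non-empty result is a concrete rule gap.
    """
    rules = [ipaddress.ip_network(r) for r in allowed]
    gaps = []
    for req in (ipaddress.ip_network(r) for r in required):
        remaining = [req]
        for rule in rules:
            nxt = []
            for piece in remaining:
                if piece.subnet_of(rule):
                    continue                                  # fully covered
                if rule.subnet_of(piece):
                    nxt.extend(piece.address_exclude(rule))   # carve out the hole
                else:
                    nxt.append(piece)                         # disjoint, keep it
            remaining = nxt
        gaps.extend(remaining)
    return [str(g) for g in sorted(gaps)]


def capture_filter(ranges=MERAKI_NEW_RANGES):
    """BPF filter (tcpdump / dashboard capture) matching traffic to or from
    the ranges, so the capture on the Internet interface only shows the
    cloud-connectivity flows."""
    return " or ".join(f"net {n.with_prefixlen}" for n in ranges)


def management_egress(flows, ranges=MERAKI_NEW_RANGES):
    """Count flows to the ranges per (interface, source IP).

    `flows` are (interface, src, dst) tuples parsed from a capture. If the MX
    behaves as described in the reply, every hit sits on the WAN interface
    with the WAN address as source; hits on the VPN interface would mean the
    management traffic is following the tunnelled default route instead.
    """
    hits = Counter()
    for iface, src, dst in flows:
        if any(ipaddress.ip_address(dst) in n for n in ranges):
            hits[(iface, src)] += 1
    return dict(hits)


if __name__ == "__main__":
    # Constructed sample allow-list and capture records; not from the thread.
    allow_list = ["216.157.128.0/22", "158.115.128.0/19"]
    print("uncovered:", uncovered([str(n) for n in MERAKI_NEW_RANGES], allow_list))
    print("filter:", capture_filter())
    sample_flows = [
        ("wan1", "203.0.113.10", "216.157.130.5"),
        ("wan1", "203.0.113.10", "158.115.140.9"),
        ("vpn0", "10.99.0.1", "216.157.140.2"),
        ("wan1", "203.0.113.10", "8.8.8.8"),
    ]
    print("egress:", management_egress(sample_flows))
```

`uncovered` works on the firewall's prefixes, not on a live connection, so it can be run before opening a support case; the filter string goes straight into the capture on the Internet interface, and `management_egress` is what you would apply to the decoded flows to see which interface and source address the MX actually used.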
whistleblower
Building a reputation

thanks for your response!

I thought that too, but when I read through this documentation (at the bottom of the page), my understanding is that it would be routed through the VPN…

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior

GreenMan
Meraki Employee

That's a good point - what does packet capture reveal?

Bo_Tang
Meraki Employee

When you receive such info, I believe you can "download firewall test failures", in which you will see which device has trouble communicating with the new dashboard IP addresses.

To further confirm, just open a case with us; we can run backend commands to check whether it really had trouble, and at the same time a real-time capture can be taken to confirm which interface the MX sent the management traffic from.

whistleblower
Building a reputation

According to the documentation, the check happens every 4-6 hours, so it's hard to capture… is there a way to trigger it?

Bo_Tang
Meraki Employee

Actually no. I would suggest you open a case with us first; once it is assigned, we can run some commands to check / capture in real time.

Be aware of a known issue: if your MX uses WAN2 or cellular as its only uplink, you will get the banner saying your MX has trouble communicating with the new IP range, but probably it doesn't at all. To confirm it, just open a case with us please.
