MX100 AMP Blocking Microsoft Update and Java Update

Solved
Jack
Getting noticed


We bought 2x MX100 Security Appliances (retail price $4999 each + license). Currently running the latest stable firmware, 12.24, and it blocks all devices from downloading Windows Update and Adobe updates even though I whitelisted all known Microsoft update sites. Meraki's solution:

1) Disable AMP (risk of getting malware)

2) Upgrade firmware to V14 BETA (running a critical production network on beta firmware?)

Does anyone have a better workaround? Please help!

 

 

 

 


PhilipDAth
Kind of a big deal

I've deployed a lot of MXs, and they have never blocked Windows Updates without being configured to do so.

Have you configured any layer 7 firewall rules? Have you configured any content filtering rules?

Jack
Getting noticed

Hi PhilipDAth,

L7 only blocks all P2P, video, music and gaming.

Content filtering only blocks some categories that have nothing to do with Microsoft updates and Adobe updates. (Unless Microsoft uses a P2P protocol to push updates?)

This only happens on my MX100. I have many MX65Ws with the same config without any issue.

I have called Meraki support twice regarding this issue, for a month now, and they give me the same answer.

Hope to hear back from some other MX100 users.

PhilipDAth
Kind of a big deal

Try removing the L7 rules and see if that fixes it. If not, put them back. Repeat with the content filtering rules.

 

One of those items should get it working again. Tell us which one it was.

Ryan-Zimmerle
Getting noticed

Hello @Jack

 

I have an MX100 sitting as a cold spare to our MX250. I will fire this up, create a test network and try to duplicate the issue. When we had the MX100 in operation, AMP was grabbing Console8 updates as malicious. I am assuming AMP is enabled; what are your IDS settings? Prevention and Balanced? Just want to duplicate your settings here.

Jack
Getting noticed

Thanks for your help. IDS is set to Prevention, Balanced.

Ryan-Zimmerle
Getting noticed

Hello again @Jack

I have a spare MX100 running 12.24 that I reset back to factory, and I enabled AMP and IDS like you have (see screenshots). I also added the L7 rules you mentioned above. I happen to have an extra connection to the outside world with a public IP, so there is no double NAT taking place here. I had no problem fetching updates from Windows Update servers or Adobe updates. If this traffic was getting grabbed by IDS or by AMP, there would be a log of that event that is easy to find in the Security Center.

This very much sounds like an issue with content filtering, more specifically IP/URL reputation, as @PhilipDAth mentioned.

"In firmware version 13.3, URL reputation was prioritized over IP reputation, as opposed to IP reputation being the deciding factor on previous firmware versions. If, for some reason, the IP has a different categorization than the URL, the client could be allowed through."

I can tell you that I am running MX 14.15 on an MX250 and I have not been adversely affected by this beta firmware in a production environment with 1000+ daily clients.

"If a client is being blocked from accessing a page, the easiest way to tell whether content filtering is blocking the traffic is to check your Event Log. When looking at the Security Appliance's network in the dashboard, navigate to Network-wide > Monitor > Event log. To help narrow down the scope, the event type 'Content filtering blocked URL' can be included in the 'Event type include' field."

I hope this helps.

Ryan

[Two screenshots attached: Screen Shot 2017-10-13 at 12.39.55 PM.png, Screen Shot 2017-10-13 at 12.40.04 PM.png]


 

 

PhilipDAth
Kind of a big deal

If you look in the event log for the network, what is the exact reason it gives for blocking the traffic?

Jack
Getting noticed

I don't think the event log shows what's being blocked by AMP. Any idea what event to sort by?

PhilipDAth
Kind of a big deal

If you go:

Security Appliance/Security Centre/Events

Does anything come up?

Jack
Getting noticed

I don't see anything special within that log. We have 100+ PCs and all 100+ PCs cannot update Windows when AMP is turned on. Meraki support's solution is to update to the beta firmware, which I'm not very comfortable doing... just looking for a workaround for now.


PhilipDAth
Kind of a big deal

And you are saying that if you disable AMP it starts working?  If there is nothing in that log then it should mean that AMP is not blocking your traffic.

 

The beta firmware is pretty good.  You are unlikely to find any issues if you upgrade to it.

Jack
Getting noticed

Yes, as soon as I disable AMP everything works. When I turn it on, Windows Update stops working again. I think it is a known MX100 issue.

Here is what shows up in the log, but I don't think those are Windows Update:

Oct 13 12:19:22  IDS Alert  209.66.87.99.IPYX-073920-004-ZYO.zip.zayo.com (209.66.87.99:80)  Blocked  BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt
Oct 13 12:09:00  IDS Alert  a23-219-162-115.deploy.static.akamaitechnologies.com (23.219.162.115:80)  Blocked  BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt
Oct 13 12:04:00  IDS Alert  a23-219-162-115.deploy.static.akamaitechnologies.com (23.219.162.115:80)  Blocked  BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt

PhilipDAth
Kind of a big deal

We can probably solve this now we know the IDS is triggering.

 

Go:

Security Appliance/Threat Protection/Intrusion detection and prevention

Under "Whitelisted Rules" click "Whitelist an IDS rule". Select the rule that is firing in the log above.

 

Ryan-Zimmerle
Getting noticed

@Jack  May I get a screen capture of your content filtering and layer 3 / 7 rules? 

 

You are running MX 12.24 correct? 

 

Ryan 

Jack
Getting noticed

Yes, 12.24.

Sorry, I cannot share my L3/7 rules here. Pretty basic... only blocking a few /32 IPs. CF blocking P2P, video and gaming.

PhilipDAth
Kind of a big deal

I think you might be affected by the IP Reputation/URL filtering issue.  This was resolved in 13.3.  I think you should upgrade to the beta firmware.

 

You can read about the issue here:

https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Content_Filtering/Cont...

"Sometimes, sites will be blocked even though their URL category is not blocked. Usually this happens when the IP has a bad reputation but the URL reputation is good. This happens commonly with very large domains like Google that own many IP addresses and sometimes purchase new IP addresses that have not yet been re-categorized to take their new owner into consideration. In situations like this, these IPs sometimes have a category of 'Phishing and Other Frauds,' or various other categories that may actually be blocked:"

Jack
Getting noticed

Meraki support told me that V13 will not even solve my issue. I have to schedule a firmware update and they need to manually push V14 for this issue to be resolved. But it's in beta. Scary. I just don't understand why Cisco Meraki cannot make Windows Update work on a stable firmware?

ARiK_LeV
Conversationalist

I would assign a group policy only to the server to disable AMP just for those devices. Then try Windows Update again.

PT
Comes here often

Seen a similar problem with MX64/65/84.

Found that it was corrected by turning AMP off, waiting a bit (minutes), then turning it back on; this allowed updates to proceed.

Haven't seen the problem in a while, so it may have been covered in a recent update; we typically run newer than the stable release.

Ryan-Zimmerle
Getting noticed

@Jack I wrote out a really lengthy reply and added screenshots; it has now disappeared or was removed. Did you get a chance to see that reply?

Jack
Getting noticed

I saw it in my email and I was trying to reply, and then it was gone from the forum... someone deleted it, maybe for privacy issues? It's funny that it works for you but not me. I did not have the chance to look at your screenshots. I guess I have no choice but to upgrade to the new beta firmware... I'm sure it will work. Worst case, revert back to V12. Thank you again for all your help!!

 

 

Ryan-Zimmerle
Getting noticed

@Jack

 

I am not sure why it was removed; there was nothing in there that was a privacy concern. Anyway, earlier I was testing with a Win 7 box; when I tested with a Win 10 box, bam, right away Windows Update broke. I am running MX 12.24 on this MX100. I moved the client over to my MX250 running MX 14.XX and right away the updates started working. I can confirm there is an issue here and I was able to replicate it exactly as you described.

 

Ryan

Jack
Getting noticed

Yes, it's a known issue, I guess... just not happy with Meraki ignoring this major issue for so long... It's been going on for months... their only solution is upgrading to the beta firmware. Why is there not a stable version that has this issue resolved? Why does a paying customer's production network need to be their lab rat? Anyway, I'll update to V14. Thank you for doing all this for me!!

chrismoses
Here to help

This is STILL an issue (11/2018). We haven't been able to access any Windows updates for over a month. We did have AMP enabled at our colo (MX100 running 13.33). How TF can this be an open issue with production firmware, Meraki? Not being able to update Windows is almost criminal. Disabled AMP on the network and updates are working.

NolanHerring
Kind of a big deal

@chrismoses

 

I understand the frustration; however, I think it might be OK now to upgrade to 14.X if you're willing. That seems to have fixed the issue based on others in this thread.

Nolan Herring | nolanwifi.com
chrismoses
Here to help

This will be the third *major* issue that we've encountered this year where the fix was installing beta firmware. That's nuts.

Jack
Getting noticed

Disabling AMP for 10 min and then enabling it works for me. Try that.

CarolineS
Community Manager

Hi @Jack and @Ryan-Zimmerle,
Apologies about the message getting deleted; our community's spam filter is a bit over-active and it flagged that post. I added it back. I'm also looking into how to tone down the filter!
Cheers!
- Caroline
Caroline S | Community Manager, Cisco Meraki
Ryan-Zimmerle
Getting noticed

Hello @CarolineS

 

Thank you for jumping in here and letting us know, so nice to have some Cisco Meraki presence here.  

Shanec
Here to help

We too have issues with AMP on our MX100, with various downloads saying it's a network error, etc. Not willing to go on betas in a production environment, and I know turning off AMP will sort it, but that defeats the purpose of paying for the Advanced licence.

Jack
Getting noticed

We have the same issue. This seems to be a known problem with the MX100 only. I tried everything to find a workaround but no luck. Here are basically your options.

1) Turn off AMP
2) Upgrade to V13 beta firmware (I did that on my environment with 500 users and multiple VPNs etc. and it works great so far). Worst case, one-click roll back to V12. I understand the word beta is scary, but V13 has already been around for a long time. V14 is already available but Meraki support needs to manually push it on their end. My suggestion is to upgrade to V13 and keep your eye on it.

Sbadza
New here

I've been having the same issue since 2016. A couple of our Meraki sites (MX64s) have reported file download failures when AMP is enabled. This issue manifests itself in a weird way: they work sometimes.

https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Advanced_Malware_Prote...

This is a known issue with Cisco Meraki AMP. Sometimes files will change disposition based on new threat intelligence gained by the AMP cloud, and it sees clean files as malicious, which are then blocked.

Per Meraki, most customers are experiencing similar issues and they are working on a permanent fix soon????

Since we don't want to disable AMP as a fix, here is a workaround:

  1. Turning AMP off and on for 10 minutes and then whitelisting the URL sometimes seems to do the trick.
  2. In some instances, a code upgrade to 13.25 beta firmware may resolve the issue, but I won't recommend this, as it has not always worked for every MX and can cause other network issues (verify with Meraki first).

c0sm0
New here

Yup, seen this too. Meraki MX64 and 64W.

Solution is to add the site to the whitelist, turn off AMP, wait, turn on AMP, wait.

I whitelisted the following for Windows Updates:

microsoft.com

windowsupdate.com

Meraki filtering assumes all subdomains are allowed as well on the above.
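As an added example, not code from this thread or from Meraki: a small Python triage script that takes the IDS alert rows Jack posted earlier (re-keyed here one event per line as a constructed sample built from the page's own hosts, IPs and Snort signature) and checks each blocked destination against c0sm0's Windows Update allowlist using the subdomain semantics c0sm0 describes (an entry covers itself and every subdomain). It separates the two questions the thread keeps mixing: which signature is firing and where, and whether a URL allowlist entry would even apply to those destinations. The one-line log format, the function names and the allowlist-matching rule are assumptions for illustration, not a Meraki export format or API.

```python
"""Triage Meraki IDS alert rows against a Windows Update domain allowlist (illustrative)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample: the three IDS alerts quoted in the thread, one per line
# (timestamp, destination host, ip:port, action, signature). Not a Meraki export format.
SAMPLE_EVENTS = """\
Oct 13 12:19:22 IDS Alert 209.66.87.99.IPYX-073920-004-ZYO.zip.zayo.com 209.66.87.99:80 Blocked BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt
Oct 13 12:09:00 IDS Alert a23-219-162-115.deploy.static.akamaitechnologies.com 23.219.162.115:80 Blocked BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt
Oct 13 12:04:00 IDS Alert a23-219-162-115.deploy.static.akamaitechnologies.com 23.219.162.115:80 Blocked BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt
"""

# The two entries c0sm0 whitelisted; an entry is assumed to cover all of its subdomains.
UPDATE_ALLOWLIST = ["microsoft.com", "windowsupdate.com"]

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) IDS Alert "
    r"(?P<host>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}) "
    r"(?P<action>Blocked|Allowed) (?P<signature>.+?)\s*$"
)


@dataclass(frozen=True)
class IdsEvent:
    timestamp: str
    host: str
    ip: str
    port: int
    action: str
    signature: str


def parse_events(text: str) -> List[IdsEvent]:
    """Parse one-event-per-line IDS alert text; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append(IdsEvent(m["ts"], m["host"], m["ip"], int(m["port"]),
                               m["action"], m["signature"]))
    return events


def host_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """True if host equals an allowlist entry or is a subdomain of it.

    The suffix check is anchored on a label boundary ("." + entry), so
    "notmicrosoft.com" does not match the entry "microsoft.com".
    """
    h = host.lower().rstrip(".")
    for entry in allowlist:
        e = entry.lower().rstrip(".")
        if h == e or h.endswith("." + e):
            return True
    return False


def triage(events: Iterable[IdsEvent], allowlist: Iterable[str]) -> Dict[str, object]:
    """Summarise blocked IDS events by signature and destination, and count how many
    of the blocked destinations a URL allowlist entry would cover at all."""
    blocked = [e for e in events if e.action == "Blocked"]
    covered = sum(1 for e in blocked if host_allowed(e.host, allowlist))
    return {
        "blocked": len(blocked),
        "by_signature": Counter(e.signature for e in blocked),
        "by_destination": Counter(f"{e.ip}:{e.port}" for e in blocked),
        "covered_by_allowlist": covered,
        "not_covered_by_allowlist": len(blocked) - covered,
    }


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_EVENTS), UPDATE_ALLOWLIST)
    print(f"blocked events: {summary['blocked']}")
    for sig, n in summary["by_signature"].most_common():
        print(f"  {n}x signature: {sig}")
    for dest, n in summary["by_destination"].most_common():
        print(f"  {n}x destination: {dest}")
    print(f"covered by URL allowlist: {summary['covered_by_allowlist']}, "
          f"not covered: {summary['not_covered_by_allowlist']}")
```

For the three sample rows the script reports every block under a single IDS signature, two of them against the Akamai host, and none of the destinations covered by the allowlist, which matches PhilipDAth's point that for these events the relevant control is whitelisting the IDS rule rather than a URL entry; the URL allowlist c0sm0 describes is the check to apply to AMP blocks, which do not appear in this log at all.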

mw_awa
Conversationalist

Thank you, just wanted to reply stating that c0sm0's workaround fixes the issue. I'm running WSUS for domain-joined machines, but some BYOD laptops on our wifi could not get Windows updates over the internet. Running MX100 and MX64 on 13.3.

StevenBosco
New here

I just had a similar issue, and wanted to describe it for others' reference. All Windows 8 era machines (8, 8.1, WS2012, WS2012 R2) would not update and gave the error code 0x8024402F. This began seemingly sporadically in November of 2018, and audit logs did not show any system configuration changes around that time. The ultimate cause appeared to be AMP blocking Windows from downloading legitimate .cab files from Microsoft websites. In the Security Center event logs, no events were posted indicating that any blocking had occurred. After searching for other issues with our client machines or content filters, we were able to solve the problem very simply by merely disabling AMP and re-enabling it shortly thereafter. The updates started flowing again just fine after resetting AMP in this way, and we have not had any issues with downloading legitimate .cab or .diagcab files since. I'm not sure if there was some hang in the process that is supposed to be scanning .cab files or with the malware definitions in AMP, but toggling the enable configuration fixed the problem.

Nash
Kind of a big deal

For this problem, the best solution is to install the 14.x beta firmware. It prevents AMP from getting "indigestion" and blocking downloads based on false positives.

 

My procedure is:

 

Restart AMP: disable it, save, wait for MX to update its config, then re-enable it.

 

Enable beta firmware under Network wide->General and schedule an update for maintenance window via Organization->Firmware Updates.
