MX100 FW 14.31

joemailey
Comes here often


I'm having an issue where some sites fail to load, but a refresh fixes them.

 

These are two links I'm seeing the failure on https://code.jquery.com/jquery-2.1.0.min.js

https://code.jquery.com/jquery-3.1.0.min.js

It also happens on other sites link: https://www.ultimate-guitar.com/

This site can’t be reached
code.jquery.com is currently unreachable.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_SSL_VERSION_INTERFERENCE

 

This site can’t be reached
code.jquery.com unexpectedly closed the connection.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_CLOSED

Now I've by-passed my network (MX, switches, access points - all Meraki)

Connected my laptop to our ISP using one of our spare static IPs. 

Everything seems to work fine. 

 

Those error messages come up pretty fast, almost as if the connection is instantly rejected. 

Sometimes the browser will refresh straight away itself and the site works, other times I need to refresh. Then if I keep refreshing I will eventually get one of the messages above.

 

 

Has anyone else experienced anything like this? Seems to be something odd on the network, which is resolved when I by-pass the Meraki kit. We also run a warm spare MX setup. Not sure if that has anything to do with it.

nealgs
Building a reputation

Not seen that issue as yet (installed a couple of MX100s in a warm spare config yesterday). They are running firmware 13.33 - no signs of firmware update showing or reporting on console either.

Adam
Kind of a big deal

To test, try changing your content filter setting from 'Full List' to 'Top Sites'.  You'll get less coverage but I'm curious to see if this solves your issue.  We ran into a similar issue on a prior firmware. 

 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
joemailey
Comes here often

I'm already set to top sites, even tried whitelisting jquery.com to see if it makes a difference.

Also tried whitelisting my client to see if it made a difference.

So far nothing yet. 

 

It's such a strange issue. 

I never knew it happened until a user brought it to my attention yesterday.

nealgs
Building a reputation

14.31 is still marked as Beta firmware - maybe a bug in that release - can you go back to 13.33 firmware and try the same thing?

joemailey
Comes here often

I might give this a go. See if it resolves it.

I never rolled back the FW, have left it with support to dig in to.
To see if they can solve it.

If they recommend rolling back the firmware I'll give it a go.

It seems to fail on the SSL check, I'm wondering if Meraki's inspection is doing something to break it.

 

 openssl s_client -connect code.jquery.com:443 -verify 1
verify depth is 1
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
 openssl s_client -connect code.jquery.com:443 -verify 1
verify depth is 1
CONNECTED(00000005)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = code.jquery.com
verify return:1
---
Certificate chain
 0 s:/CN=code.jquery.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=code.jquery.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3419 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B44AF44115BB70789F67A5D88EA5CD9D1676D27A14FEB9F37433E716CFD4AEC0
    Session-ID-ctx: 
    Master-Key: 0BB2EFEBF7FE5F1127BDC3FC6563A0259352760BE40BE127A2DB7C0F62AD697E49A29F9D641949870953E66D449C82EB
    TLS session ticket lifetime hint: 43200 (seconds)
    TLS session ticket:
    Start Time: 1534863710
    Timeout   : 300 (sec)
    Verify return code: 27 (certificate not trusted)
---
closed
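
An added example, not part of the original thread: a shell helper that classifies `openssl s_client` transcripts like the two above and repeats the poster's command to tally how often the connection is closed before any server bytes arrive, so the rate can be compared behind the MX and on the direct ISP link. The function names are hypothetical and the sample transcripts are trimmed from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read one `openssl s_client` transcript on stdin, print a one-line verdict.
classify_handshake() {
  awk '
    /^(write|read):errno=/    { sockerr = $0 }             # socket error seen by s_client
    /^SSL handshake has read/ { rd = $5; wr = $9; seen = 1 }
    /Cipher is/               { cipher = ($NF == "(NONE)") ? "" : $NF }
    /Verify return code:/     { vcode = $4 }
    END {
      if (!seen) { print "no-handshake-summary"; exit }
      if (rd == 0 && cipher == "") {
        # ClientHello was written but nothing came back: closed/reset in the path.
        tail = (sockerr != "") ? " " sockerr : ""
        print "closed-before-server-reply wrote=" wr tail
        exit
      }
      if (cipher == "") { print "failed-mid-handshake read=" rd; exit }
      if (vcode == "") vcode = "?"
      print "handshake-ok verify=" vcode " cipher=" cipher
    }'
}

# Repeat the command from the post N times and count each verdict.
probe() (  # usage: probe code.jquery.com:443 20
  target=$1; n=${2:-20}; i=0
  while [ "$i" -lt "$n" ]; do
    openssl s_client -connect "$target" -verify 1 </dev/null 2>&1 | classify_handshake
    i=$((i + 1))
  done | sort | uniq -c
)

# Samples trimmed from the two transcripts in the post.
sample_failed() { cat <<'EOF'
CONNECTED(00000005)
write:errno=54
SSL handshake has read 0 bytes and written 318 bytes
New, (NONE), Cipher is (NONE)
EOF
}
sample_ok() { cat <<'EOF'
CONNECTED(00000005)
SSL handshake has read 3419 bytes and written 444 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 27 (certificate not trusted)
EOF
}

# Only touch the network when a target is given on the command line.
if [ "$#" -gt 0 ]; then probe "$@"; fi
```

A run that tallies `closed-before-server-reply` only behind the firewall, and never on the direct link, points at something in the path rather than at the server.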