MX68 as the edge Meraki device to AT&T ISP Network Based Firewall fails to reach Meraki Dashboard
1a. Test network A configuration - Pass
A. test 1 config - MX68 WAN2 10.3.x.x port to RV160 Router VLAN3 port ~~~>>> Cisco RV160 Router (10.xx.xx.1) ~~~>>> ISP AT&T Router (10.xx.xx.2) ~~~>>> NBFW ~~~>>> MerakiDB
1b. I tested the MX68 WAN2 port on VLAN3 (10.3.x.x) behind a Cisco RV160 Router's WAN (10.xx.xx.1) to the ISP AT&T AVPN w/NBFW and reached the Meraki dashboard. Hence my ISP Network Based Firewall policies are working to reach the Dashboard...
1c. From the MerakiDB I successfully configured/saved MX68 WAN1 to be the ISP WAN network 10.xx.xx.1
Test network B configuration - Fail
B. test 2 config - MX68 WAN1 (10.xx.xx.1) ~~~>>> ISP AT&T Router (10.xx.xx.2) ~~~>>> NBFW ~~~>>> MerakiDB
2a. Move the MX68 to be the edge device, WAN1 10.xx.xx.1 connected to the ISP AT&T AVPN w/NBFW ... Reboot
2b. The MX68 fails to communicate with the MerakiDB ...
My 1st troubleshooting step was to check the FW policy to reach the MerakiDB ... I saw that only intranet VLAN source addresses, i.e. VLAN3 (10.3.x.x), were listed... I modified the FW policy to add the uplink network 10.xx.xx.0/24 as a source network ... I was seeing Deny to 22.214.171.124 UDP 7351; NOW, after the FW policy change, I am seeing Accept 126.96.36.199 UDP 7351 ... But there must be other Meraki firewall denies ...
I used all the Upstream Firewall Rules for Cloud Connectivity to define my Meraki Dashboard/Backup Dashboard firewall policy...
There was a MerakiDB troubleshooting note for "Fail to connect": """ This is generally caused by an upstream firewall not using stateful packet inspection. In this instance, the Meraki device's TCP SYN packet is reaching the cloud. When the cloud responds to the Meraki device with a TCP SYN/ACK, it is dropped by the firewall. The Meraki device waiting on the TCP SYN/ACK never receives it. Therefore an acknowledgement TCP ACK from the Meraki device is never sent back to the controller to establish the TCP connection. This is called one-way traffic. """
I don't understand how the MX68 connects to the MerakiDB (getting through the FW policy) behind an RV160 Router uplinked to the ISP,
but does not connect to the MerakiDB when connected directly on the ISP uplink network.
The local page indicated a DNS problem... since I moved the MX68 to the edge of the network, before the ISP cloud-based firewall... The Meraki FW policy entry to reach 188.8.131.52 (uplink connection monitor) was the key to sustaining communication with the Meraki Cloud.
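The two effects in the post above, a source-network mismatch (the uplink network missing from the policy, step 2b) and the one-way traffic described in the quoted troubleshooting note, modelled side by side as an added example. This is not code from the original post, from Meraki or from AT&T; the addresses and the rule set are constructed: 203.0.113.10 stands in for a dashboard host, 10.20.30.0/24 for the MX uplink network, 10.3.0.0/16 for VLAN3, and the policy allows only outbound TCP 443 and UDP 7351 from the listed source networks, as an upstream NBFW policy built from the cloud-connectivity rules would.

```python
"""Stateless vs. stateful upstream firewall in front of an MX uplink.
All addresses, ports in rules, and the rule set itself are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DASHBOARD = "203.0.113.10"   # constructed stand-in for a Meraki cloud host
MX_UPLINK = "10.20.30.1"     # constructed stand-in for the MX68 WAN1 address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""   # "SYN", "SYN/ACK", "ACK" for TCP


@dataclass
class Rule:
    action: str           # "accept" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class StatelessFirewall:
    """Every packet, in either direction, is judged by the rule list alone;
    anything not matched is dropped (implicit deny)."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def check(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFirewall(StatelessFirewall):
    """Same rules, plus a connection table: a reply whose 5-tuple is the
    reverse of an accepted outbound packet is accepted without any rule."""
    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.table = set()

    def check(self, p: Packet) -> str:
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.table:
            return "accept"
        verdict = super().check(p)
        if verdict == "accept":
            self.table.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return verdict


def policy(sources: List[str]) -> List[Rule]:
    """Outbound-only policy for dashboard traffic from the given source nets."""
    rules = []
    for net in sources:
        rules.append(Rule("accept", net, "0.0.0.0/0", "tcp", 443))   # dashboard HTTPS
        rules.append(Rule("accept", net, "0.0.0.0/0", "udp", 7351))  # cloud tunnel
    return rules


def handshake(fw: StatelessFirewall) -> List[str]:
    """TCP handshake from the MX uplink to the dashboard through fw.
    Returns the verdicts for SYN (out), SYN/ACK (in) and ACK (out)."""
    syn = Packet(MX_UPLINK, DASHBOARD, "tcp", 50000, 443, "SYN")
    synack = Packet(DASHBOARD, MX_UPLINK, "tcp", 443, 50000, "SYN/ACK")
    ack = Packet(MX_UPLINK, DASHBOARD, "tcp", 50000, 443, "ACK")
    verdicts = [fw.check(syn), fw.check(synack)]
    # The MX only sends its ACK if the SYN/ACK actually reached it.
    verdicts.append(fw.check(ack) if verdicts[1] == "accept" else "not sent")
    return verdicts


def scenario_vlan_only_source() -> str:
    """Policy lists only VLAN3 as a source: the uplink's own UDP 7351 is denied,
    the situation before the uplink network was added to the policy."""
    fw = StatefulFirewall(policy(["10.3.0.0/16"]))
    return fw.check(Packet(MX_UPLINK, DASHBOARD, "udp", 40000, 7351))


def scenario_uplink_added_stateless() -> List[str]:
    """Uplink net added, but no stateful inspection: SYN leaves, SYN/ACK is
    dropped on return, the ACK is never sent. This is the one-way traffic."""
    return handshake(StatelessFirewall(policy(["10.3.0.0/16", "10.20.30.0/24"])))


def scenario_uplink_added_stateful() -> List[str]:
    """Uplink net added and stateful inspection on: the handshake completes."""
    return handshake(StatefulFirewall(policy(["10.3.0.0/16", "10.20.30.0/24"])))


if __name__ == "__main__":
    print("VLAN3-only source, UDP 7351 from uplink:", scenario_vlan_only_source())
    print("uplink added, stateless firewall:      ", scenario_uplink_added_stateless())
    print("uplink added, stateful firewall:       ", scenario_uplink_added_stateful())
```

The stateless model shows why adding the uplink network to the policy can turn the UDP 7351 log entries from Deny to Accept while the TCP sessions to the dashboard still never complete: the outbound rule match is necessary but not sufficient, and the return SYN/ACK has no rule of its own unless the device in the path tracks connection state. When checking a real NBFW policy, confirm both that the MX uplink address is a permitted source and that the policy is applied with stateful inspection (or has an explicit return-traffic rule).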
Might not be relevant - but don't forget that, depending on your environment, AT&T requires one of their modems/routers (on both xDSL and, yes, Fiber) to authenticate to bring the IP layer up. If you have taken away the PE device, reconnect it, go into the GUI and set your MX as the passthrough.