MX68 as the Edge Meraki Device to AT&T ISP Network Base Fire Wall fails to reach Meraki Dashboard

SOLVED
ospsms
Here to help

MX68 as the Edge Meraki Device to AT&T ISP Network Base Fire Wall fails to reach Meraki Dashboard

1a. Test network A configuration - Pass

     A. test 1 config - MX68 - Wan2 10.3.x.x port to RV160 Router vlan3 port ~~~>>> Cisco RV160 Router (10.xx.xx.1)~~~>>> ISP AT&T Router (10.xx.xx.2) ~~~>>> NBFW ~~~>>> MerakiDB

 

1b. I Tested the MX68 WAN2 port on vlan3 10.3.x.x port behind a Cisco RV160 Router's WAN 10.xx.xx.1 to ISP AT&T Avpn w/NBFW and reach the Meraki dashboard. Hence my ISP Network Based FireWall policies are working to reach the Dashboard...   

 

1c. From MerakiDB I configure/save successfully MX68 WAN1 to be the ISP WAN Network 10.xx.xx.1

 

 

Test network B configuration - Fail

   B. test 2 config   MX68 Wan1 (10.xx.xx.1) ~~~>>> ISP AT&T Router (10.xx.xx.2) ~~~>>> NBFW ~~~>>> MerakiDB

 

2a.  Move MX68 as the edge device WAN1 10.xx.xx.1 connect to ISP AT&T AVPN w/NBFW ... Reboot

2b. The MX68 fails to communicate to the MerakiDB ...  

 

My 1st troubling step was check FW Policy to reach MerakiDB ... See that only source addresses  intra-net vlans i.e. vlan3(10.3.x.x)...  Modified the FW Policy to add source network to be the Uplink network 10.xx.xx.0/24 ... Was seeing Deny to 64.62.142.12 UDP 7351, NOW after FW Policy change seeing accept 64.62.142.12 UDP 7351 ... But there must be other Meraki Firewall deny's ...

 

I used all the Upstream Firewall Rules for Cloud Connectivity to define my Meraki Dashboard/Backup Dashboard firewall policy...

 

There was a MerakiDB Troubleshooting note Fail to connect  """ This is generally caused by an upstream firewall not using stateful packet inspection. In this instance, the Meraki device's TCP SYN packet is reaching the cloud. When the cloud responds to the Meraki device with a TCP SYN/ACK, it is dropped by the firewall. The Meraki device waiting on the TCP SYN/ACK never receives it. Therefore an acknowledgement TCP ACK from the Meraki device is never sent back to the controller to establish the TCP connection. This is called one-way traffic. """

 

I don't understand how the MX68 connects to the MerakiDB (getting through the FW policy) behind a RV160 Router uplinked to the ISP,

But not connect to the MerakiDB when connected directly on the ISP uplink network.

 

 

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

When it is not working, connect to the local status page and see what issue it is reporting.

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Me... 

View solution in original post

4 REPLIES 4
PhilipDAth
Kind of a big deal

When it is not working, connect to the local status page and see what issue it is reporting.

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Me... 

View solution in original post

Internet : The security appliance is not connected to the internet ... 

               The security appliance does not have a working DNS server

 

Cisco Meraki Cloud: This security appliance is not connected to the Cisco Meraki Cloud

 

gee Meraki missed out on this page to report what detailed step failed in the sequence to connect to the Cloud... Not much help from the Meraki design department...  

The local page indicated DNS problem... Since I moved the MX68 to the edge of the network before ISP Cloud based Firewall... The key Meraki FW policy to reach 8.8.8.8 Uplink connection monitor was the key to sustaining communication with the Meraki Cloud.

 

Source IP
 

 

Destination IP 
FQDN 
Ports 
Protocol 
Direction 
Description 
Devices using this rule 
 

 

5 total
Your network(s)108.161.147.0/24, 216.157.142.0/24, 216.157.143.0/24, 199.231.78.0/24, 64.62.142.12/32, 209.206.48.0/20 7351UDPoutboundMeraki cloud communicationAccess points, Cameras, MX Security Appliance, Switches
Your network(s)209.206.48.0/20 80, 443, 7734, 7752TCPoutboundBackup Meraki cloud communication, Backup configuration downloads, Measured throughput to dashboard.meraki.com, Backup firmware downloads, Meraki cloud communication, Splash pagesAccess points, Cameras, MX Security Appliance, Switches
Your network(s)Any 123UDPoutboundNTP time synchronization Access points, Cameras, MX Security Appliance, Switches
Your network(s)8.8.8.8/32 53UDPoutboundUplink connection monitorMX Security Appliance
Your network(s)8.8.8.8/32, 209.206.48.0/20  ICMPoutboundUplink connection monitorMX Security Appliance

 

Mikeylad
Here to help

Might not be relevant - But don't forget that depending on your environment: AT&T require one of their modems / routers (on both xDSL and yes Fiber) to authenticate to bring the IP layer up. If your have taken away the PE device - reconnect it and go into the GUI and set your mx as the passthrough. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels