1a. Test network A configuration - Pass
A. test 1 config - MX68 - Wan2 10.3.x.x port to RV160 Router vlan3 port ~~~>>> Cisco RV160 Router (10.xx.xx.1)~~~>>> ISP AT&T Router (10.xx.xx.2) ~~~>>> NBFW ~~~>>> MerakiDB
1b. I tested the MX68 WAN2 port on vlan3 10.3.x.x behind a Cisco RV160 Router's WAN 10.xx.xx.1 to ISP AT&T AVPN w/NBFW and reached the Meraki dashboard. Hence my ISP Network Based FireWall policies are working to reach the Dashboard...
1c. From MerakiDB I successfully configure/save MX68 WAN1 to be the ISP WAN network 10.xx.xx.1
Test network B configuration - Fail
B. test 2 config MX68 Wan1 (10.xx.xx.1) ~~~>>> ISP AT&T Router (10.xx.xx.2) ~~~>>> NBFW ~~~>>> MerakiDB
2a. Move MX68 as the edge device WAN1 10.xx.xx.1 connect to ISP AT&T AVPN w/NBFW ... Reboot
2b. The MX68 fails to communicate to the MerakiDB ...
My 1st troubleshooting step was to check the FW Policy to reach MerakiDB ... Saw that the only source addresses were the intra-net vlans, i.e. vlan3 (10.3.x.x)... Modified the FW Policy to add the Uplink network 10.xx.xx.0/24 as a source network ... Was seeing Deny to 64.62.142.12 UDP 7351; NOW, after the FW Policy change, seeing Accept to 64.62.142.12 UDP 7351 ... But there must be other Meraki firewall denies ...
I used all the Upstream Firewall Rules for Cloud Connectivity to define my Meraki Dashboard/Backup Dashboard firewall policy...
There was a MerakiDB Troubleshooting note Fail to connect """ This is generally caused by an upstream firewall not using stateful packet inspection. In this instance, the Meraki device's TCP SYN packet is reaching the cloud. When the cloud responds to the Meraki device with a TCP SYN/ACK, it is dropped by the firewall. The Meraki device waiting on the TCP SYN/ACK never receives it. Therefore an acknowledgement TCP ACK from the Meraki device is never sent back to the controller to establish the TCP connection. This is called one-way traffic. """
I don't understand how the MX68 connects to the MerakiDB (getting through the FW policy) behind a RV160 Router uplinked to the ISP,
but does not connect to the MerakiDB when connected directly on the ISP uplink network.
When it is not working, connect to the local status page and see what issue it is reporting.
Internet : The security appliance is not connected to the internet ...
The security appliance does not have a working DNS server
Cisco Meraki Cloud: This security appliance is not connected to the Cisco Meraki Cloud
Gee, Meraki missed out on this page to report what detailed step failed in the sequence to connect to the Cloud... Not much help from the Meraki design department...
The local page indicated DNS problem... Since I moved the MX68 to the edge of the network before ISP Cloud based Firewall... The key Meraki FW policy to reach 8.8.8.8 Uplink connection monitor was the key to sustaining communication with the Meraki Cloud.
| Source IP | Destination IP | FQDN | Ports | Protocol | Direction | Description | Devices using this rule |
|---|---|---|---|---|---|---|---|
| Your network(s) | 108.161.147.0/24, 216.157.142.0/24, 216.157.143.0/24, 199.231.78.0/24, 64.62.142.12/32, 209.206.48.0/20 | | 7351 | UDP | outbound | Meraki cloud communication | Access points, Cameras, MX Security Appliance, Switches |
| Your network(s) | 209.206.48.0/20 | | 80, 443, 7734, 7752 | TCP | outbound | Backup Meraki cloud communication, Backup configuration downloads, Measured throughput to dashboard.meraki.com, Backup firmware downloads, Meraki cloud communication, Splash pages | Access points, Cameras, MX Security Appliance, Switches |
| Your network(s) | Any | | 123 | UDP | outbound | NTP time synchronization | Access points, Cameras, MX Security Appliance, Switches |
| Your network(s) | 8.8.8.8/32 | | 53 | UDP | outbound | Uplink connection monitor | MX Security Appliance |
| Your network(s) | 8.8.8.8/32, 209.206.48.0/20 | | | ICMP | outbound | Uplink connection monitor | MX Security Appliance |
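As an added illustration (my own code, not Meraki's and not from anyone in this thread): a small matcher over the rule table above that shows why the same flows from the MX are dropped while "Your network(s)" only covers vlan3, and pass once the uplink /24 is added as a source. 10.3.0.0/16, 10.200.0.0/24 and 10.200.0.1 are constructed stand-ins for the masked 10.x addresses in the post.

```python
import ipaddress

# Outbound allow rules for Meraki cloud connectivity, taken from the table in
# this thread. The source side ("Your network(s)") is supplied by the caller,
# which is exactly the knob that was wrong in the original post.
MERAKI_CLOUD_RULES = [
    # (destination networks, protocol, allowed ports or None for ICMP, description)
    (["108.161.147.0/24", "216.157.142.0/24", "216.157.143.0/24",
      "199.231.78.0/24", "64.62.142.12/32", "209.206.48.0/20"],
     "udp", {7351}, "Meraki cloud communication"),
    (["209.206.48.0/20"], "tcp", {80, 443, 7734, 7752},
     "Backup Meraki cloud communication"),
    (["0.0.0.0/0"], "udp", {123}, "NTP time synchronization"),
    (["8.8.8.8/32"], "udp", {53}, "Uplink connection monitor (DNS)"),
    (["8.8.8.8/32", "209.206.48.0/20"], "icmp", None,
     "Uplink connection monitor (ICMP)"),
]


def _contains(cidrs, ip):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def match_outbound(source_networks, src_ip, dst_ip, proto, dport=None):
    """Return the description of the first matching allow rule, or None (deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # A source outside "Your network(s)" never matches, whatever the destination.
    if not _contains(source_networks, src):
        return None
    for dsts, rule_proto, ports, desc in MERAKI_CLOUD_RULES:
        if rule_proto != proto.lower():
            continue
        if ports is not None and dport not in ports:
            continue
        if _contains(dsts, dst):
            return desc
    return None


# Flows the MX needs at boot, sourced from its (constructed) uplink address 10.200.0.1.
BOOT_FLOWS = [
    ("10.200.0.1", "64.62.142.12", "udp", 7351),   # cloud controller
    ("10.200.0.1", "8.8.8.8", "udp", 53),          # uplink monitor / DNS
    ("10.200.0.1", "8.8.8.8", "icmp", None),       # uplink monitor / ICMP
    ("10.200.0.1", "209.206.50.10", "tcp", 443),   # backup cloud (in 209.206.48.0/20)
]


def blocked_flows(source_networks):
    """List the boot flows that the policy would deny for a given source set."""
    return [f for f in BOOT_FLOWS if match_outbound(source_networks, *f) is None]
```

With only vlan3 as the source, every boot flow is blocked, which matches the "no DNS server / not connected to the Cisco Meraki Cloud" status page; adding the uplink /24 clears all four.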
Might not be relevant - But don't forget that depending on your environment: AT&T requires one of their modems / routers (on both xDSL and yes Fiber) to authenticate to bring the IP layer up. If you have taken away the PE device - reconnect it and go into the GUI and set your MX as the passthrough.